This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Classic ASP Security Project
| Project Identification | |
|---|---|
| Project Name | OWASP Classic ASP Security Project |
| Short Project Description | This project aims to create a secure framework for Classic ASP applications by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries. More specifically: |
| Project Leader | Juan Carlos Calderon |
| Project Contributors (if any) | |
| Mailing list | Subscribe here / Use here |
| License | Creative Commons Attribution Share Alike 3.0 |
| Project Type | Tool |
| Sponsors | OWASP SoC 08 |

| Release Status | Main Links | Related Projects |
|---|---|---|
| | OWASP Classic ASP ESAPI ZIP | |
Overview
Classic ASP 2.0 and 3.0 applications are still widely used: the technology is more than 10 years old and was very widely deployed, so there are thousands of sites in the wild that need guidance on security. This is where OWASP can step up and provide help for "making the Web a better place" and continue spreading the word on security. I have always been passionate about this technology (regardless of its inconveniences, such as being old and DLL-hell prone), and I am really excited by the idea of sharing my knowledge of this area with the world, and what better way to do it than through OWASP.
Objectives
Create a secure framework for Classic ASP applications by complementing existing OWASP projects with documentation for this particular technology and the creation of security libraries.
Deliverables and Progress
| Activity | Status |
|---|---|
| | Done - March 16th, 2009 |
| | Done - Jun 8, 2008 |
| | Done - Jun 12, 2008 |
| | Done - Aug 3rd, 2008 |
| | Done - Aug 7th, 2008 |
Installing and Using the Software
Stinger
Stinger 1.0 for Classic ASP is implemented in pure VBScript, so there is no need to install any software other than MSXML (you usually already have it as part of IE), which is required because Stinger makes extensive use of XML.
- Unzip StingerASP1.0.zip
- Start creating rule files in the `/rules` folder, named after your pages. For example, you would create a `Default.svdl.asp` rules file for your `Default.asp` page.
- Include the `Stinger.asp` page in your `default.asp` page.
- Instantiate the Stinger class and call the validate method.
I strongly recommend that you look at the example default.asp page included in the zip file; it is very self-explanatory. The Default.svdl.asp file also includes examples of how to create rules for input fields.
Notice: if you use complex dynamic pages with a variable number of fields, you can use programmatic rules to handle the different scenarios within a single page. You will find an example of this in the comments of the default.asp sample page.
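As an added illustration of the per-page, whitelist-rule approach Stinger takes, here is a Classic ASP snippet that defines one regular-expression rule per expected field and rejects any request that fails a rule or carries a field no rule covers. This is not Stinger's own code or its actual API; the rule dictionary, the `ValidateRequest` function and the field names are assumptions made for the example.

```vbscript
<%
' Added example of positive (whitelist) input validation in Classic ASP, in the
' spirit of Stinger's per-page rule files. Not Stinger's API; names are assumptions.
Option Explicit

' One rule per expected field: a regular expression the whole value must match.
' In a Stinger deployment these rules would live in /rules/Default.svdl.asp instead.
Dim rules
Set rules = Server.CreateObject("Scripting.Dictionary")
rules.Add "username", "^[A-Za-z0-9_]{3,20}$"
rules.Add "age",      "^[0-9]{1,3}$"
rules.Add "email",    "^[^@\s]{1,64}@[^@\s]{1,255}$"

' Returns True only if the value matches the pattern in full (patterns are anchored).
Function MatchesRule(pattern, value)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    re.IgnoreCase = False
    MatchesRule = re.Test(value)
End Function

' Validates a request collection (Request.Form or Request.QueryString) against the rules.
' A field without a rule is an error too, so unexpected input cannot slip through.
' Returns "" when everything is valid, otherwise a description of the first violation.
Function ValidateRequest(collection)
    Dim key
    ValidateRequest = ""
    For Each key In collection
        If Not rules.Exists(key) Then
            ValidateRequest = "unexpected field: " & key
            Exit Function
        End If
        If Not MatchesRule(rules(key), collection(key)) Then
            ValidateRequest = "invalid value for field: " & key
            Exit Function
        End If
    Next
End Function

Dim problem
problem = ValidateRequest(Request.Form)
If problem <> "" Then
    ' Reject the request; log the violation server-side rather than echoing raw input back.
    Response.Status = "400 Bad Request"
    Response.Write "Request rejected."
    Response.End
End If
%>
```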
ESAPI (Draft)
Classic ASP for ESAPI uses a modified version of ESAPI for .NET as a baseline (so you will need .NET 2.0 to run it) for some important operations, such as encryption, that would be hard or impossible to implement in pure VBScript. These are the steps to get it working:
- Unzip OWASP_Classic_ASP_ESAPI.zip
- Open the `Owasp.Esapi.csproj` project with Visual Studio 2005 or later and compile it. Notice that you will be asked for a password; that password is in the `OWASP_Key_Pass.txt` text file in the main folder. Also notice that the password is not used for security reasons, but only to avoid version conflicts between the DLLs.
- Once you have compiled the project successfully it will register itself for use, and the default.asp page should work fine.
All the methods used in the default.asp page are fully implemented and usable, unless otherwise explained in the default.asp page.
Feedback
Notice that although I tested the software created as part of this project, it might not be stable enough for production, so I recommend that you do additional and extensive testing before deploying, at least until the project reaches release level.
Let me know about any issue you face so I can improve the implementation; a Google Code repository will be available soon.