I’m on a short-term contracting gig, trying to patch some vulnerabilities in their legacy code. The application I’m working on is a combination of Classic ASP (VBScript) and .Net 2.0 (C#). One of the tools they have purchased is Fortify 360.
Here is a current classic ASP page in the application:
<%@ Language=VBScript %>
<%
Dim var
var = Request.QueryString("var")
' do stuff
Response.Redirect "nextpage.asp?var=" & var
%>
I know, I know, short and very dangerous.
So we wrote some (en/de)coders and validation/verification routines:
<%@ Language=VBScript %>
<%
Dim var
var = Decode(Request.QueryString("var"))
' do stuff
if isValid(var) then
Response.Redirect "nextpage.asp?var=" & Encode(var)
else
'throw error page
end if
%>
And still Fortify flags this as vulnerable to Header Manipulation. How or what exactly is Fortify looking for?
The reason I suspect that Fortify is looking for specific keywords is that on the .Net side of things, I can include the Microsoft AntiXss assembly and call functions such as GetSafeHtmlFragment and UrlEncode and Fortify is happy.
Any advice?
Jarret R is right; you will need to use the rules builder to create a Dataflow Cleanse rule; specify the function name as lowercase and the language as “vb”.
Your rule should look something like this: