Classic ASP Design Mistakes: OWASP & The Open Web Application Security Project

Who the hell still codes in old school ASP?

I still see classic ASP used for rapid prototyping, and I work for a large org that had lots of old code all over the place, so it is not uncommon to come across it as a professional software developer.

I get to work on and support a lot of stuff in my day job. C# MVC applications, Data Warehouses, Salesforce.com, Cloud Stuff, Legacy Code and how to tie all these things together.

ASP may be an old technology but I would suggest there are a lot of reasons to use it, including teaching computer programming and web development, prototyping and inexpensive solutions for businesses.

You can run it on your Windows 7 and later PCs, it runs on every new Microsoft server I’ve encountered, and it won’t cost your company a dime because it is already built-in.

Some other devs scoff at using Classic ASP but it really does have quite a lot to offer and it does all of it with just 7 objects. The simplicity is its power: you can still do a lot of “bread and butter” web functionality including AJAX calls with classic ASP.

I’m not here to debate whether developing in Classic ASP is either good or bad but I’ll say in my defense, you have to pick a tech stack and stick to it long-term to get traction on a big project like my side gig, https://www.finditclassifieds.com which I’ve been working on in my spare time for 21 years now.

I really felt the need to pick a technology or two or three and just get really good at those and make a bet on which technologies would be in production the longest so I would not be slowed by having to learn new languages, frameworks, databases and operating systems all the time.

So far I’ve guessed right. Over the years I’ve added PHP, Python and some others, but for more of the back end processing stuff. ASP is always sitting on top with web services under the hood written in any language.

If you’re still coding in ASP or you would like to learn, check out the tutorials on the W3Schools website.

https://www.w3schools.com/Asp/

Also make sure you’re coding your Classic ASP as securely as possible.

The OWASP site was very helpful with their documentation on ASP coding errors to watch out for. It brought some potential security issues to my attention and I am better for it.

Make sure to learn about the Open Web Application Security Project and check out their references on the most common ASP design mistakes that affect security.

https://www.owasp.org/index.php/Classic_ASP_Design_Mistakes

Improve Your Developer Skills by Reading Bug Bounty Reports

I’m a professional software developer who likes to dabble in hacking.

I recently started spending time seeking out information security enthusiasts and hacking professionals who publish reports on their bug bounty work.

If you’re not familiar with bug bounties, the simplest explanation is someone putting up a prize or bounty for bugs found on a specific application / website.

Most of the time, bug bounties are official events where you register and are given guidelines to follow in order to collect the bounty. That typically includes a good write up or report on how you discovered and exploited the bug and what type of bug it would be classified as, like a “reflected XSS” cross-site scripting bug.

I’m going to use this bug discovery report from Vedant Tekale, also known as “@Vegeta” on Twitter, as an excellent example of a bug bounty report where you can see the steps a hacker / attacker or bug bounty hunter would take to see if your website has a vulnerability that can be exploited.

As software developers interested in creating secure applications for our users, we should always be aware of what tactics and techniques a bad actor might use against the products and features we are building.

Vedant’s write up is basically a step by step of what hackers would be looking for. First, they looked for bugs like XSS, open redirect, server-side request forgery (SSRF) and insecure direct object references (IDOR), but found nothing.

With persistence, Vedant kept at it and found a bug in the password reset functionality, where the password reset feature was resetting the password to a brand new password on every forgot password attempt.

Also, rate limiting seemed to be missing, as 88 password reset attempts went unchallenged, so we’re guessing there was no rate limiting at all.
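A reset flow that avoids both problems described above, as an added example that is not from the original post or from Vedant’s report: a reset request only issues a single-use, expiring token and is rate limited per account, and the stored password changes only when that token is presented. The class name, the limits and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60     # assumed: reset links expire after 15 minutes
MAX_REQUESTS = 3        # assumed: reset requests allowed per account per window
WINDOW = 60 * 60        # assumed: rate-limit window of one hour


class ResetService:
    """In-memory sketch (hypothetical class); a real site would use its database."""

    def __init__(self, passwords):
        self.passwords = passwords   # email -> current password hash
        self.tokens = {}             # email -> (sha256 of token, expiry time)
        self.requests = {}           # email -> timestamps of recent requests

    def request_reset(self, email, now=None):
        """Return a token to e-mail, or None. The stored password is never touched."""
        now = time.time() if now is None else now
        recent = [t for t in self.requests.get(email, []) if now - t < WINDOW]
        if len(recent) >= MAX_REQUESTS:
            self.requests[email] = recent
            return None              # throttled: no new token, no e-mail sent
        self.requests[email] = recent + [now]
        if email not in self.passwords:
            return None              # unknown account: caller shows the same page
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.tokens[email] = (digest, now + TOKEN_TTL)   # replaces any older token
        return token

    def complete_reset(self, email, token, new_hash, now=None):
        """Change the password only when a valid, unexpired token is presented."""
        now = time.time() if now is None else now
        digest, expiry = self.tokens.get(email, ("", 0))
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.tokens[email]       # single use: the token cannot be replayed
        self.passwords[email] = new_hash
        return True
```

A production version would also throttle by client IP address and show the same response whether or not the request was throttled or the account exists.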

As a developer with a focus on security, I highly recommend adding reading bug bounty reports to your professional reading list. It will be a big eye opener for you if you’ve never tried hacking a web application before.

I’m on day 5 of chemo treatment for skin cancer and I think this is all I have in the tank tonight but I’m glad I got this blog post out before I have to put another round of chemo on my face for the night. It’s not pleasant. :-\

Hope this helps somebody. 😉
~CyberAbyss