making an ASP form secure?
Old 08-21-2007, 02:32 PM making an ASP form secure?
Experienced Talker

Posts: 36
Hey all. I have an ASP form (http://www.eddiewalter.com/staging/contact.aspx) that I would like to make secure. How do I go about doing this?
edzdallas79 is offline
Old 08-21-2007, 02:42 PM Re: making an ASP form secure?
Half Man, Half Amazing

Posts: 3,024
Name: Forrest Croce
Location: Seattle, WA
Technically this is a question for the .net forum, but a lot of the concepts are the same. This thread will probably be moved, and there are .net specific security techniques and practices. But I'll give the resident experts some time to weigh in on general security issues.

But it's really difficult to give you much useful advice without knowing more than just what the form looks like. What do you do when the submit button is clicked? It's almost certain you stick the form fields in a database ... what type, specifically? Of course it would compromise security to say that in public, but on the other hand, if you're using a database engine that allows comments, it's important you either don't allow the comment marker ( -- or /* and */ for SQL Server ), or talk to the database through parameters.

I entered "Forrest>" as a first name, clicked submit, and was shown a 404. That suggests you've turned off the basic .net security that examines user input. The idea is that a user could type in malicious JavaScript and get you to broadcast it down to other clients of yours, so any input with angle brackets should throw an exception. Anyway, there are other things the security screening that's turned off does ... I would give that a lot of thought if your goal is to secure the application.
ForrestCroce is offline
Old 08-21-2007, 02:46 PM Re: making an ASP form secure?
Experienced Talker

Posts: 36
Actually, the form is just sent via email to me. Here's the code:

Code:
<%@ Page aspcompat=true %>
<%
' Read the posted fields (ASP.NET page in VB; aspcompat=true so CDO can be used)
Dim strName, strEmail, strTelephone, strAddress, strCity, strComments, myMail
strName = Request.Form("first_name") & " " & Request.Form("last_name")
strEmail = Request.Form("email")
strTelephone = Request.Form("telephone")
strAddress = Request.Form("address")
strCity = Request.Form("city")
' The comments text is read from the form field named "myMail"
strComments = Request.Form("myMail")

' Build the message with CDO; the user's input goes into the body unchanged
myMail = CreateObject("CDO.Message")
myMail.From = Trim(strEmail)
myMail.To = "deleted my email to avoid spam"
myMail.Subject = "North Texas Real Estate inquiry from " & Trim(strName)
myMail.TextBody = "Name: " & Trim(strName) & VbCrLf & _
    "Email: " & Trim(strEmail) & VbCrLf & _
    "Telephone: " & Trim(strTelephone) & VbCrLf & _
    "Address: " & Trim(strAddress) & VbCrLf & _
    "City: " & Trim(strCity) & VbCrLf & _
    "Comments: " & Trim(strComments)

' CDO configuration: send via SMTP (sendusing = 2) to the local mail server on port 25
myMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/con...tion/sendusing") = 2
myMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/con...ion/smtpserver") = "127.0.0.1"
myMail.Configuration.Fields.Item("http://schemas.microsoft.com/cdo/con...smtpserverport") = 25
myMail.Configuration.Fields.Update()
myMail.Send()
myMail = Nothing
Response.Redirect("thankyou.aspx")
%>
edzdallas79 is offline
Old 08-21-2007, 02:53 PM Re: making an ASP form secure?
Experienced Talker

Posts: 36
This post just got moved to the .net forum. I just wanted to mention that the form is coded in classic ASP. I don't know .net.
edzdallas79 is offline
Old 08-21-2007, 03:51 PM Re: making an ASP form secure?
Half Man, Half Amazing

Posts: 3,024
Name: Forrest Croce
Location: Seattle, WA
Interesting ... I didn't move it, actually; I was planning to, after a few of the regulars had a chance to give you some advice. But aspx as a page extension is asp.net, not asp classic or asp 3.0, which is what the other forum is for.

What specifically are you worried about, security wise?
ForrestCroce is offline
Old 08-21-2007, 03:53 PM Re: making an ASP form secure?
Experienced Talker

Posts: 36
Well, one of the things that I want to add to the site is a "get pre-approved" form which I want to be secure.
edzdallas79 is offline
Old 08-21-2007, 04:59 PM Re: making an ASP form secure?
Learning Newbie
Moderator

Posts: 4,983
Name: John Alexander
You're not saving the info to a database? Really?
Learning Newbie is offline
Old 08-21-2007, 05:11 PM Re: making an ASP form secure?
Experienced Talker

Posts: 36
No. Not at this time. I may in the future.
edzdallas79 is offline
Old 08-22-2007, 12:55 AM Re: making an ASP form secure?
Half Man, Half Amazing

Posts: 3,024
Name: Forrest Croce
Location: Seattle, WA
You might want to make that future tomorrow, but that's a different story.

It looks like your main concern is either that you could send one of your staff a virus? Or that an eavesdropper could read the message in transit? Something else?

You can prevent malicious scripts by enabling the built-in security, or just using replace functions to get rid of < and > characters. That will prevent a call to an external javascript that could run if your recipient uses a web interface to check their email.

You can use SSL to protect the data in transit. That means installing a certificate on the server, and then using https://example.com

If you're using asp.net, and determined to use emails, you might want to marshal the calls to actually send the email over to a single background thread, to prevent denial of service attacks. That would also make the page a little more responsive.

On that note, you probably want to make sure the same person can't send more than maybe three or five emails in a day. You can use sessions or an application-level hashtable to track IP addresses.

That's what comes to mind.
ForrestCroce is offline
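A handler built along the lines Forrest lists above, as an added example that is not the thread's own code: every field is HTML-encoded with HttpUtility.HtmlEncode (which covers more than just replacing < and >), and a per-IP daily counter kept in an Application-state Hashtable refuses a visitor after five messages. It assumes an ASP.NET 2.0 code-behind page in VB for contact.aspx, the field names from the posted code ("comments" is an assumed name for the comments field), the local SMTP relay on 127.0.0.1:25 from the post, and uses System.Net.Mail in place of CDO; the recipient address is a placeholder.

```vb
' Added example, not the thread's code. Assumes an ASP.NET 2.0 (VB) code-behind
' page for contact.aspx. Field names follow the posted handler; "comments" is
' an assumed name for the comments field. Uses System.Net.Mail instead of CDO.
Imports System
Imports System.Collections
Imports System.Net.Mail
Imports System.Web
Imports System.Web.UI

Partial Class Contact
    Inherits Page

    Private Const MaxPerDay As Integer = 5                          ' "three or five" a day
    Private Const CounterKey As String = "MailSenders"
    Private Const RecipientAddress As String = "owner@example.com"  ' placeholder

    ' True when this IP address has already sent MaxPerDay messages today;
    ' otherwise records one more. The Hashtable lives in Application state,
    ' so it is shared by every visitor and reset when the application restarts.
    Private Function OverDailyQuota(ByVal ip As String) As Boolean
        Application.Lock()
        Try
            Dim counters As Hashtable = TryCast(Application(CounterKey), Hashtable)
            If counters Is Nothing Then
                counters = New Hashtable()
                Application(CounterKey) = counters
            End If
            ' Key on address plus UTC date so the count rolls over each day
            Dim entryKey As String = ip & "|" & DateTime.UtcNow.ToString("yyyy-MM-dd")
            Dim count As Integer = 0
            If counters.ContainsKey(entryKey) Then count = CInt(counters(entryKey))
            If count >= MaxPerDay Then Return True
            counters(entryKey) = count + 1
            Return False
        Finally
            Application.UnLock()
        End Try
    End Function

    ' Trims a posted field and HTML-encodes it, so "<", ">" and quotes arrive
    ' as text rather than as tags if the inquiry is read through webmail.
    Private Function SafeField(ByVal name As String) As String
        Dim raw As String = Request.Form(name)
        If raw Is Nothing Then Return ""
        Return HttpUtility.HtmlEncode(raw.Trim())
    End Function

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
        If Request.HttpMethod <> "POST" Then Return

        If OverDailyQuota(Request.UserHostAddress) Then
            ' Over quota: skip the expensive SMTP round trip entirely
            Response.Redirect("thankyou.aspx")
            Return
        End If

        ' The sender address becomes a mail header, so validate it as an
        ' address instead of HTML-encoding it; MailAddress throws on junk.
        Dim rawEmail As String = Request.Form("email")
        If rawEmail Is Nothing Then rawEmail = ""
        Dim fromAddress As MailAddress = Nothing
        Try
            fromAddress = New MailAddress(rawEmail.Trim())
        Catch ex As ArgumentException        ' empty address
            Response.Redirect("contact.aspx")
            Return
        Catch ex As FormatException          ' malformed address
            Response.Redirect("contact.aspx")
            Return
        End Try

        Dim name As String = SafeField("first_name") & " " & SafeField("last_name")
        Dim body As String = "Name: " & name & vbCrLf & _
            "Email: " & fromAddress.Address & vbCrLf & _
            "Telephone: " & SafeField("telephone") & vbCrLf & _
            "Address: " & SafeField("address") & vbCrLf & _
            "City: " & SafeField("city") & vbCrLf & _
            "Comments: " & SafeField("comments")

        Dim msg As New MailMessage(fromAddress, New MailAddress(RecipientAddress))
        msg.Subject = "North Texas Real Estate inquiry from " & name
        msg.Body = body
        msg.IsBodyHtml = False                           ' plain text, as in the post

        Dim client As New SmtpClient("127.0.0.1", 25)   ' local relay, as in the post
        client.Send(msg)
        Response.Redirect("thankyou.aspx")
    End Sub
End Class
```

The Application.Lock/UnLock pair matters because every request on the site shares the one Hashtable; without it two simultaneous submits can both read the same count and both get through. Application state is per worker process, so the counter starts over whenever the application pool recycles, which is acceptable for a quota of a few messages a day.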
Old 08-22-2007, 01:04 AM Re: making an ASP form secure?
Experienced Talker

Posts: 36
Wow. Way over my head. My biggest concern is just preventing an eavesdropper from reading it in transit. I'll get an SSL certificate for that.

And I'm pretty sure I can figure out how to replace the < and >. Or..... how do you turn on the built-in security? Although I'm not really concerned about scripting. All of the emails come directly to me via Outlook, and I have my Outlook pretty secure.

Beyond that, your last 2 ideas are above my head. Would you care to explain more?
edzdallas79 is offline
Old 08-22-2007, 01:46 AM Re: making an ASP form secure?
Half Man, Half Amazing

Posts: 3,024
Name: Forrest Croce
Location: Seattle, WA
Try VbCrLf & "Comments: " & Replace(Trim(strComments), "<", "&lt;") in asp classic, or VbCrLf & "Comments: " & Trim(strComments).Replace(">", "&gt;") in .net for starters. But it sounds like that's not much of a concern. It's been a while since I've turned the built-in validation on or off ... it's a page directive, but I can't remember which one; probably also in web.config. Searching on MSDN should be fruitful.

Once the email is created on the web server with your asp code, and then sent ... is this inside your own private network? There are two "in transit" paths - from the client's web browser to your web server, then from your mail server to the recipient's Outlook box. An SSL cert will secure the first part; if the second happens inside your network, you're okay on that end.

A denial of service attack is when a hacker tries to bring down a web site by pegging the CPU. You removed the email address to prevent spam; imagine instead if some punk finds your page, and keeps hitting submit and refresh. That's not just spam, it's going to slow your site down, because creating and sending an email is a pretty "expensive" or slow thing to do. I wasn't sure what exactly you were trying to secure, so I'm making general suggestions. Those last two are pretty elaborate, and mainly help with just one specific issue.
ForrestCroce is offline
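The "single background thread" Forrest mentioned in his earlier post, as an added example that is not the thread's own code: page requests drop the finished MailMessage into a bounded queue and return at once, and one worker thread drains the queue and talks to SMTP, so a visitor hammering submit and refresh costs the site one sender thread rather than one slow SMTP session per request, and once the queue is full further submits are refused instead of piling up. It assumes ASP.NET 2.0 in VB, that MailQueue.Start() is called once from Application_Start in Global.asax, and the local relay at 127.0.0.1:25 from the posted code.

```vb
' Added example, not the thread's code. Assumes ASP.NET 2.0 (VB) and that
' MailQueue.Start() is called once from Application_Start in Global.asax.
Imports System
Imports System.Collections.Generic
Imports System.Diagnostics
Imports System.Net.Mail
Imports System.Threading

Public NotInheritable Class MailQueue
    Private Sub New()
    End Sub

    Private Const MaxPending As Integer = 100            ' back-pressure limit
    Private Shared ReadOnly Pending As New Queue(Of MailMessage)()
    Private Shared ReadOnly Gate As New Object()
    Private Shared ReadOnly Wakeup As New AutoResetEvent(False)
    Private Shared Worker As Thread

    ' Starts the one sender thread. A background thread does not keep the
    ' worker process alive when the application shuts down.
    Public Shared Sub Start()
        SyncLock Gate
            If Worker IsNot Nothing Then Return
            Worker = New Thread(AddressOf Drain)
            Worker.IsBackground = True
            Worker.Name = "mail-sender"
            Worker.Start()
        End SyncLock
    End Sub

    ' Called from the page. Never touches SMTP, so the request returns at
    ' once. Returns False when the queue is full: the caller should tell the
    ' visitor to try again later rather than queue unbounded work.
    Public Shared Function TryEnqueue(ByVal msg As MailMessage) As Boolean
        SyncLock Gate
            If Pending.Count >= MaxPending Then Return False
            Pending.Enqueue(msg)
        End SyncLock
        Wakeup.Set()
        Return True
    End Function

    ' The only place SMTP is spoken to: one connection object, messages sent
    ' one after another, so a burst of submits never spawns extra threads.
    Private Shared Sub Drain()
        Dim client As New SmtpClient("127.0.0.1", 25)   ' local relay, as in the post
        While True
            Wakeup.WaitOne()
            Do
                Dim msg As MailMessage = Nothing
                SyncLock Gate
                    If Pending.Count > 0 Then msg = Pending.Dequeue()
                End SyncLock
                If msg Is Nothing Then Exit Do
                Try
                    client.Send(msg)
                Catch ex As SmtpException
                    ' Log and drop: one rejected message must not stall the queue
                    Trace.WriteLine("mail send failed: " & ex.Message)
                Finally
                    msg.Dispose()
                End Try
            Loop
        End While
    End Sub
End Class
```

From the form page, after building the MailMessage, the call is simply If Not MailQueue.TryEnqueue(msg) Then show a "please try again later" message; the page no longer waits on the mail server at all. The queue cap and the per-IP daily quota address different things: the quota limits one address over a day, the cap limits how much unsent work the site will ever hold at one moment.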
Old 08-22-2007, 01:53 AM Re: making an ASP form secure?
Experienced Talker

Posts: 36
OK. I'll update the ASP code to replace the <. But it looks to me like that tells it to replace < with <. Am I reading it wrong?

I don't think that the email is sent inside my own private network. It's all done on a shared server.
edzdallas79 is offline