
Can I detect what URL the user has entered in the address bar?

PSchubert

Technical User
Jun 6, 2006
Hi all,

I'm using classic asp, and I want to screen against url manipulation. I'd like to capture what the user has entered in the address/location bar before it is executed on the server, and if it doesn't match a whitelist, redirect. If there's a way to do it, I know I'll find out here, because you people rock!

Thanks.
 
Thanks for your response, johnwm. I'd come across that page previously in my searches, but I didn't succeed applying it to my need. For example: let's say I have a database at I'd want to prevent a user accessing that file from typing that URL into their browser's address bar, so between them pressing enter and the server processing the request, I'd want to intervene with the screening. Or, let's say there is a hacker who discovers a way to gain unauthorized access by typing certain unpredictable malicious strings into the address bar and pressing enter. I would want to intercept and screen out that attempt. The problem on which I am stumped is how do I use a script in my document to identify the string in the client's browser's address bar when the client's browser has the focus, and the document doesn't? Now that I've phrased it that way for the first time, it sounds like it's not possible! But I've learned enough to believe that anything is possible.
 
I fear you are trying to solve the wrong problem.
1. You should not have your database in any directory that is publicly accessible.
2. Nothing you can do will prevent hackers from typing certain unpredictable malicious strings into the address bar and pressing enter.
3. Any queries to a database should be done using parameter queries and all user input should be sanitised.

If you want the best response to a question, please check out FAQ222-2244 first.
'If we're supposed to work in Hex, why have we only got A fingers?'
Drive a Steam Roller
 
You're right, of course, and I have done 1 and 3. This post is an attempt to augment those precautions, especially as pertaining to 2. Maybe I am trying to do something that isn't possible... I guess there's a first time for everything.
 
PSchubert said:
Maybe I am trying to do something that isn't possible
No, it's very possible to do that, and johnwm showed you exactly how (and according to your post, you are already doing it as well).

PSchubert said:
I'd like to capture what the user has entered in the address/location bar before it is executed on the server
It is your code that executes anything on the server, so before your code executes anything, you should examine the query strings and user input, and sanitize it... only if the values are what you expect in the given context do you continue to execute your other code.

Is there a particular weakness in your code that you spotted?
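An added example in classic ASP (VBScript), not code from the thread: it does what johnwm's point 3 and this reply describe, rejecting any request whose query string does not match a whitelist before any other server code runs, then passing the value to the database as a typed parameter instead of concatenating it into SQL. The table `Products`, the column `ProductID` and `Application("ConnString")` are assumed for illustration.

```vbscript
<%
Option Explicit
' Added example (not from the thread): reject any request whose query string
' does not match a whitelist before any server code runs, then query the
' database through an ADODB parameterised command. The table "Products",
' the column "ProductID" and Application("ConnString") are assumed.

' True only if the query string carries exactly the parameters we expect
' and each value matches its allowed pattern.
Function QueryStringIsValid()
    Dim key, re
    QueryStringIsValid = False

    ' Any parameter name we did not anticipate fails the whole request.
    For Each key In Request.QueryString
        If LCase(key) <> "id" Then Exit Function
    Next

    ' "id" is required and must be a positive integer of at most 9 digits;
    ' a missing or repeated id (which reads as "1, 2") also fails this test.
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If Not re.Test(Request.QueryString("id")) Then Exit Function

    QueryStringIsValid = True
End Function

If Not QueryStringIsValid() Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid request."
    Response.End
End If

' The value travels as a typed parameter and is never concatenated into SQL.
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open Application("ConnString")
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT Name, Price FROM Products WHERE ProductID = ?"
cmd.CommandType = 1   ' adCmdText
' adInteger = 3, adParamInput = 1
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , CLng(Request.QueryString("id")))
Set rs = cmd.Execute
Do While Not rs.EOF
    Response.Write Server.HTMLEncode(rs("Name")) & ": " & rs("Price") & "<br>"
    rs.MoveNext
Loop
rs.Close : conn.Close
%>
```

The whitelist is per page: each ASP file lists only the parameter names and value patterns it actually uses, so anything else in the address bar is refused before the database is touched.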
 
Thanks for responding, guitrzan. Ultimately what I'm trying to do is protect my asp code from being viewed. I'm aware of the old ::$DATA bug, whereby a user could view the code simply by appending "::$DATA" to the URL. While this is now a non-issue, what if in the future a different method is discovered that similarly uses URL manipulation? This is what I'm trying to be proactive about preventing. Any thoughts?
 
I am not familiar with the bug you are referring to. Do you have a link explaining it?
 