Code Evaluation (ASP)
Description
This vulnerability occurs when user-controlled input is passed directly into ASP evaluation functions (such as eval() or Execute()) without proper validation or sanitization. When exploited, attackers can inject and execute arbitrary ASP code on the server, effectively gaining the ability to run malicious commands with the privileges of the web application. This is a critical server-side code injection vulnerability that can lead to complete system compromise.
Remediation
Eliminate the use of dynamic code evaluation functions whenever possible. Follow these remediation steps:
1. Remove eval() and Execute() functions - Refactor code to avoid dynamic evaluation entirely. Use alternative approaches such as conditional statements, lookup tables, or predefined function calls.
2. If evaluation is absolutely necessary, implement strict input validation:
   • Use allowlists to permit only specific, predefined values
   • Reject any input containing special characters or code syntax
   • Validate input against a strict pattern (e.g., alphanumeric only)
3. Example of unsafe code to avoid:
    userInput = Request.QueryString("calc")
    Execute(userInput) ' UNSAFE - allows arbitrary code execution
4. Example of safer alternative using conditional logic (value1 and value2 are assumed to be numeric operands that were already parsed and validated):
    userInput = Request.QueryString("operation")
    Select Case userInput
        Case "add"
            result = value1 + value2
        Case "subtract"
            result = value1 - value2
        Case Else
            ' Reject invalid input
            Response.Write "Invalid operation"
    End Select
5. Apply defense in depth - Run the application with minimal privileges and implement additional security controls such as Web Application Firewalls (WAF) to detect injection attempts.
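A fuller version of the safer alternative in step 4, added here as an example and not code from the original page: it combines the pattern check and allowlist from step 2 with Select Case dispatch, so nothing taken from the request ever reaches Execute() or Eval(). The parameter names operation, a and b and the set of permitted operations are assumptions.

```vbscript
<%
Option Explicit
' Added example, not from the original page: a Classic ASP handler that
' dispatches on an allowlist instead of passing input to Execute()/Eval().
' Parameter names and the permitted operations are assumptions.
' Lookup table of permitted operation names (the allowlist).
Dim allowedOps
Set allowedOps = Server.CreateObject("Scripting.Dictionary")
allowedOps.Add "add", True
allowedOps.Add "subtract", True

' Strict pattern check before the lookup: lowercase letters only, 1 to 16 chars.
Function IsValidOpName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[a-z]{1,16}$"
    IsValidOpName = re.Test(s)
End Function

' Operands are converted to numbers; they are never interpreted as code.
Function TryParseOperand(s, ByRef n)
    TryParseOperand = False
    If IsNumeric(s) Then
        n = CDbl(s)
        TryParseOperand = True
    End If
End Function

' Only the operations named here can ever run.
Function Calculate(op, a, b)
    Select Case op
        Case "add":      Calculate = a + b
        Case "subtract": Calculate = a - b
    End Select
End Function

Dim op, a, b
op = CStr(Request.QueryString("operation"))
If Not (IsValidOpName(op) And allowedOps.Exists(op)) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid operation"   ' reject anything not on the allowlist
ElseIf Not (TryParseOperand(CStr(Request.QueryString("a")), a) And _
            TryParseOperand(CStr(Request.QueryString("b")), b)) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid operand"
Else
    Response.Write Server.HTMLEncode(CStr(Calculate(op, a, b)))
End If
%>
```

Because the dispatch is a fixed Select Case and the operands are coerced to numbers, a request such as operation=add&a=2&b=3 returns 5 while any other operation name or non-numeric operand is rejected with a 400 before any computation happens.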