Application Security Testing: An Integral Part of DevOps
by Paul DeBrino
The Request Object receives the values that the client's browser passed to the server during an HTTP request.
All of this data arrives in the HTTP request, which ASP exposes as the Request object. Whether it was posted from an online form you filled in or embedded in the URL as name-value pairs, it all ends up in the Request object. How does that happen? Parsing the request is a built-in feature of Microsoft IIS (Internet Information Services), whereas in environments such as Unix/Perl the script must parse and extract that information itself.
To make life a little simpler, the Request object has several "collections". A collection is simply a grouping that classifies the information being exchanged. For example, input-capable fields on a form sent via "method=post" end up in the Form collection, while name-value pairs sent in the URL (or from a form sent via "method=get") end up in the QueryString collection, and so on:
- ClientCertificate: The values of fields stored in the client certificate that is sent in the HTTP request.
- Cookies: The values of cookies sent in the HTTP request.
- Form: The values of form elements in the HTTP request body.
- QueryString: The values of variables in the HTTP query string.
- ServerVariables: The values of predetermined server/environment variables.
The syntax is:
All request object variables can be accessed directly by calling Request(variable) without the collection name. In this case, the Web server searches the collections in the following order:
If a variable with the same name exists in more than one collection, the Request object returns the first instance encountered. It is strongly recommended that, when referring to members of the ServerVariables collection, the full name be used. For example, rather than Request("AUTH_USER") use Request.ServerVariables("AUTH_USER").
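The shadowing problem described above, modelled as an added Python illustration (not code from the original article): an unqualified Request(name) lookup is resolved across the collections in order, so a client-supplied name can be returned in place of a server variable, while Request.ServerVariables(name) only ever consults the server-set collection. The search order used here is the documented classic ASP order (QueryString, Form, Cookies, ClientCertificate, ServerVariables), stated as an assumption because the article does not list it, and all request values are constructed sample data.

```python
# Added illustration, not from the original article: model of classic ASP's
# unqualified Request(name) resolution versus the qualified
# Request.ServerVariables(name) lookup, plus an audit helper.
from urllib.parse import parse_qs

# Assumed documented classic ASP search order for an unqualified Request(name).
LOOKUP_ORDER = ["QueryString", "Form", "Cookies", "ClientCertificate", "ServerVariables"]


def build_request(query: str, body: str, cookies: dict, server_vars: dict) -> dict:
    """Build the five Request collections from raw request pieces (constructed sample input)."""
    return {
        "QueryString": {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()},
        "Form": {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()},
        "Cookies": dict(cookies),
        "ClientCertificate": {},
        "ServerVariables": dict(server_vars),
    }


def unqualified_lookup(req: dict, name: str):
    """Model Request(name): return (collection, value) of the first match in LOOKUP_ORDER."""
    for coll in LOOKUP_ORDER:
        if name in req[coll]:
            return coll, req[coll][name]
    return None, ""


def server_variable(req: dict, name: str) -> str:
    """Model Request.ServerVariables(name): never consults client-supplied collections."""
    return req["ServerVariables"].get(name, "")


def shadowed_server_variables(req: dict) -> list:
    """Audit helper: server variables that an unqualified lookup would instead resolve
    from a collection the client controls (QueryString, Form, Cookies or ClientCertificate)."""
    return [(name, coll) for name in req["ServerVariables"]
            for coll, _ in [unqualified_lookup(req, name)]
            if coll != "ServerVariables"]


if __name__ == "__main__":
    # Constructed sample: IIS authenticated the visitor as "alice", but the URL also
    # carries a query-string parameter named AUTH_USER.
    req = build_request(query="page=1&AUTH_USER=admin", body="comment=hello",
                        cookies={"session": "abc123"},
                        server_vars={"AUTH_USER": "alice", "REMOTE_ADDR": "203.0.113.7"})
    print(unqualified_lookup(req, "AUTH_USER"))   # ('QueryString', 'admin')
    print(server_variable(req, "AUTH_USER"))      # alice
    print(shadowed_server_variables(req))         # [('AUTH_USER', 'QueryString')]
```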
The following script displays the Request.Form collection followed by the ServerVariables collection. Save it as "view_request.asp". To see it work, code your form with METHOD="post" and ACTION="view_request.asp".

<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit %>
<%
' Written by Paul DeBrino of Infinity Research and Development, Inc. (infinity-rd.com)
' Dumps all name-value pairs from the POST action, then follows that with the server variables.
' Every value is passed through Server.HTMLEncode before output, so whatever the client
' sent is displayed as text rather than interpreted as HTML by the browser.
%>
<%
' Sample of how to ensure the visitor arrived over an SSL secure channel:
' If (Request.ServerVariables("HTTPS") = "off") Then
'     Response.Redirect "https://" & Request.ServerVariables("SERVER_NAME") _
'         & Request.ServerVariables("PATH_INFO")
' End If
%>
<!-- Show greeting using selected server variables -->
<FONT SIZE=3>
Hello visitor from IP <%= Server.HTMLEncode(Request.ServerVariables("REMOTE_ADDR")) %>
<BR>Your browser identified itself as <%= Server.HTMLEncode(Request.ServerVariables("HTTP_USER_AGENT")) %>.
<P>
<!-- Show all form variables -->
<TABLE BORDER=2>
<TR>
  <TD><B>Form Variable</B></TD>
  <TD><B>Value</B></TD>
</TR>
<%
Dim Item
For Each Item In Request.Form
%>
<TR>
  <TD><FONT SIZE="-1"><%= Server.HTMLEncode(Item) %></FONT></TD>
  <TD><FONT SIZE="-1"><%= Server.HTMLEncode(Request.Form(Item)) %></FONT></TD>
</TR>
<% Next %>
</TABLE>
</P><P>
<!-- Show all server variables -->
<TABLE BORDER=2>
<TR>
  <TD><B>Server Variable</B></TD>
  <TD><B>Value</B></TD>
</TR>
<% For Each Item In Request.ServerVariables %>
<TR>
  <TD><FONT SIZE="-1"><%= Server.HTMLEncode(Item) %></FONT></TD>
  <TD><FONT SIZE="-1"><%= Server.HTMLEncode(Request.ServerVariables(Item)) %></FONT></TD>
</TR>
<% Next %>
</TABLE>
</P>
</FONT>
Infinity Research and Development, Inc.
a Web Hosting and Graphic Design Company