Classic Asp: Cookie corruption issue - cookies

There is an ASP application made to co-exist with other .NET web apps. The cookies for the ASP page are actually written to the client from an aspx page. So we have something like:
Response.Cookies("Credo")("ID") = "ido sans lum"
sent to the client.
The ASP page receives this cookie, but strangely gives corrupt results:
sID = Request.Cookies("Credo")("ID") ' this gives "idosanslum"
Unfortunately I don't understand why. I checked HTTP_COOKIE server variable in ASP, and even it said something like:
HTTP_COOKIE:...;Credo=ID=ido sans lum&DomainID=5&...;...
So I believe this means the cookie is being sent from the browser correctly, but Request.Cookies("Credo")("ID") is giving me wrong results.
Have I messed up some configuration, or is this a known bug?

There is a KB article on this problem at the Microsoft support site: http://support.microsoft.com/kb/262444
Hope this helps.
Update:
The proposed fix from the article is to encode your cookie content. In Classic ASP I think the following will work:
Response.Cookies("Credo")("ID") = Server.URLEncode("ido sans lum")
Please give it a go and let me know what you find.

Related

Online Web Word Office AddIn, Cannot store Cookies/Session (Chrome, Edge)

I have developed an Office.js add-in for Word, which is also supposed to work in online web Word. I'm using a cookie in my add-in, which I save using JS this way:
document.cookie = "firstrun=" + 1 + "; path=/Addin/";
and then accessing it from the .NET code-behind like this:
HttpCookie cookie = Request.Cookies["firstrun"];
It works perfectly for Windows Word and also online web Word in the Mozilla Firefox browser, but doesn't store any values when using online web Word in Chrome and MS Edge.
I couldn't really find out what the difference is. Why wouldn't Chrome and Edge work with add-in cookies in this way? Has anyone experienced such a thing?
P.S. I've also noticed that it doesn't store any session values. After this Session["User"] = user; Session["User"] is null in other pages. This also works perfectly in Firefox.
Thanks.
Any help will be appreciated

XSS DOM vulnerable

I tested a site for vulnerabilities (folder /service-contact) and a possible DOM XSS issue came up (using Kali Linux, Vega and XSSER). However, I tried to manually test the URL with an 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown; only the HTML code showed up in the contact form box.
I am not sure I used the right code (I'm a rookie) or did the right interpretation. The server is Apache, using JavaScript.
Can you help?
Thanks!
This is not vulnerable to XSS. Whatever you write in the URL appears in the form section below (Vraag/opmerking), and the double quotes (") are escaped. If you try another payload like <script>alert(/xss/)</script>, that also won't work, because this is neither reflecting nor storing. You will see the output as text in Vraag/opmerking. Don't rely on online scanners; test manually. For DOM-based XSS, check sinks and sources and analyze them.
The tool is right. There is an XSS vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see the <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the JavaScript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea<script>alert("test")</script></textarea>
A little note on testing for XSS injection: Chrome/Chromium has XSS protection, so this code doesn't exploit in this browser. For manual testing you can use Firefox or run Chrome with: --disable-web-security (see this StackOverflow Question and this for more information).
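The textarea break-out discussed in the two answers above, seen from the fixing side, as an added example that is not part of the original posts or the site's code: escaping only double quotes leaves the field open, while escaping <, > and & keeps the reflected value inside the <textarea>. The function names and the template are assumptions modelled on the rendered markup quoted above.

```javascript
// Added example: reflecting a URL path segment into a <textarea>.
// All function names are hypothetical; the template copies the markup quoted in the answer.

// Weak: only double quotes are escaped, which is the behaviour the first answer observed.
function escapeQuotesOnly(s) {
  return s.replace(/"/g, '&quot;');
}

// Hardened: escape every character that is significant in HTML text or attribute context.
// '&' must be replaced first so already-produced entities are not escaped twice.
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderForm(comment, escape) {
  return '<textarea rows="" cols="" id="comment" name="comment">' +
    escape(comment) + '</textarea>';
}

// Inside <textarea> the parser honours only the element's own end tag.
// The output is safe if the first "</textarea" is the one the template emits at the very end.
function breaksOutOfTextarea(html) {
  const open = html.indexOf('>') + 1; // end of the opening tag
  const firstClose = html.toLowerCase().indexOf('</textarea', open);
  const templateClose = html.length - '</textarea>'.length;
  return firstClose !== templateClose;
}

// Inputs taken from the thread: the first manual test and the PoC path segment.
const SAMPLES = ['alert("test")', '</textarea><script>alert("test")</script>'];

for (const input of SAMPLES) {
  console.log(JSON.stringify(input),
    'quotes-only breaks out:', breaksOutOfTextarea(renderForm(input, escapeQuotesOnly)),
    '| full escape breaks out:', breaksOutOfTextarea(renderForm(input, escapeHtml)));
}
```

The same check can run in a regression test against the real template, so that a later change to the escaping is caught before deployment.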

URL redirect plugin regex input for match and target

I'm panicking a little, so sorry if I haven't explained well enough.
I've dealt with quite the nightmare of a permalink restructuring experience
Old permalink= sitename/archives/postid
desired new= sitename/postname
I've tried everything, it seems. I've even dabbled with /?p=$1 (<-----that nonsense!). But now I'm getting some crazy error when I go to my old permalink structure that reads:
Oops! Google Chrome could not connect to 0.0.37.89
Suggestions:
Try reloading: 0.0.37.89
and this was supposed to be "redirected".
I give up. Please help.
sitename= brightontheday.com
I used the redirection plugin to redirect all old URL permalinks (/archives/postID) to the new permalink (/postID/postname)
Also, the issue appeared to be due to caching via Cloudflare. It's important to note that one should put Cloudflare in "developer mode" while making site-wide changes.

Facebook Like button doesn't show

I'm developing an RPG page and our Like button has disappeared.
I used the generator to create the code and tried the different versions thereof; none of them works.
I also used the LINTER and it shows no errors.
I asked my provider and they can find no error.
The page is http://www.wodgotham.com/ and next to the Facebook homepage link above the Twitter link the Like button should be.
I have looked through the code and stared myself blind... I don't know what to do.
Suggestions and assistance would be highly appreciated.
You're not using the code from the generator - you're trying to load
http://connect.facebook.net/us_US/all.js - us_US is not a valid locale
The Javascript console on my browser shows the error as a 500 error from that URL, which when clicked says /* Not a valid locale. */
I believe Igy is correct. "en_US" would be the valid locale.

How to set a website as homepage in IE, Firefox, Chrome and Safari with C++?

Is there a way to set a website like google.com as homepage through C++ or C? How?
Not sure what your motive is, but I don't think of this as something I want any code on my system to be setting out from under me. It sounds like the kind of thing adware/malware would do to your grandparents (who wouldn't know how to fix it once it's set). Note the negative comments when the question was asked of how to do it from JavaScript:
How can I set default homepage in FF and Chrome via javascript?
It's better to point people at instructions for doing it themselves. Remind with a banner which says "Make us your homepage!", and link to something along these lines:
http://www.makeuseof.com/tag/how-to-change-your-homepage-in-5-browsers/
If not for the aesthetic reasons, there are technical reasons not to try and write code for it. Each browser stores this information in its own place. In IE's case, there appears to be a registry setting:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
So you'd use calls to the Windows Registry API to query it and set it. But Firefox doesn't save this in the registry, it saves it in something called prefs.js and you'll be looking for:
user_pref("browser.startup.homepage", .... );
Then there's Opera, Safari, Chrome, etc. All told, better to just give people directions and put them in control of their experience!
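Imports Microsoft.Win32
...
Module Util
    ' Writes the Internet Explorer start page for the current user.
    Sub SetHomePage(ByVal theUrl As String)
        ' Registry.SetValue expects the full hive name, not the "HKCU" abbreviation.
        Registry.SetValue("HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Start Page", theUrl)
    End Sub
End Module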
Yes.
Find the way each browser saves its configuration to disk and edit that (*). It may be a file, or records in a database, or some data in a central registry, or some other scheme --- the browser documentation should tell you.
To open/read/write/save/close a file, the C functions declared in the header <stdio.h> may be helpful.
(*) For Firefox it's a file named "prefs.ini" in a directory somewhere under the user's home path; there may be more than one such file if the user has more than one profile.