Classic ASP security hardening
Reduced SQL injection risk in a business-critical legacy Classic ASP SaaS application by building a pragmatic automated safety net: production request replays executed via a console-hosted emulation layer plus a lightweight unit testing framework.
Role
Senior engineer
Timeframe
2017 (~2 months; exact months unknown)
Outcomes
- Enabled deployment with a clear understanding of the expected failure surface.
- Distinguished intentional injection attempts from legitimate traffic.
- Surfaced pre-existing bad-data bugs that became traceable.
Stack
- Classic ASP (VBScript), Microsoft IIS
- Request replay harness (IIS logs → replay fixtures)
- Console-hosted emulation layer for ASP runtime globals
- Custom `expects`-style unit testing framework
Writeup
Implemented field-aware input filtering rules (e.g., numeric-only, alphanumeric-only) and applied them broadly across sensitive inputs. Used high-fidelity replays of known-good production requests, including request bodies, to detect three kinds of exception: intentional content rejections, VBScript runtime errors, and database errors. Iteratively tuned rule strictness against those replay results to balance security against compatibility with legitimate traffic.
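As an added illustration (not the project's own code), a VBScript sketch of how field rules can raise a distinguishable rejection error and how a console-hosted replay run can then classify what each replayed request produced. ERR_INPUT_REJECTED, RulePattern, FilterField, ClassifyError and RunPage are assumed names, and the ADODB/OLE DB source check is a heuristic.

```vbscript
Option Explicit

' Custom error number for intentional content rejections. Raising it lets the
' replay harness tell a rejection apart from a VBScript runtime error or an
' ADO/database error, which carry different Err.Number / Err.Source values.
Dim ERR_INPUT_REJECTED
ERR_INPUT_REJECTED = vbObjectError + 1000

' Rule table: rule name -> anchored pattern. Extend per field as rules are tuned.
Function RulePattern(ruleName)
    Select Case ruleName
        Case "numeric"
            RulePattern = "^[0-9]+$"
        Case "alphanumeric"
            RulePattern = "^[A-Za-z0-9]+$"
        Case Else
            Err.Raise ERR_INPUT_REJECTED, "FilterField", "Unknown rule '" & ruleName & "'"
    End Select
End Function

' Return the raw value unchanged if it satisfies the rule; otherwise raise
' ERR_INPUT_REJECTED naming the field so the rejection is traceable in the report.
Function FilterField(fieldName, rawValue, ruleName)
    Dim re
    Set re = New RegExp
    re.Pattern = RulePattern(ruleName)
    If Not re.Test(CStr(rawValue)) Then
        Err.Raise ERR_INPUT_REJECTED, "FilterField", _
            "Field '" & fieldName & "' rejected by rule '" & ruleName & "'"
    End If
    FilterField = CStr(rawValue)
End Function

' Classify whatever a replayed page left in Err (call under On Error Resume Next).
' Category names are assumptions; the source-prefix test for ADO errors is a heuristic.
Function ClassifyError()
    If Err.Number = 0 Then
        ClassifyError = "ok"
    ElseIf Err.Number = ERR_INPUT_REJECTED Then
        ClassifyError = "intentional-rejection"
    ElseIf Left(Err.Source, 5) = "ADODB" Or InStr(Err.Source, "OLE DB") > 0 Then
        ClassifyError = "database-error"
    Else
        ClassifyError = "vbscript-error"
    End If
End Function

' Page usage:    accountId = FilterField("account_id", Request.Form("account_id"), "numeric")
' Harness usage: On Error Resume Next, replay one request via the hypothetical
'                RunPage() against the emulated Request, then WScript.Echo ClassifyError()
```

Counting the "intentional-rejection" category per field across a full replay set is what shows which rules are too strict for real traffic before deployment.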