Classic ASP cookie with no name hacking attack causing error 80004005

By · July 31, 2015 · 0 comments

As of July 2015, many of my Classic ASP websites have started logging strange errors, either 80004005 or not reporting any error code at all.

After carefully looking through the HTTP headers for these requests I found a common link: they all had at least one cookie with no name.

It appears that Classic ASP can't handle this and will stop executing your script with an error whenever a cookie with no name exists and you attempt to access the cookies, either by Request.Cookies(), Response.Cookies() or Request().

These requests are obviously some type of attack on the website, and based on forum posts and Q&A website posts I have seen, many other sites have been attacked starting around the same time.

It could possibly be a denial of service attack. By causing these types of errors some websites may eventually stop working due to not closed or destroying certain objects.

Alternately it could be some sort of other attack not specifically for Classic ASP websites using cookie names normally used by common website platforms with values that may be intended to cause issues or gain access.

To avoid this problem I looked at several alternatives but the simplest one for me to implement was to add some code to check whether the cookies could be read and terminate the script if it they couldn't be read, using error trapping. As most of my Classic ASP websites have an "include" file that is used by all scripts this only needed to be added in one place.

On Error Resume Next
Request.Cookies("test")
If Err.Number <> 0 Then Response.End
On Error Goto 0

There are other interesting options including IIS URL rewrite rules and regular expressions. There has been some interesting discussion at forums.iis.net.
Read more...
Classic ASP

Get the latest posts delivered to your inbox.

Comments

There are no comments yet. Be the first to leave a comment!

Leave a Comment

All comments are moderated and rel="nofollow" is in use. Avatars are sourced from gravatar.com – a globally recognised avatar.

Type the numbers from the picture above

About me
John Avis ...mostly about web development and programming, with a little bit of anything else related to the Internet, computers and technology.

profile for John at Stack Overflow, Q&A for professional and enthusiast programmers
Subscribe

Get the latest posts delivered to your inbox. *