Thanks for the great power of Twitter and TweetDeck, yesterday I was pointed to a terrifying bug in Request.QueryString method in the standard Classic ASP installation. THIS BUG DOES NOT EXISTS IN MY AXE FRAMEWORK (see the tests in the end).

Only God knows why for some mystical reason and under certain conditions Request.QueryString method do some automatic homoglyph (like α→a, τ→t) and homophone (like π→p) transformations in the incoming Unicode (UTF-16) QueryString helping unoccupied folks to XSS and SQLI your beloved application. Basically this stupid transformation implies that there are a lot of potential Unicode characters that can be used as '<' and ''' making the life of exploiters easier. For more information about this bug, read NoScript New Bypass Method by Unicode in ASP and Lost in Translation (ASP’s HomoXSSuality).

Since Microsoft isn't very active in supporting ASP nowadays, I've no clue if they will move a finger to fix this (usually they still release security patches). So I'm giving you Classic ASP developers the chance and the knowledge to fix this issue. Create a file named base.asp in your project and put the following code inside:

function AXE_GET(k) {
    var v = "",
        q = Request.ServerVariables("QUERY_STRING");
    try {
        v = decodeURIComponent(q);
        v = Request.QueryString(k);
    } catch(Ex) {
        var c = String(q).split('&'),
            j = k + '=';
        for(var i = 0, len = c.length; i < len; i++) {
            if( c[i].indexOf(j) === 0 ) {
                v = c[i].substring(j.length);
    return v;

Add this file to your application library (hope you made a request mapper):

<script runat="server" language="javascript" src="/lib/axe/base.asp"></script>

And replace all your Request.QueryString calls to AXE_GET:

dim name : name = Request.QueryString("name")' from this
dim name : name = AXE_GET("name")' to this

That's it, you are safer than before :D