如何防止空字节注入从querystring

Nessus漏洞扫描程序是针对遗留代码网站运行的。有很多关于如何防止PHP的空字节注入攻击的建议，但我找不到任何关于用VBScript在经典ASP中修复这个问题的建议。

这是扫描器对我们公共站点的攻击:

http://www.mortgagedataweb.com/mds/marketshare/ParmsV2.asp?Menu=%00<"kzwezl%20>

我试图添加有效性检查的QueryString输入，但我的努力没有工作。关于%00的某些东西导致掩盖了我检查正确值的尝试。下面是一些相关的代码片段:

Function getUserInput(input)    
    Dim newString
    If Len(input) = 0 Then
        getUserInput = ""
        Exit Function
    End If
    newString = input        'this was omitted in original post but was in fact in the code
    newString = Replace(newString, Chr(0), "")  'I thought this would fix it !  
    newString = Replace(newString, "--", "")
    newString = Replace(newString, ";", "")          
    newString = Replace(newString, Chr(34),"'") 
    newString = Replace(newString, "'", "") 
    newString = Replace(newString, "=", "=") 
    newString = Replace(newString, "(", "[") 
    newString = Replace(newString, ")", "]")
    newString = Replace(newString, "'", "''")
    newString = Replace(newString, "<", "[")
    newString = Replace(newString, ">", "]")  
    newString = Replace(newString, "/*", "/") 
    newString = Replace(newString, "*/", "/")
    getUserInput = newString
End Function
implied_Menu = UCase(getUserInput(Request.QueryString("Menu")))  'store Menu value for Fast-Path link
Select Case implied_Menu
    Case "FHA_ZP", "C_ZP", "J_ZP", "F_ZP"
        implied_SQLName = MARKETSHAREZip
    Case "P_ALL", "P_MA", "P_ST", "P_ZP", "P_CT", "P_NATION"
        implied_SQLName = PMIMARKETSHARE
    Case "FHA_ALL_D", "FHA_MA_D", "FHA_ST_D", "FHA_CT_D", "FHA_ZP_D", "FHA_NATION_D"
        implied_SQLName = FHAMARKETSHAREDETAILS
    Case ""
        implied_SQLName = MARKETSHARE
    Case Else
        Response.Write("<h2>Invalid Menu parameter</h2>")
        Response.End
End Select

合适的Menu值是:

• 完全缺失(即Menu=不在QueryString中)
上面Select Case逻辑中勾画的有效值系列的一部分

在我的开发机器上，我可以将%00更改为%0，并将错误标记为Response.Write消息，然后标记为Response.End，但是关于%00的某些内容超出了我检查它的尝试。