I performed an OWASP ZAP security test on my Classic ASP application. It came back with a Format String Vulnerability.
The report says it used `ZAP%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s%n%s` as the attack for some form input field parameters (e.g. `username`).
The report suggests: "Rewrite the background program using proper deletion of bad character strings."
What does this actually mean in my case?
Is it enough in this case to replace special characters when using `request()`, e.g. to replace `%` in `request(username)`?
Or do I have to delete the bad characters on the client side?
Reference: https://www.owasp.org/index.php/Format_string_attack
It might be a false-positive. I would need to see more of your code and the input that was provided to it that triggered the warning from ZAP.
Taking any security-related action on the client side can never be trusted, because client-side validation can be circumvented with minimal know-how. You're left with performing sanitization on the server side, where the functions/subs doing the sanitization cannot be augmented.
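As an added example (not part of the original question or answers), this is what server-side validation of that parameter looks like in Classic ASP. Rather than stripping `%` (a blocklist, which is easy to get wrong and has to be extended every time a new "bad" character turns up), it rejects any `username` that does not match an assumed allowlist of 3 to 32 letters, digits, dots, underscores and hyphens; the ZAP probe string fails that check. It also reads `Request.Form("username")` explicitly rather than the bare `Request("username")`, which searches QueryString, Form, Cookies, ClientCertificate and ServerVariables in turn and so lets an attacker pick whichever collection you did not expect. VBScript itself has no printf-style formatting function that would interpret `%n` or `%s`, so the check matters only where the value is later handed to something that does (a native COM component, a log formatter, a database driver); the allowlist keeps the character out of that path regardless of where it would have ended up. The length limits and character set are assumptions for the example, not a policy from the page.

```vbscript
<%
' Added example: server-side allowlist validation for the "username" form
' field in Classic ASP. Not code from the original question or answers.
' Assumed policy: 3 to 32 characters, letters, digits, underscore, dot, hyphen.

Function IsValidUsername(value)
    Dim re
    Set re = New RegExp
    ' Anchored pattern: the whole value must match, so a stray "%" anywhere
    ' (as in ZAP's "ZAP%n%s%n%s..." probe) causes rejection.
    re.Pattern = "^[A-Za-z0-9_.\-]{3,32}$"
    re.IgnoreCase = False
    re.Global = False
    IsValidUsername = re.Test(value)
End Function

Dim username
' Read from the Form collection explicitly. Request("username") would also
' accept the value from the query string, cookies or server variables.
username = Request.Form("username")

If Not IsValidUsername(username) Then
    ' Reject rather than "clean up": a modified value is still attacker data,
    ' and an allowlist failure tells the caller exactly what was wrong.
    Response.Status = "400 Bad Request"
    Response.Write "Invalid username."
    Response.End
End If

' From here on, username contains only allowlisted characters, so no "%"
' reaches any downstream component that might treat it as a format directive.
' Sanity checks on the helper (constructed inputs):
'   IsValidUsername("alice_01")                      -> True
'   IsValidUsername("ZAP%n%s%n%s%n%s%n%s%n%s%n%s")   -> False  (contains "%")
'   IsValidUsername("ab")                            -> False  (too short)
Response.Write "Hello, " & Server.HTMLEncode(username)
%>
```

Note that `Server.HTMLEncode` at the output end is a separate concern from the input allowlist: the allowlist controls what the application accepts, the encoder controls how an accepted value is rendered into HTML, and a page needs both.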