Security Basics mailing list archives
RE: ASP security in HTML pages
From: "Auri Rahimzadeh" <auri () auri net>
Date: Thu, 24 Jun 2004 16:04:25 -0500
Although, to be sure, if you don't have your server configured properly, i.e. where ASP may be configured improperly, you can serve .asp files just as if someone requested a .zip file -- it would send the whole file. The easiest way to tell is whether, when you try hitting an .asp file, IE renders a page or just asks you to download the document. I imagine this would be rare in an IIS configuration, but if you're using something else then it may be a situation more possible to encounter.

Best,
-Auri

: -----Original Message-----
: From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
: Sent: Tuesday, June 22, 2004 1:21 PM
: To: Bénoni MARTIN; security-basics () securityfocus com;
: webappsec () securityfocus com
: Subject: RE: ASP security in HTML pages
:
: Benoni,
: Actually, neither of those are correct:
: 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it
: is, then perhaps you're saving it as an .HTML file. You should save it as
: a .ASP file instead.
:
: 2. DLLs called from ASP are NOT accessible in general, unless you
: mis-configure your server. DLLs on the server should not be stored in the
: same directory as your files, obviously.
:
: 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side
: scripting languages) is to run code that the user on the other end does
: not see. That's why people use them. If it doesn't appear to be working,
: you probably have it mis-configured.
:
: Mike
:
: Michael Scovetta
: Computer Associates
: Senior Application Developer
: tel: +1 631 342 3139
: cell: +1 813 727 5772
: michael.scovetta () ca com
:
:
: > -----Original Message-----
: > From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
: > Sent: Tuesday, June 22, 2004 7:42 AM
: > To: security-basics () securityfocus com; webappsec () securityfocus com
: > Subject: ASP security in HTML pages
: >
: > Hi list,
: >
: > I have been googling around to know how secure ASP code can be, and I
: > found what follows:
: > - For a newbie, impossible to get the asp scripts inserted in an HTML
: > page as they are not displayed in the client's browser,
: > - Instead of just letting the ASP code in the HTML pages, we can create
: > some DLLs for example, but a not-too-bad skilled hacker can get and
: > reverse them.
: >
: > So, my question to you, skilled-people :) is: is there a way to get the
: > asp scripts in a page the server does not send when a client's request
: > arrives? There should be a way to perform that, but how tough is it?
: >
: > Thanks in advance, folks!
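An added example, not part of the original thread: a small self-check an administrator could run against responses from their own server to spot the two misconfigurations discussed above (a script served as a download, and ASP code saved in a file the server does not execute). The function name, finding codes and sample responses are hypothetical and constructed for illustration.

```python
import re

# Classic ASP delimiters; an executed page never contains them unescaped.
SCRIPT_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)


def check_response(headers, body):
    """Return finding codes for one HTTP response to a request for a script URL."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip()
    # A browser offers a download instead of rendering in these two cases.
    if ctype == "application/octet-stream" or "attachment" in h.get("content-disposition", ""):
        findings.append("served-as-download")
    # Raw <% ... %> in the body means the script was sent, not executed.
    # Pages that merely display such code escape it as &lt;% ... %&gt;.
    if SCRIPT_BLOCK.search(body):
        findings.append("script-source-in-body")
    return findings


# Constructed sample responses (not captured from any real server).
EXECUTED = ({"Content-Type": "text/html"},
            "<html><body>Hello, visitor</body></html>")
RAW_DOWNLOAD = ({"Content-Type": "application/octet-stream"},
                '<%@ Language=VBScript %>\n<% Response.Write("Hello, visitor") %>')
SAVED_AS_HTML = ({"Content-Type": "text/html"},
                 '<html><body><% Response.Write("Hello, visitor") %></body></html>')

if __name__ == "__main__":
    samples = [("executed", EXECUTED), ("raw download", RAW_DOWNLOAD),
               ("saved as .html", SAVED_AS_HTML)]
    for name, (hdrs, body) in samples:
        print(f"{name}: {check_response(hdrs, body) or 'ok'}")
```
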