Security Basics mailing list archives

RE: ASP security in HTML pages


From: "Auri Rahimzadeh" <auri () auri net>
Date: Thu, 24 Jun 2004 16:04:25 -0500

Although, to be sure, if you don't have your server configured properly,
i.e. where ASP may be configured improperly, you can serve .asp files just
as if someone requested a .zip file -- it would send the whole file. The
easiest way to tell is when you try hitting an .asp file if IE renders a
page, or just asks you to download the document. I imagine this would be
rare in an IIS configuration, but if you're using something else then it may
be a situation more possible to encounter.

Best,

-Auri

: -----Original Message-----
: From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
: Sent: Tuesday, June 22, 2004 1:21 PM
: To: Bénoni MARTIN; security-basics () securityfocus com;
: webappsec () securityfocus com
: Subject: RE: ASP security in HTML pages
: 
: Benoni,
:    Actually, neither of those are correct:
: 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it
: is, then perhaps you're saving it as an .HTML file. You should save it as
: a .ASP file instead.
: 
: 2. DLLs called from ASP are NOT accessible in general, unless you mis-
: configure your server. DLLs on the server should not be stored in the same
: directory as your files, obviously.
: 
: 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side
: scripting languages) is to run code that the user on the other end does
: not see. That's why people use them. If it doesn't appear to be working,
: you probably have it mis-configured.
: 
: Mike
: 
: Michael Scovetta
: Computer Associates
: Senior Application Developer
: tel: +1 631 342 3139
: cell: +1 813 727 5772
: michael.scovetta () ca com
: 
: 
: > -----Original Message-----
: > From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
: > Sent: Tuesday, June 22, 2004 7:42 AM
: > To: security-basics () securityfocus com; webappsec () securityfocus com
: > Subject: ASP security in HTML pages
: >
: > Hi list,
: >
: > I have been googling around to know how secure ASP code can be, and I
: > found what follows:
: > - For a newbie, impossible to get the asp scripts inserted in an HTML
: > page as they are not displayed in the client's browser,
: > - Instead of just letting the ASP code in the HTML pages, we can create
: > some DLLs for example, but a not-too-bad skilled hacker can get and
: > reverse them.
: >
: > So, my question to you, skilled-people :) is: is there a way to get the
: > asp scripts in a page the server does not send when a client's request
: > arrives? There should be a way to perform that, but how tough is it?
: >
: > Thanks in advance, folks!
: >
: >
: 
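
Added example, not part of the original thread: a Python check for the two misconfigurations discussed above (an .asp file served with no script handler, and ASP code saved in a page the server does not process). The function name, verdict labels and sample responses are constructed for illustration.

```python
import re

# Classic ASP script blocks and directives: <% ... %>, <%= ... %>, <%@ ... %>
ASP_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)
# Content types that make a browser offer a download or show raw text
NOT_RENDERED = {"application/octet-stream", "application/x-zip-compressed", "text/plain"}

def classify_response(headers, body):
    """Classify one HTTP response to a request for a server-side page.

    Returns (verdict, reasons); verdict is "source-exposed" when unprocessed
    script reached the client, "suspicious" when only the headers look wrong,
    and "executed" when nothing indicates the handler was skipped.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    reasons = []
    leaked = bool(ASP_BLOCK.search(body))
    if leaked:
        reasons.append("body contains an unprocessed <% %> block")
    if ctype in NOT_RENDERED:
        reasons.append("content-type %r is a download/raw type" % ctype)
    if "attachment" in h.get("content-disposition", "").lower():
        reasons.append("Content-Disposition forces a download")
    if leaked:
        return "source-exposed", reasons
    return ("suspicious" if reasons else "executed"), reasons

# Constructed sample responses (not captured from any real server)
SAMPLES = {
    "handler mapped": ({"Content-Type": "text/html"},
                       "<html><body>Hello</body></html>"),
    "no handler": ({"Content-Type": "application/octet-stream"},
                   '<%@ Language=VBScript %>\n<% conn.Open "DSN=app" %>\n<html>'),
    "saved as .html": ({"Content-Type": "text/html; charset=utf-8"},
                       "<html><% Response.Write(Now) %></html>"),
    "binary download": ({"Content-Type": "application/octet-stream",
                         "Content-Disposition": "attachment; filename=x.asp"}, ""),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        verdict, why = classify_response(hdrs, body)
        print("%-16s %-15s %s" % (name, verdict, "; ".join(why)))
```

A page that legitimately documents ASP syntax would also match the `<% %>` pattern, so treat a "source-exposed" verdict as a prompt to inspect the response rather than as proof.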


