WebApp Sec mailing list archives
RE: Prevent security bypass
From: Kim Christiansen <kcn () carlbro com>
Date: Wed, 5 Feb 2003 09:43:29 +0100
Hi,

Reading the suggested solutions I would say the less drastic (but maybe not the most secure) solution is to convert/rename your HTML pages to ASP. Actually the only thing needed is renaming the documents and applying your authentication script.

Performance should not be an issue (at least nothing that matters) here since IIS compiles the ASP pages and only recompiles when the files are changed; the "html" pages would not be recompiled that often.

Extract from MSDN:

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Improved Performance for HTML Files Saved as .ASP

Prior to IIS 5.0, saving HTML pages with an .asp extension would have performance costs regardless of whether the HTML pages contained script. For this reason, HTML pages without any ASP code would not be saved with an .asp extension. Now, in IIS 5.0, .asp files that do not contain ASP code are processed nearly as fast as if they were saved with .htm or .html extensions. This is really an administrative benefit that allows you to save all of your HTML pages with an .asp extension, preventing the need to redirect should you later add ASP code to your pages.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

-Kim
--- Chris Neil <Chris.Neil () abs-ltd com> wrote:

> I am new to this mailing list and so hope this conforms to the guidelines as I read them.
>
> How do people address the issue of non-authenticated users requesting html pages directly from a site without logging in? FYI. This is an IIS server. Our asp pages check the user is logged in, but with html pages we cannot.
>
> My only idea so far is to convert all our html pages to asp. Is there anything less drastic?
>
> Chris Neil
> Security Officer
> Chris.Neil () abs-ltd com
> -------------------------------------------
> ABS
> Tel: +44 (0) 1993 771221
> Fax: +44 (0) 1993 775081
> -------------------------------------------
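An added example, not part of the original post and not code from anyone in the thread: a Python audit of a web root that lists the .htm/.html pages the server would hand out without running the login check, and the .asp pages that never pull the check in. The include name `auth_check.asp` and the sample site are assumptions constructed for illustration.

```python
import os
import re
import tempfile

STATIC_EXTS = {".htm", ".html"}   # served without any ASP login check
AUTH_INCLUDE = "auth_check.asp"   # hypothetical name of the site's login-check include
# Classic ASP server-side include directive: <!-- #include file="..." -->
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)

def audit_webroot(root, auth_include=AUTH_INCLUDE):
    """Return (static_pages, unguarded_asp) as sorted lists of relative paths."""
    static_pages, unguarded = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in STATIC_EXTS:
                static_pages.append(rel)          # still needs renaming to .asp
            elif ext == ".asp" and name.lower() != auth_include.lower():
                with open(path, encoding="latin-1") as fh:
                    targets = INCLUDE_RE.findall(fh.read())
                names = {t.replace("\\", "/").rsplit("/", 1)[-1].lower()
                         for t in targets}
                if auth_include.lower() not in names:
                    unguarded.append(rel)         # renamed, but check never applied
    return sorted(static_pages), sorted(unguarded)

def build_sample_site(root):
    """Write a small constructed site used only to demonstrate the audit."""
    pages = {
        "auth_check.asp": "<% ' login check lives here (constructed) %>\n",
        "index.asp": '<!-- #include file="auth_check.asp" -->\n<html>home</html>\n',
        "help.HTM": "<html>help</html>\n",
        "reports/q1.html": "<html>Q1</html>\n",
        "reports/q2.asp": "<html>Q2, renamed but no include</html>\n",
    }
    for rel, body in pages.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        static_pages, unguarded = audit_webroot(site)
        print("static pages with no login check:", static_pages)
        print(".asp pages missing the include:", unguarded)
```

The second list matters after a bulk rename: a page that became .asp but never received the include is as reachable as the original .html was.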