WebApp Sec mailing list archives
RE: ASP security in HTML pages
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 22 Jun 2004 14:20:43 -0400
Benoni, Actually, neither of those are correct: 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it is, then perhaps you're saving it as an .HTML file. You should save it as a .ASP file instead. 2. DLLs called from ASP are NOT accessible in general, unless you mis-configure your server. DLLs on the server should not be stored in the same directory as your files, obviously. 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side scripting Languages) is to run code that the user on the other end does not see. That's why people use them. If it doesn't appear to be working, you probably have it mis-configured. Mike Michael Scovetta Computer Associates Senior Application Developer tel: +1 631 342 3139 cell: +1 813 727 5772 michael.scovetta () ca com
-----Original Message----- From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga] Sent: Tuesday, June 22, 2004 7:42 AM To: security-basics () securityfocus com; webappsec () securityfocus com Subject: ASP security in HTML pages Hi list, I have been googling around to know how secure can be ASP code, and I found what follows: - For a newbee, impossible to get the asp scripts inserted in an HTML page as they are not displayed in the client's browser, - Instead of just letting the ASP code in the HTML pages, we can create some DLLs for example, but a not-to-bad skilled hacker can get and reverse them. So, my question to you, skilled-people :) is: is there a way to get the asp scripts in a page the server does not send when a client's request arrives? There should be a way to ^perform that, but how tough is it? Thanks in advance, folks!
Current thread:
- ASP security in HTML pages Bénoni MARTIN (Jun 22)
- Re: ASP security in HTML pages Nasir Ghaznavi (Jun 23)
- Re: ASP security in HTML pages Lucas Holt (Jun 23)
- <Possible follow-ups>
- RE: ASP security in HTML pages Wolf, Yonah (Jun 23)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 24)
- RE: ASP security in HTML pages Auri Rahimzadeh (Jun 24)
- Re: ASP security in HTML pages Matt Fisher (Jun 26)
- RE: ASP security in HTML pages Auri Rahimzadeh (Jun 24)
- RE: ASP security in HTML pages Bénoni MARTIN (Jun 25)
- RE: ASP security in HTML pages Harrison Gladden (Jun 24)
- RE: ASP security in HTML pages Steve McCullough (Jun 26)
- RE: ASP security in HTML pages Dinis Cruz (Jun 27)
- RE: ASP security in HTML pages Harrison Gladden (Jun 24)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 28)
- Re: ASP security in HTML pages Dominic Cleal (Jun 29)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 28)
- RE: ASP security in HTML pages Dinis Cruz (Jun 28)