WebApp Sec mailing list archives

RE: Prevent security bypass

From: Kim Christiansen <kcn () carlbro com>
Date: Wed, 5 Feb 2003 09:43:29 +0100

Hi,

Reading the suggested solutions I would say the less drastic (but maybe not
the most secure) solution is to convert/rename your HTML pages to ASP.
Actually the only thing needed is renaming the documents and apply your
authentication script.

Performance should not be an issue (at least nothing that matters) here
since IIS compiles the ASP pages and only recompiles when the files are
changed, the "html" pages would not be recompiles that often.

extract from msdn:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++
Improved Performance for HTML Files Saved as .ASP
Prior to IIS 5.0, saving HTML pages with an .asp extension would have
performance costs regardless of whether the HTML pages contained script. For
this reason, HTML pages without any ASP code would not be saved with an .asp
extension. Now, in IIS 5.0, .asp files that do not contain ASP code are
processed nearly as fast as if they were saved with .htm or .html
extensions. This is really an administrative benefit that allows you to save
all of your HTML pages with an .asp extension, preventing the need to
redirect should you later add ASP code to your pages
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++

-Kim


 --- Chris Neil <Chris.Neil () abs-ltd com> escribió: > I
am new to this mailing list and so hope this

conforms to the guidelines as
I read them.

How do people address the issue of non-authenticated
users requesting html
pages directly from a site without logging in?

FYI. This is an IIS server. Our asp pages check the
user is logged in, but
with html pages we cannot.
My only idea so far is to convert all our html pages
to asp. Is there
anything less drastic?


Chris Neil
  Security Officer
  Chris.Neil () abs-ltd com
-------------------------------------------
ABS 
  Tel:     +44 (0) 1993 771221
  Fax:    +44 (0) 1993 775081
-------------------------------------------


=====


_________________________________________________________
Do You Yahoo!?
Información de Estados Unidos y América Latina, en Yahoo! Noticias.
Visítanos en http://noticias.espanol.yahoo.com

Current thread:

Re: Prevent security bypass, (continued)
- - Re: Prevent security bypass Adrian Wiesmann (Feb 04)
- Re: Prevent security bypass sunzi (Feb 07)
  - Re: Prevent security bypass Ernie Nelson (Feb 07)
    - HTTP Header and POST Data Exploitation Rahul Chander Kashyap (Feb 08)
    - RE: HTTP Header and POST Data Exploitation Indian Tiger (Feb 09)
- Re: Prevent security bypass Ken Rachynski (Feb 04)
- RE: Prevent security bypass David Cameron (Feb 04)
  - RE: Prevent security bypass Vinny Bedus (Feb 05)
    - Re: Prevent security bypass Chris Travers (Feb 05)
- RE: Prevent security bypass Logan F.D. Greenlee (Feb 05)
- RE: Prevent security bypass Kim Christiansen (Feb 05)
- RE: Prevent security bypass Mark Mcdonald (Feb 05)
  - Re[2]: Prevent security bypass M. Austin Hill (Feb 05)
  - RE: Prevent security bypass TUER, DON (Feb 06)
    - Re: Prevent security bypass Alex Russell (Feb 06)
    - Re: Prevent security bypass Adrian Wiesmann (Feb 06)
    - Re: Prevent security bypass Chris Travers (Feb 07)
- RE: Prevent security bypass David Mowers (Feb 07)
- Re: Prevent security bypass Scott Mulcahy (Feb 12)