RE: ASP security in HTML pages

[Harrison Gladden <linuxguru80 () yahoo com>]

The replies still stand.  The only way the unprocessed
asp page will make it to the client is if there is a
"fatal" flaw/misconfiguration of the IIS server. 
Otherwise all request for the file via the http web
server will be processed by the asp dll engine. 
However if you request the file via ftp or something
of the sort then yes you will get the unprocesses code
back from the server.

~Harrison
--- Bénoni_MARTIN <Benoni.MARTIN () libertis ga> wrote:
> Well, it seems I have not been very shape in my last
> posting. I know ASP code is executed on the server's
> side, and not in the client's browser (it will just
> receive the results of the scriting).
>
> But if a client requests "toto.asp", despite of if
> it will receive the "toto.asp" WITHOUT the ASP
> scripts, the server has a "full toto.asp" WITH the
> asp scripts. So my question was: as the server has
> in his directory this "full toto.asp", is there a
> way to get the "full toto.asp" from the server? 
>
>
>
> -----Message d'origine-----
> De : Wolf, Yonah [mailto:Yonah.Wolf () ujc org] 
> Envoyé : mercredi 23 juin 2004 14:37
> À : Bénoni MARTIN;
> security-basics () securityfocus com;
> webappsec () securityfocus com
> Objet : RE: ASP security in HTML pages
>
> Martin,
>
>  I am not quite sure what you are asking? 
>
>       Are you asking about 'Classic' asp? Classic ASP
> code is intertwined with HTML in a .ASP file. It is
> executed server side. The end user cannot 'see' the
> ASP code, even if they look at the source because
> the code is executed at run time and never sent to
> the browser. So long as your server and the original
> code is secure then end users can't see the code.
>
>       Are you talking about client-side
> VBScript/JavaScript that runs in the browser? If so,
> it is very hard to hide that from the browser
> because the browser needs to be able to read it to
> execute the code.
>
>       Or, are you talking about an ASP application that
> you plan on selling/deploying and putting on a
> clients' server. And not wanting them to get access
> to the code? If this is the case, and you are using
> ASP.NET you can use the code obfuscator to blur the
> code. If you're using classic ASP, I believe you are
> S.O.O.L.
>
> HTH,
> --Yonah
>
> -----Original Message-----
> From: Bénoni MARTIN
> [mailto:Benoni.MARTIN () libertis ga]
> Sent: Tuesday, June 22, 2004 7:42 AM
> To: security-basics () securityfocus com;
> webappsec () securityfocus com
> Subject: ASP security in HTML pages
>
>
> Hi list,
>
> I have been googling around to know how secure can
> be ASP code, and I found what follows:
> - For a newbee, impossible to get the asp scripts
> inserted in an HTML page as they are not displayed
> in the client's browser,
> - Instead of just letting the ASP code in the HTML
> pages, we can create some DLLs for example, but a
> not-to-bad skilled hacker can get and reverse them.
>
> So, my question to you, skilled-people :) is: is
> there a way to get the asp scripts in a page the
> server does not send when a client's request
> arrives? There should be a way to ^perform that, but
> how tough is it?
>
> Thanks in advance, folks!
---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention
> this ad and get $545 off 
> any course! All of our class sizes are guaranteed to
> be 10 students or less 
> to facilitate one-on-one interaction with one of our
> expert instructors. 
> Attend a course taught by an expert instructor with
> years of in-the-field 
> pen testing experience in our state of the art
> hacking lab. Master the skills 
> of an Ethical Hacker to better assess the security
> of your organization. 
> Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
----------------------------------------------------------------------------
>
---------------------------------------------------------------------------
> Ethical Hacking at the InfoSec Institute. Mention
> this ad and get $545 off
> any course! All of our class sizes are guaranteed to
> be 10 students or less
> to facilitate one-on-one interaction with one of our
> expert instructors.
> Attend a course taught by an expert instructor with
> years of in-the-field
> pen testing experience in our state of the art
> hacking lab. Master the skills
> of an Ethical Hacker to better assess the security
> of your organization.
> Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
>
----------------------------------------------------------------------------
>


=====
_____________________________________
Harrison Gladden <linuxugur80 () yahoo com>
Tel:(515)708-1065

**Shoot for the moon.
Even if you miss, you'll land among the stars.**


                
__________________________________
Do you Yahoo!?
New and Improved Yahoo! Mail - Send 10MB messages!
http://promotions.yahoo.com/new_mail