Re: ASP security in HTML pages

From: Nasir Ghaznavi (nasirghaznavi_at_gmail.com)
Date: 06/23/04

    Date: Wed, 23 Jun 2004 05:20:26 +0500
    To: "Bénoni MARTIN" <benoni.martin@libertis.ga>
    
    

    On Tue, 22 Jun 2004 12:42:02 +0100, Bénoni MARTIN
    <benoni.martin@libertis.ga> wrote:
    >
    > Hi list,
    >
    > I have been googling around to know how secure ASP code can be, and I found what follows:
    > - For a newbie, impossible to get the asp scripts inserted in an HTML page as they are not displayed in the client's browser,

    You don't insert ASP in an HTML page, you do the opposite, i.e., you
    include the HTML code inside the ASP page. The ASP part is never sent to
    the browser, it is processed on the server, so it's secure if you code
    securely and server permissions are properly set up.
     
    > - Instead of just letting the ASP code in the HTML pages, we can create some DLLs for example, but a not-too-bad skilled hacker can get and reverse them.
    >
    If the DLL is executing on the server then I don't know how a
    hacker can get them, if they are properly placed and security permissions
    are set up correctly. btw, you have to use some scripting language to
    call the DLL.
     
    > So, my question to you, skilled-people :) is: is there a way to get the asp scripts in a page the server does not send when a client's request arrives? There should be a way to perform that, but how tough is it?

    The server never sends the ASP code to the client if it is properly configured.

    >
    > Thanks in advance, folks!
    >
    >

    Nasir Ghaznavi
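
An added example, not part of the original message: one way to check your own server's responses for signs that ASP source was served instead of executed, which is the misconfiguration the reply refers to. The function name, marker names and sample responses are hypothetical and constructed for illustration.

```python
import re

# Constructs that classic ASP consumes on the server; none should survive
# into a response body when the .asp handler is mapped correctly.
MARKERS = {
    "asp-directive": re.compile(r"<%@.*?%>", re.S),
    "asp-script-block": re.compile(r"<%(?!@).*?%>", re.S),
    "server-side-include": re.compile(r"<!--\s*#include\s+(?:file|virtual)\s*=", re.I),
    "runat-server-script": re.compile(r"<script\b[^>]*\brunat\s*=\s*[\"']?server", re.I),
}

def audit_response(path, content_type, body):
    """Return a sorted list of findings suggesting raw ASP source was served."""
    findings = {name for name, rx in MARKERS.items() if rx.search(body)}
    # A .asp URL answered as plain text or as a download means the file was
    # handed out as a static file instead of being executed.
    ctype = content_type.split(";")[0].strip().lower()
    if path.lower().endswith(".asp") and ctype in ("text/plain", "application/octet-stream"):
        findings.add("asp-served-as-static-file")
    return sorted(findings)

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    # Normal case: the script ran and only its HTML output remains.
    "processed": ("/login.asp", "text/html",
                  "<html><body><p>Welcome, guest</p></body></html>"),
    # Handler not mapped: directive, include and script block all leak.
    "leaked": ("/login.asp", "text/plain",
               '<%@ Language=VBScript %>\n<!-- #include file="db.inc" -->\n'
               '<html><body><% Response.Write("Welcome") %></body></html>'),
    # A page that displays ASP as HTML-escaped text is not a leak.
    "tutorial": ("/howto.asp", "text/html; charset=utf-8",
                 "<pre>&lt;% Response.Write(&quot;hi&quot;) %&gt;</pre>"),
}

if __name__ == "__main__":
    for name, (path, ctype, body) in SAMPLES.items():
        print(name, audit_response(path, ctype, body))
```

Pages that ship client-side templates using `<% %>` delimiters will also match the script-block marker, so review findings against what the page is expected to contain.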
