RE: ASP security in HTML pages

From: Auri Rahimzadeh (auri_at_auri.net)
Date: 06/24/04

  • Next message: Steve McCullough: "RE: ASP security in HTML pages"
    To: "'Scovetta, Michael V'" <Michael.Scovetta@ca.com>, 'Bénoni MARTIN' <Benoni.MARTIN@libertis.ga>, <security-basics@securityfocus.com>, <webappsec@securityfocus.com>
    Date: Thu, 24 Jun 2004 16:04:25 -0500
    
    

    Although, to be sure, if you don't have your server configured properly,
    i.e. where ASP may be configured improperly, you can serve .asp files just
    as if someone requested a .zip file -- it would send the whole file. The
    easiest way to tell is when you try hitting an .asp file if IE renders a
    page, or just asks you to download the document. I imagine this would be
    rare in an IIS configuration, but if you're using something else then it may
    be a situation more possible to encounter.

    Best,

    -Auri

    : -----Original Message-----
    : From: Scovetta, Michael V [mailto:Michael.Scovetta@ca.com]
    : Sent: Tuesday, June 22, 2004 1:21 PM
    : To: Bénoni MARTIN; security-basics@securityfocus.com;
    : webappsec@securityfocus.com
    : Subject: RE: ASP security in HTML pages
    :
    : Benoni,
    : Actually, neither of those are correct:
    : 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it
    : is, then perhaps you're saving it as an .HTML file. You should save it as
    : a .ASP file instead.
    :
    : 2. DLLs called from ASP are NOT accessible in general, unless you
    : mis-configure your server. DLLs on the server should not be stored in the same
    : directory as your files, obviously.
    :
    : 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side
    : scripting languages) is to run code that the user on the other end does not see.
    : That's why people use them. If it doesn't appear to be working, you
    : probably have it mis-configured.
    :
    : Mike
    :
    : Michael Scovetta
    : Computer Associates
    : Senior Application Developer
    : tel: +1 631 342 3139
    : cell: +1 813 727 5772
    : michael.scovetta@ca.com
    :
    :
    : > -----Original Message-----
    : > From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
    : > Sent: Tuesday, June 22, 2004 7:42 AM
    : > To: security-basics@securityfocus.com; webappsec@securityfocus.com
    : > Subject: ASP security in HTML pages
    : >
    : > Hi list,
    : >
    : > I have been googling around to know how secure can be ASP code, and I
    : > found what follows:
    : > - For a newbie, impossible to get the asp scripts inserted in an HTML page
    : > as they are not displayed in the client's browser,
    : > - Instead of just letting the ASP code in the HTML pages, we can create
    : > some DLLs for example, but a not-too-bad skilled hacker can get and reverse
    : > them.
    : >
    : > So, my question to you, skilled-people :) is: is there a way to get the
    : > asp scripts in a page the server does not send when a client's request
    : > arrives? There should be a way to perform that, but how tough is it?
    : >
    : > Thanks in advance, folks!
    : >
    : >
    :
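
The check described in this thread (does a request for an .asp URL come back as a rendered page, or as the file itself) can be automated for a site owner auditing their own server. The following is an added example, not part of the original messages; the function name and the sample responses are constructed for illustration.

```python
import re

# Unprocessed server-side blocks: <% ... %>, <%= ... %>, <%@ ... %>
ASP_BLOCK = re.compile(r"<%[=@]?.*?%>", re.DOTALL)
RENDERED_TYPES = ("text/html", "application/xhtml+xml")

def classify_asp_response(headers, body):
    """Return (verdict, reasons) for one response to a request for an .asp URL."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    reasons = []
    blocks = ASP_BLOCK.findall(body)
    if blocks:
        reasons.append(f"{len(blocks)} unprocessed <% %> block(s) in body")
    ctype = h.get("content-type", "").split(";")[0].strip()
    if ctype not in RENDERED_TYPES:
        reasons.append(f"content-type {ctype or '(none)'} is not a rendered page")
    if h.get("content-disposition", "").startswith("attachment"):
        reasons.append("served as attachment (browser offers a download)")
    if blocks:
        return "source-disclosed", reasons   # script text reached the client
    if reasons:
        return "review", reasons             # may be legitimate non-HTML output
    return "executed", reasons

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    # Handler working: only the script's output is sent.
    "executed": ({"Content-Type": "text/html; charset=utf-8"},
                 "<html><body>You have 3 orders.</body></html>"),
    # No script mapping for .asp: file is sent like a .zip would be.
    "unmapped": ({"Content-Type": "application/octet-stream",
                  "Content-Disposition": "attachment; filename=orders.asp"},
                 '<%@ Language="VBScript" %>\n<% Response.Write "hi" %>'),
    # ASP code saved in a .html file: page renders, code is in the source.
    "saved_as_html": ({"Content-Type": "text/html"},
                      "<html><body><% Response.Write Now() %></body></html>"),
    # Tutorial page showing escaped ASP syntax: not a disclosure.
    "escaped_docs": ({"Content-Type": "text/html"},
                     "<pre>&lt;% Response.Write %&gt;</pre>"),
    # Script that emits JSON on purpose: flagged for a human to confirm.
    "json_api": ({"Content-Type": "application/json"}, '{"orders": 3}'),
}

def run_samples():
    return {name: classify_asp_response(h, b)[0] for name, (h, b) in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:15} {verdict}")
```
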
