RE: ASP security in HTML pages
From: Steve McCullough (website_at_showmethesmut.com)
Date: 06/25/04
- Previous message: Auri Rahimzadeh: "RE: ASP security in HTML pages"
- Maybe in reply to: Bénoni MARTIN: "ASP security in HTML pages"
- Next in thread: Dinis Cruz: "RE: ASP security in HTML pages"
- Reply: Dinis Cruz: "RE: ASP security in HTML pages"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <security-basics@securityfocus.com>, <webappsec@securityfocus.com> Date: Fri, 25 Jun 2004 09:29:46 -0300
Hi all,
I'd like to point out that there have been plenty of ways to get IIS to
reveal ASP source code. Some examples:
http://www.securityfocus.com/bid/2909/info/
http://www.microsoft.com/technet/security/bulletin/MS01-004.mspx
http://www.netscreen.com/services/security/di_resource_center/threat_definitions.jsp?id=91
As _Hacking Web Applications Exposed_ puts it: "With the track record that
IIS has had in the source disclosure department, it's never a good idea to
assume that someone won't be able to view your source code" (55).
It's sometimes suggested that scripters wrap database connection strings,
encryption keys, and other sensitive information in COM objects to keep them
private. Are there alternatives? What sorts of strategies do people use to
keep their script contents confidential?
Steve
-----
Steve McCullough
Web designer
> www.venusenvy.ca
> www.showmethesmut.com
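The practical question raised above is how a site owner would notice that IIS has started handing back unprocessed .asp files, and what is at stake when it does (connection strings and keys embedded in the script). The following is an added example, not code from this thread or from any of the cited advisories: a small Python check that a defender can run against their own server's responses. It looks for unprocessed ASP delimiters (`<% ... %>`) in a response body and, if any are present, reports which connection-string fields (Password, User ID, Provider, Data Source) appear inside them. The two sample bodies are constructed for the example; `check_url` is an assumed helper that fetches a page with the standard library so the same check can be pointed at a server you administer.

```python
import re
import urllib.request

# Constructed sample responses (not captured from any real server):
# a correctly processed page, and one where the raw script came back.
PROCESSED_BODY = "<html><body>Hello, Steve</body></html>"
LEAKED_BODY = """<%@ Language=VBScript %>
<%
Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=db;User ID=web;Password=hunter2"
%>
<html><body>Hello, <%= Request("name") %></body></html>"""

# Any <% ... %> block in what the client receives means the ASP engine
# did not run the page (a processed page never contains these delimiters).
ASP_BLOCK = re.compile(r"<%[\s\S]*?%>")

# Connection-string fields whose presence in leaked source matters most.
SENSITIVE_FIELDS = ("password", "pwd", "user id", "uid", "provider", "data source")


def asp_blocks(body):
    """Return every unprocessed ASP block found in a response body."""
    return ASP_BLOCK.findall(body)


def has_unprocessed_asp(body):
    """True if the body still contains server-side script delimiters."""
    return bool(ASP_BLOCK.search(body))


def sensitive_fields(body):
    """List connection-string fields that appear inside leaked ASP blocks."""
    found = set()
    for block in asp_blocks(body):
        lowered = block.lower()
        for field in SENSITIVE_FIELDS:
            # Match "Password=..." and "Password = ..." forms.
            if field + "=" in lowered or field + " =" in lowered:
                found.add(field)
    return sorted(found)


def check_response(body):
    """Summarise whether a response looks like disclosed ASP source."""
    return {
        "leaked": has_unprocessed_asp(body),
        "blocks": len(asp_blocks(body)),
        "sensitive": sensitive_fields(body),
    }


def check_url(url, timeout=10):
    """Assumed helper: fetch a page from a server you administer and check it."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", errors="replace")
    return check_response(body)


if __name__ == "__main__":
    print("processed:", check_response(PROCESSED_BODY))
    print("leaked:   ", check_response(LEAKED_BODY))
```

Run this as part of a post-deployment or post-patch smoke test against each .asp URL; a `leaked` result is the signal to treat every credential that the script embeds as exposed, which is the practical argument for keeping such values out of the page body in the first place.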
-----Original Message-----
From: Harrison Gladden [mailto:linuxguru80@yahoo.com]
Sent: Thursday, June 24, 2004 6:51 PM
To: Binoni_MARTIN
Cc: security-basics@securityfocus.com; webappsec@securityfocus.com
Subject: RE: ASP security in HTML pages
The replies still stand. The only way the unprocessed
asp page will make it to the client is if there is a
"fatal" flaw/misconfiguration of the IIS server.
Otherwise all requests for the file via the http web
server will be processed by the asp dll engine.
However if you request the file via ftp or something
of the sort then yes you will get the unprocessed code
back from the server.
~Harrison
--- Binoni_MARTIN <Benoni.MARTIN@libertis.ga> wrote:
> Well, it seems I have not been very sharp in my last
> posting. I know ASP code is executed on the server's
> side, and not in the client's browser (it will just
> receive the results of the scripting).
>
> But if a client requests "toto.asp", even though
> it will receive the "toto.asp" WITHOUT the ASP
> scripts, the server has a "full toto.asp" WITH the
> asp scripts. So my question was: as the server has
> this "full toto.asp" in its directory, is there a
> way to get the "full toto.asp" from the server?
>
>