RE: ASP security in HTML pages

From: Calderon, Juan Carlos (GE Commercial Finance, NonGE) (juan.calderon_at_ge.com)
Date: 06/28/04

    Date: Mon, 28 Jun 2004 14:08:12 -0400
    To: "Scovetta, Michael V" <Michael.Scovetta@ca.com>, Bénoni MARTIN <Benoni.MARTIN@libertis.ga>, "Wolf, Yonah" <Yonah.Wolf@ujc.org>, <security-basics@securityfocus.com>, <webappsec@securityfocus.com>
    
    

    You are right!

    I forgot that, well, thanks.

    Regards

    -----Original Message-----
    From: Scovetta, Michael V [mailto:Michael.Scovetta@ca.com]
    Sent: Monday, June 28, 2004 1:01 PM
    To: Calderon, Juan Carlos (GE Commercial Finance, NonGE); Bénoni MARTIN;
    Wolf, Yonah; security-basics@securityfocus.com;
    webappsec@securityfocus.com
    Subject: RE: ASP security in HTML pages

    All--

    Also note that the "ShowCode.asp" exploit was relevant only on IIS 4.0 (NT 4.0). It's only an exploit because it was included by default and people didn't delete the samples (bad practice in and of itself). Additionally, anyone could write a script to send an arbitrary file to the browser.

    M

    Michael Scovetta
    Computer Associates
    Senior Application Developer
    tel: +1 631 342 3139
    cell: +1 813 727 5772
    michael.scovetta@ca.com
    > -----Original Message-----
    > From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
    > [mailto:juan.calderon@ge.com]
    > Sent: Monday, June 28, 2004 11:22 AM
    > To: Bénoni MARTIN; Wolf, Yonah; security-basics@securityfocus.com;
    > webappsec@securityfocus.com
    > Subject: RE: ASP security in HTML pages
    >
    > Hi!
    >
    > From my point of view the easiest way is to use the "friendly" pages to
    > show code like the ShowCode.asp page in the IIS samples.
    >
    > (Background)
    > http://support.microsoft.com/default.aspx?scid=kb;en-us;232449
    >
    > (Exploit)
    > http://www.atstake.com/research/advisories/1999/showcode.txt
    >
    > (Both)
    > http://www.securityfocus.com/infocus/1317
    >
    > Cheers
    > JC
    >
    > -----Original Message-----
    > From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
    > Sent: Thursday, June 24, 2004 4:11 AM
    > To: Wolf, Yonah; security-basics@securityfocus.com;
    > webappsec@securityfocus.com
    > Subject: RE: ASP security in HTML pages
    >
    >
    > Well, it seems I have not been very sharp in my last posting. I know ASP
    > code is executed on the server's side, and not in the client's browser (it
    > will just receive the results of the scripting).
    >
    > But if a client requests "toto.asp", even though it will receive the
    > "toto.asp" WITHOUT the ASP scripts, the server has a "full toto.asp" WITH
    > the ASP scripts. So my question was: as the server has in its directory
    > this "full toto.asp", is there a way to get the "full toto.asp" from the
    > server?
    >
    >
    >
    > -----Original Message-----
    > From: Wolf, Yonah [mailto:Yonah.Wolf@ujc.org]
    > Sent: Wednesday, June 23, 2004 2:37 PM
    > To: Bénoni MARTIN; security-basics@securityfocus.com;
    > webappsec@securityfocus.com
    > Subject: RE: ASP security in HTML pages
    >
    > Martin,
    >
    > I am not quite sure what you are asking?
    >
    > Are you asking about 'Classic' asp? Classic ASP code is intertwined
    > with HTML in a .ASP file. It is executed server side. The end user cannot
    > 'see' the ASP code, even if they look at the source because the code is
    > executed at run time and never sent to the browser. So long as your server
    > and the original code is secure then end users can't see the code.
    >
    > Are you talking about client-side VBScript/JavaScript that runs in
    > the browser? If so, it is very hard to hide that from the browser because
    > the browser needs to be able to read it to execute the code.
    >
    > Or, are you talking about an ASP application that you plan on
    > selling/deploying and putting on a client's server. And not wanting them
    > to get access to the code? If this is the case, and you are using ASP.NET
    > you can use the code obfuscator to blur the code. If you're using classic
    > ASP, I believe you are S.O.O.L.
    >
    > HTH,
    > --Yonah
    >
    > -----Original Message-----
    > From: Bénoni MARTIN [mailto:Benoni.MARTIN@libertis.ga]
    > Sent: Tuesday, June 22, 2004 7:42 AM
    > To: security-basics@securityfocus.com; webappsec@securityfocus.com
    > Subject: ASP security in HTML pages
    >
    >
    > Hi list,
    >
    > I have been googling around to know how secure ASP code can be, and I
    > found what follows:
    > - For a newbie, impossible to get the ASP scripts inserted in an HTML page
    > as they are not displayed in the client's browser,
    > - Instead of just leaving the ASP code in the HTML pages, we can create
    > some DLLs for example, but a not-too-badly skilled hacker can get and reverse
    > them.
    >
    > So, my question to you, skilled people :) is: is there a way to get the
    > ASP scripts in a page that the server does not send when a client's request
    > arrives? There should be a way to perform that, but how tough is it?
    >
    > Thanks in advance, folks!
    >
    >

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

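As an added illustration of the point Michael makes above about sample "view source" scripts that will send an arbitrary file to the browser, here is example code written for this page (not code from the thread, from IIS or from the ShowCode.asp sample, and in Python rather than VBScript). The first function is the containment check such a viewer needs before it opens anything; the second runs that check over constructed log lines to flag past requests it would have refused. The samples root, the viewer file name and the `source` parameter name are assumptions.

```python
import posixpath
from urllib.parse import parse_qs, unquote

# Hypothetical viewer root and the file types it is meant to show (constructed
# for this example; not paths taken from the thread).
SAMPLES_ROOT = "/inetpub/iissamples/sdk"
VIEWABLE = {".asp", ".htm", ".html"}

def resolve_sample_path(requested, root=SAMPLES_ROOT):
    """Map a viewer's file parameter to a path confined under `root`, else None.
    The value is percent-decoded twice (clients may double-encode), normalised
    so '.' and '..' segments collapse, then checked for containment; a missing
    containment check is what let a sample viewer hand out arbitrary files."""
    decoded = unquote(unquote(requested))
    # NUL bytes, backslashes and absolute paths have no place in a sample name.
    if "\x00" in decoded or "\\" in decoded or decoded.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Containment: the resolved path must be a descendant of the root.
    if not candidate.startswith(root_norm + "/"):
        return None
    # Allow-list the file types the viewer exists to display.
    if posixpath.splitext(candidate)[1].lower() not in VIEWABLE:
        return None
    return candidate

def flag_viewer_requests(log_lines, viewer="showcode.asp", param="source"):
    """Detection helper over constructed log lines shaped like
    'date time method cs-uri-stem cs-uri-query status' (a W3C-style subset).
    Returns (stem, decoded value) pairs for requests to the viewer whose `param`
    (an assumed parameter name) the hardened check above would refuse."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 6 or not fields[3].lower().endswith(viewer):
            continue
        for value in parse_qs(fields[4]).get(param, []):
            if resolve_sample_path(value) is None:
                hits.append((fields[3], unquote(value)))
    return hits

# Constructed log lines for the detection helper (not real traffic).
SAMPLE_LOG = [
    "2004-06-28 13:01:00 GET /samples/showcode.asp source=asp/hello.asp 200",
    "2004-06-28 13:01:05 GET /samples/showcode.asp source=../../private/app.asp 200",
    "2004-06-28 13:01:09 GET /index.asp - 200",
]
```

The same containment test applies to any script that maps a request parameter to a file on disk, which is the general case Michael's remark points at.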
