Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



WebApp Sec: RE: ASP security in HTML pages

RE: ASP security in HTML pages

From: Auri Rahimzadeh <auri_at_auri.net>
Date: Thu, 24 Jun 2004 16:04:25 -0500

Although, to be sure, if you don't have your server configured properly,
i.e. where ASP may be configured improperly, you can serve .asp files just
as if someone requested a .zip file -- it would send the whole file. The
easiest way to tell is when you try hitting an .asp file if IE renders a
page, or just asks you to download the document. I imagine this would be
rare in an IIS configuration, but if you're using something else then it may
be a situation more possible to encounter.

Best,

-Auri

: -----Original Message-----
: From: Scovetta, Michael V [mailto:Michael.Scovetta_at_ca.com]
: Sent: Tuesday, June 22, 2004 1:21 PM
: To: Bénoni MARTIN; security-basics_at_securityfocus.com;
: webappsec_at_securityfocus.com
: Subject: RE: ASP security in HTML pages
:
: Benoni,
: Actually, neither of those are correct:
: 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it
: is, then perhaps you're saving it as an .HTML file. You should save it as
: a .ASP file instead.
:
: 2. DLLs called from ASP are NOT accessible in general, unless you mis-
: configure your server. DLLs on the server should not be stored in the same
: directory as your files, obviously.
:
: 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side
: scripting
: Languages) is to run code that the user on the other end does not see.
: That's why people use them. If it doesn't appear to be working, you
: probably have it mis-configured.
:
: Mike
:
: Michael Scovetta
: Computer Associates
: Senior Application Developer
: tel: +1 631 342 3139
: cell: +1 813 727 5772
: michael.scovetta_at_ca.com
:
:
: > -----Original Message-----
: > From: Bénoni MARTIN [mailto:Benoni.MARTIN_at_libertis.ga]
: > Sent: Tuesday, June 22, 2004 7:42 AM
: > To: security-basics_at_securityfocus.com; webappsec_at_securityfocus.com
: > Subject: ASP security in HTML pages
: >
: > Hi list,
: >
: > I have been googling around to know how secure can be ASP code, and I
: > found what follows:
: > - For a newbee, impossible to get the asp scripts inserted in an HTML
: page
: > as they are not displayed in the client's browser,
: > - Instead of just letting the ASP code in the HTML pages, we can create
: > some DLLs for example, but a not-to-bad skilled hacker can get and
: reverse
: > them.
: >
: > So, my question to you, skilled-people :) is: is there a way to get the
: > asp scripts in a page the server does not send when a client's request
: > arrives? There should be a way to ^perform that, but how tough is it?
: >
: > Thanks in advance, folks!
: >
: >
:
Received on Jun 25 2004

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]