Home page logo
/

webappsec logo WebApp Sec mailing list archives

Re: ASP security in HTML pages
From: Lucas Holt <luke () foolishgames com>
Date: Tue, 22 Jun 2004 18:24:11 -0400


On Jun 22, 2004, at 7:42 AM, Bénoni MARTIN wrote:

Hi list,

I have been googling around to know how secure can be ASP code, and I found what follows: - For a newbee, impossible to get the asp scripts inserted in an HTML page as they are not displayed in the client's browser, - Instead of just letting the ASP code in the HTML pages, we can create some DLLs for example, but a not-to-bad skilled hacker can get and reverse them.

So, my question to you, skilled-people :) is: is there a way to get the asp scripts in a page the server does not send when a client's request arrives? There should be a way to ^perform that, but how tough is it?

Thanks in advance, folks!


If I am interpreting your question correctly, you want to know if the webserver will spit out the ASP code to the client where others can see it. Under most circumstances no. In order for that to happen, an IIS example must be installed or there must be an exploitable vulnerability in the webserver. Be default, anything in <% %> tags is not sent to the client unless an "error" occurs. If you want to prevent that from happening, there is a radio button in IIS that disables sending errors to the client. In vbscript, you can also use On error resume next to help catch errors. Actually you put HTML inside ASP pages, not the other way around. If you were to put asp code in a file with a .html extension, the webserver would serve the code as part of the page.

As for DLL backends, anything can be reverse engineered. The key to web application development is to implement secure code wherever possible. You must do data validation (input/output) on anything that the client gives you and you must handle errors gracefully to prevent revealing secrets like database passwords or the type of database you use. You must also be careful when accessing databases to prevent SQL injection. I would recommend using stored procedures in your database and the ADODB command object. Microsoft recommended DLL usage for performance increases and code reuse more than for security.

If you take appropriate actions, and your sys admin is decent there shouldn't be an issue. I would recommend following WebAppSec for awhile to get more information.


Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com  (Jewel Fan Site)
JustJournal.com (Free blogging)


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]