Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: ASP security in HTML pages
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Tue, 22 Jun 2004 14:20:43 -0400

Benoni,
   Actually, neither of those are correct:
1. ASP code <% stuff in here %> is NOT transmitted to the client. If it is, then perhaps you're saving it as an .HTML 
file. You should save it as a .ASP file instead.

2. DLLs called from ASP are NOT accessible in general, unless you mis-configure your server. DLLs on the server should 
not be stored in the same directory as your files, obviously.

3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side scripting
Languages) is to run code that the user on the other end does not see. That's why people use them. If it doesn't appear 
to be working, you probably have it mis-configured.

Mike

Michael Scovetta
Computer Associates
Senior Application Developer
tel: +1 631 342 3139
cell: +1 813 727 5772
michael.scovetta () ca com


-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Tuesday, June 22, 2004 7:42 AM
To: security-basics () securityfocus com; webappsec () securityfocus com
Subject: ASP security in HTML pages

Hi list,

I have been googling around to know how secure can be ASP code, and I
found what follows:
- For a newbee, impossible to get the asp scripts inserted in an HTML page
as they are not displayed in the client's browser,
- Instead of just letting the ASP code in the HTML pages, we can create
some DLLs for example, but a not-to-bad skilled hacker can get and reverse
them.

So, my question to you, skilled-people :) is: is there a way to get the
asp scripts in a page the server does not send when a client's request
arrives? There should be a way to ^perform that, but how tough is it?

Thanks in advance, folks!





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]