RE: ASP security in HTML pages
From: "Auri Rahimzadeh" <auri () auri net>
Date: Thu, 24 Jun 2004 16:04:25 -0500
Although, to be sure, if you don't have your server configured properly,
i.e. where ASP may be configured improperly, you can serve .asp files just
as if someone requested a .zip file -- it would send the whole file. The
easiest way to tell is when you try hitting an .asp file if IE renders a
page, or just asks you to download the document. I imagine this would be
rare in an IIS configuration, but if you're using something else then it may
be a situation more possible to encounter.
: -----Original Message-----
: From: Scovetta, Michael V [mailto:Michael.Scovetta () ca com]
: Sent: Tuesday, June 22, 2004 1:21 PM
: To: Bénoni MARTIN; security-basics () securityfocus com;
: webappsec () securityfocus com
: Subject: RE: ASP security in HTML pages
: Actually, neither of those are correct:
: 1. ASP code <% stuff in here %> is NOT transmitted to the client. If it
: is, then perhaps you're saving it as an .HTML file. You should save it as
: a .ASP file instead.
: 2. DLLs called from ASP are NOT accessible in general, unless you
: mis-configure your server. DLLs on the server should not be stored in the same
: directory as your files, obviously.
: 3. The point of using ASP/JSP/Perl/CGI/etc (any of the server-side
: languages) is to run code that the user on the other end does not see.
: That's why people use them. If it doesn't appear to be working, you
: probably have it mis-configured.
: Michael Scovetta
: Computer Associates
: Senior Application Developer
: tel: +1 631 342 3139
: cell: +1 813 727 5772
: michael.scovetta () ca com
: > -----Original Message-----
: > From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
: > Sent: Tuesday, June 22, 2004 7:42 AM
: > To: security-basics () securityfocus com; webappsec () securityfocus com
: > Subject: ASP security in HTML pages
: > Hi list,
: > I have been googling around to know how secure can be ASP code, and I
: > found what follows:
: > - For a newbie, impossible to get the asp scripts inserted in an HTML
: > as they are not displayed in the client's browser,
: > - Instead of just letting the ASP code in the HTML pages, we can create
: > some DLLs for example, but a not-too-bad skilled hacker can get and
: > them.
: > So, my question to you, skilled-people :) is: is there a way to get the
: > asp scripts in a page the server does not send when a client's request
: > arrives? There should be a way to perform that, but how tough is it?
: > Thanks in advance, folks!
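
The check described in the top reply (does a request for an .asp file come back as a rendered page or as a download of the file itself), written as an added example that is not part of the original thread. The function name, the finding labels and the three sample responses are constructed for illustration; run it against responses captured from your own server.

```python
import re
from email.parser import BytesParser

# Server-side ASP delimiters; a correctly configured server never sends these.
ASP_BLOCK = re.compile(rb"<%.*?%>", re.DOTALL)
# Content types a browser renders in place; others produce a download prompt.
RENDERED_TYPES = ("text/html", "text/plain", "application/xhtml+xml")


def check_asp_response(raw: bytes) -> list[str]:
    """Return reasons a raw HTTP response to an .asp request looks unprocessed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, _, header_bytes = head.partition(b"\r\n")
    if status_line.split()[1:2] != [b"200"]:
        return []  # only a successful response can carry the script source
    headers = BytesParser().parsebytes(header_bytes + b"\r\n\r\n", headersonly=True)
    findings = []
    disposition = headers.get("Content-Disposition", "").lower()
    # Symptom from the thread: the browser offers the file for download.
    if headers.get_content_type() not in RENDERED_TYPES or disposition.startswith("attachment"):
        findings.append("download")
    # Direct evidence: <% ... %> blocks arrived in the body unexecuted.
    if ASP_BLOCK.search(body):
        findings.append("asp-source")
    return findings


# Constructed sample responses (not captured from a real server).
EXECUTED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
            b"<html><body>Hello</body></html>")
SERVED_AS_FILE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                  b"<%@ Language=VBScript %>\r\n<% Response.Write(\"Hello\") %>")
# ASP code saved in a .html file: rendered by the browser, script visible in source.
SAVED_AS_HTML = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                 b"<html><body><% Response.Write(\"Hello\") %></body></html>")

if __name__ == "__main__":
    for name, resp in [("executed", EXECUTED), ("served as file", SERVED_AS_FILE),
                       ("saved as .html", SAVED_AS_HTML)]:
        print(f"{name}: {check_asp_response(resp) or 'ok'}")
```
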