Home page logo
/

webappsec logo WebApp Sec mailing list archives

RE: ASP security in HTML pages
From: "Scovetta, Michael V" <Michael.Scovetta () ca com>
Date: Mon, 28 Jun 2004 14:00:32 -0400

All--

Also note that the "ShowCode.asp" exploit was relevant only on IIS 4.0 (NT 4.0). It's only an exploit because it was 
included by default and people didn't delete the samples (bad practice in and of itself). Additionally, anyone could 
write a script to send an arbitrary file to the browser.

M

Michael Scovetta
Computer Associates
Senior Application Developer
tel: +1 631 342 3139
cell: +1 813 727 5772
michael.scovetta () ca com
-----Original Message-----
From: Calderon, Juan Carlos (GE Commercial Finance, NonGE)
[mailto:juan.calderon () ge com]
Sent: Monday, June 28, 2004 11:22 AM
To: Bénoni MARTIN; Wolf, Yonah; security-basics () securityfocus com;
webappsec () securityfocus com
Subject: RE: ASP security in HTML pages

Hi!

From my point of view the easiest way is to use the "frendly" pages to
show code like ShowCode.asp page at IIS samples.

(Background)
http://support.microsoft.com/default.aspx?scid=kb;en-us;232449

(Exploit)
http://www.atstake.com/research/advisories/1999/showcode.txt

(Both)
http://www.securityfocus.com/infocus/1317

Cheers
JC

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Thursday, June 24, 2004 4:11 AM
To: Wolf, Yonah; security-basics () securityfocus com;
webappsec () securityfocus com
Subject: RE: ASP security in HTML pages


Well, it seems I have not been very shape in my last posting. I know ASP
code is executed on the server's side, and not in the client's browser (it
will just receive the results of the scriting).

But if a client requests "toto.asp", despite of if it will receive the
"toto.asp" WITHOUT the ASP scripts, the server has a "full toto.asp" WITH
the asp scripts. So my question was: as the server has in his directory
this "full toto.asp", is there a way to get the "full toto.asp" from the
server?



-----Message d'origine-----
De : Wolf, Yonah [mailto:Yonah.Wolf () ujc org]
Envoyé : mercredi 23 juin 2004 14:37
À : Bénoni MARTIN; security-basics () securityfocus com;
webappsec () securityfocus com
Objet : RE: ASP security in HTML pages

Martin,

 I am not quite sure what you are asking?

      Are you asking about 'Classic' asp? Classic ASP code is intertwined
with HTML in a .ASP file. It is executed server side. The end user cannot
'see' the ASP code, even if they look at the source because the code is
executed at run time and never sent to the browser. So long as your server
and the original code is secure then end users can't see the code.

      Are you talking about client-side VBScript/JavaScript that runs in
the browser? If so, it is very hard to hide that from the browser because
the browser needs to be able to read it to execute the code.

      Or, are you talking about an ASP application that you plan on
selling/deploying and putting on a clients' server. And not wanting them
to get access to the code? If this is the case, and you are using ASP.NET
you can use the code obfuscator to blur the code. If you're using classic
ASP, I believe you are S.O.O.L.

HTH,
--Yonah

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Tuesday, June 22, 2004 7:42 AM
To: security-basics () securityfocus com; webappsec () securityfocus com
Subject: ASP security in HTML pages


Hi list,

I have been googling around to know how secure can be ASP code, and I
found what follows:
- For a newbee, impossible to get the asp scripts inserted in an HTML page
as they are not displayed in the client's browser,
- Instead of just letting the ASP code in the HTML pages, we can create
some DLLs for example, but a not-to-bad skilled hacker can get and reverse
them.

So, my question to you, skilled-people :) is: is there a way to get the
asp scripts in a page the server does not send when a client's request
arrives? There should be a way to ^perform that, but how tough is it?

Thanks in advance, folks!


--------------------------------------------------------------------------
-
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or
less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the
skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
--------------------------------------------------------------------------
--







  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]