Security Basics mailing list archives

RE: ASP security in HTML pages

From: "Wolf, Yonah" <Yonah.Wolf () ujc org>
Date: Wed, 23 Jun 2004 09:36:55 -0400

Martin,

 I am not quite sure what you are asking? 

        Are you asking about 'Classic' asp? Classic ASP code is intertwined with HTML in a .ASP file. It is executed 
server side. The end user cannot 'see' the ASP code, even if they look at the source because the code is executed at 
run time and never sent to the browser. So long as your server and the original code is secure then end users can't see 
the code.

        Are you talking about client-side VBScript/JavaScript that runs in the browser? If so, it is very hard to hide 
that from the browser because the browser needs to be able to read it to execute the code.

        Or, are you talking about an ASP application that you plan on selling/deploying and putting on a clients' 
server. And not wanting them to get access to the code? If this is the case, and you are using ASP.NET you can use the 
code obfuscator to blur the code. If you're using classic ASP, I believe you are S.O.O.L.

HTH,
--Yonah

-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN () libertis ga]
Sent: Tuesday, June 22, 2004 7:42 AM
To: security-basics () securityfocus com; webappsec () securityfocus com
Subject: ASP security in HTML pages


Hi list,

I have been googling around to know how secure can be ASP code, and I found what follows:
- For a newbee, impossible to get the asp scripts inserted in an HTML page as they are not displayed in the client's 
browser,
- Instead of just letting the ASP code in the HTML pages, we can create some DLLs for example, but a not-to-bad skilled 
hacker can get and reverse them.

So, my question to you, skilled-people :) is: is there a way to get the asp scripts in a page the server does not send 
when a client's request arrives? There should be a way to ^perform that, but how tough is it?

Thanks in advance, folks!


---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

ASP security in HTML pages Bénoni MARTIN (Jun 22)
- Re: ASP security in HTML pages Lucas Holt (Jun 23)
- Re: ASP security in HTML pages Nasir Ghaznavi (Jun 23)
- Re: ASP security in HTML pages Mike (Jun 23)
- <Possible follow-ups>
- RE: ASP security in HTML pages Wolf, Yonah (Jun 23)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 23)
  - RE: ASP security in HTML pages Auri Rahimzadeh (Jun 25)
    - Re: ASP security in HTML pages Matt Fisher (Jun 25)
- RE: ASP security in HTML pages Bénoni MARTIN (Jun 24)
  - RE: ASP security in HTML pages Harrison Gladden (Jun 25)
    - RE: ASP security in HTML pages Steve McCullough (Jun 25)
    - RE: ASP security in HTML pages Dinis Cruz (Jun 29)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 28)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 28)
- RE: ASP security in HTML pages Calderon, Juan Carlos (GE Commercial Finance, NonGE) (Jun 28)

(Thread continues...)