Security Basics mailing list archives

Re: ASP security in HTML pages

From: Nasir Ghaznavi <nasirghaznavi () gmail com>
Date: Wed, 23 Jun 2004 05:20:26 +0500

On Tue, 22 Jun 2004 12:42:02 +0100, Bénoni MARTIN
<benoni.martin () libertis ga> wrote:


Hi list,

I have been googling around to know how secure can be ASP code, and I found what follows:
- For a newbee, impossible to get the asp scripts inserted in an HTML page as they are not displayed in the client's 
browser,


You dont Insert ASP in HTML page, you do the opposite, i.e., you
include the HTML code inside ASP page. The ASP part is never sent to
the browser, it is processed on the server, so its secure if you code
securely and server permissions are properly setup.

- Instead of just letting the ASP code in the HTML pages, we can create some DLLs for example, but a not-to-bad 
skilled hacker can get and reverse them.

If the DLL is executing on the server then i dont know how can a
hacker get them, if they are propoerly placed and security permissions
are setup correctly, btw you have to use some scripting language to
call the dll.

So, my question to you, skilled-people :) is: is there a way to get the asp scripts in a page the server does not 
send when a client's request arrives? There should be a way to ^perform that, but how tough is it?


The server never sends the ASP code to the client if it is properly configured.


Thanks in advance, folks!


Nasir Ghaznavi

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

Current thread:

ASP security in HTML pages Bénoni MARTIN (Jun 22)
- Re: ASP security in HTML pages Lucas Holt (Jun 23)
- Re: ASP security in HTML pages Nasir Ghaznavi (Jun 23)
- Re: ASP security in HTML pages Mike (Jun 23)
- <Possible follow-ups>
- RE: ASP security in HTML pages Wolf, Yonah (Jun 23)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 23)
  - RE: ASP security in HTML pages Auri Rahimzadeh (Jun 25)
    - Re: ASP security in HTML pages Matt Fisher (Jun 25)
- RE: ASP security in HTML pages Bénoni MARTIN (Jun 24)
  - RE: ASP security in HTML pages Harrison Gladden (Jun 25)
    - RE: ASP security in HTML pages Steve McCullough (Jun 25)
    - RE: ASP security in HTML pages Dinis Cruz (Jun 29)
- RE: ASP security in HTML pages Scovetta, Michael V (Jun 28)

(Thread continues...)