WebApp Sec mailing list archives
Re: ASP security in HTML pages
From: Lucas Holt <luke () foolishgames com>
Date: Tue, 22 Jun 2004 18:24:11 -0400
On Jun 22, 2004, at 7:42 AM, Bénoni MARTIN wrote:
> Hi list,
>
> I have been googling around to know how secure ASP code can be, and I found what follows:
>
> - For a newbie, impossible to get the ASP scripts inserted in an HTML page as they are not displayed in the client's browser,
> - Instead of just letting the ASP code in the HTML pages, we can create some DLLs for example, but a not-too-bad skilled hacker can get and reverse them.
>
> So, my question to you, skilled-people :) is: is there a way to get the ASP scripts in a page the server does not send when a client's request arrives? There should be a way to perform that, but how tough is it?
>
> Thanks in advance, folks!
If I am interpreting your question correctly, you want to know if the webserver will spit out the ASP code to the client where others can see it. Under most circumstances no. In order for that to happen, an IIS example must be installed or there must be an exploitable vulnerability in the webserver. By default, anything in <% %> tags is not sent to the client unless an "error" occurs. If you want to prevent that from happening, there is a radio button in IIS that disables sending errors to the client. In VBScript, you can also use On Error Resume Next to help catch errors. Actually you put HTML inside ASP pages, not the other way around. If you were to put ASP code in a file with a .html extension, the webserver would serve the code as part of the page.
As for DLL backends, anything can be reverse engineered. The key to web application development is to implement secure code wherever possible. You must do data validation (input/output) on anything that the client gives you and you must handle errors gracefully to prevent revealing secrets like database passwords or the type of database you use. You must also be careful when accessing databases to prevent SQL injection. I would recommend using stored procedures in your database and the ADODB command object. Microsoft recommended DLL usage for performance increases and code reuse more than for security.
If you take appropriate actions, and your sys admin is decent, there shouldn't be an issue. I would recommend following WebAppSec for a while to get more information.
Lucas Holt
Luke () FoolishGames com
________________________________________________________
FoolishGames.com (Jewel Fan Site)
JustJournal.com (Free blogging)
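
Added example, not part of the original post: a scan of a web root for the case described in the reply above, where `<% %>` code sits in a file the server does not run through the ASP engine and is therefore sent as page content. It generalises from `.html` to any extension outside the script-mapped set; that set (`SCRIPT_MAPPED`), the function names and the sample files are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are mapped to the ASP engine on the
# server being audited; adjust to the site's real script mappings.
SCRIPT_MAPPED = {".asp"}
# A server-side block: <% ... %>, which also covers <%= expr %> and <%@ ... %>.
ASP_BLOCK = re.compile(rb"<%.*?%>", re.DOTALL)


def find_exposed_asp(webroot, script_mapped=SCRIPT_MAPPED):
    """Return sorted (relative_path, block_count) pairs for files that hold
    <% %> blocks but are not handled by the ASP engine."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() in script_mapped:
            continue  # a directory, or a file the ASP engine executes
        count = len(ASP_BLOCK.findall(path.read_bytes()))
        if count:
            findings.append((path.relative_to(root).as_posix(), count))
    return sorted(findings)


def build_sample_site(webroot):
    """Write a constructed sample web root for the demonstration."""
    samples = {
        "default.asp": b'<html><% Response.Write "hi" %></html>',
        "about.html": b"<html><p>static page</p></html>",
        "login.html": b'<html><% pwd = "constructed" %>\n<%= Now() %></html>',
        "inc/db.inc": b'<%\nconnStr = "constructed-sample"\n%>',
        "old/default.asp.bak": b"<% Response.Write 1 %>",
    }
    for rel, body in samples.items():
        target = Path(webroot) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for rel, count in find_exposed_asp(site):
            print(f"{rel}: {count} <% %> block(s) outside a script-mapped file")
```

Each finding is a file to rename to a script-mapped extension, move out of the web root, or delete.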