Subject: Re: ASP security in HTML pages - msg#00115
List: security.web-applications
On Jun 22, 2004, at 7:42 AM, Bénoni MARTIN wrote:
Hi list,
I have been googling around to know how secure can be ASP code, and I
found what follows:
- For a newbie, impossible to get the asp scripts inserted in an HTML
page as they are not displayed in the client's browser,
- Instead of just letting the ASP code in the HTML pages, we can
create some DLLs for example, but a not-too-bad skilled hacker can get
and reverse them.
So, my question to you, skilled-people :) is: is there a way to get
the asp scripts in a page the server does not send when a client's
request arrives? There should be a way to perform that, but how tough
is it?
Thanks in advance, folks!
If I am interpreting your question correctly, you want to know if the
webserver will spit out the ASP code to the client where others can see
it. Under most circumstances no. In order for that to happen, an IIS
example must be installed or there must be an exploitable vulnerability
in the webserver. By default, anything in <% %> tags is not sent to
the client unless an "error" occurs. If you want to prevent that from
happening, there is a radio button in IIS that disables sending errors
to the client. In vbscript, you can also use On error resume next to
help catch errors. Actually you put HTML inside ASP pages, not the
other way around. If you were to put asp code in a file with a .html
extension, the webserver would serve the code as part of the page.
As for DLL backends, anything can be reverse engineered. The key to
web application development is to implement secure code wherever
possible. You must do data validation (input/output) on anything that
the client gives you and you must handle errors gracefully to prevent
revealing secrets like database passwords or the type of database you
use. You must also be careful when accessing databases to prevent SQL
injection. I would recommend using stored procedures in your database
and the ADODB command object. Microsoft recommended DLL usage for
performance increases and code reuse more than for security.
If you take appropriate actions, and your sys admin is decent there
shouldn't be an issue. I would recommend following WebAppSec for
awhile to get more information.
Lucas Holt
Luke@xxxxxxxxxxxxxxxx
________________________________________________________
FoolishGames.com (Jewel Fan Site)
JustJournal.com (Free blogging)
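As an added example (not code from the original thread or from any of its posters), here is a classic ASP page in VBScript that puts Lucas's recommendations together in one place: validate the input, call a stored procedure through the ADODB Command object with a typed, length-bounded parameter instead of building the SQL string by concatenation, trap failures with On Error Resume Next and return a generic message, and HTML-encode what goes back to the browser. The connection string, the stored procedure dbo.GetUserByName and its DisplayName column are assumptions for illustration only. The IIS setting Lucas refers to is, on IIS 5 and 6, the "Send text error message to client" option on the Debugging tab of the application's configuration (metabase property AspScriptErrorSentToBrowser set to false); set it there as well, because the code-level handler below only covers errors the page itself traps.

```asp
<%
Option Explicit
' Added example, not from the original post.
' Assumptions: SQL Server reachable with CONN_STR below, and a stored
' procedure dbo.GetUserByName(@UserName nvarchar(50)) returning a row with
' a DisplayName column. Catalog, procedure and column names are hypothetical.

' ADO constants normally supplied by adovbs.inc; defined here so the page
' runs without the include.
Const adCmdStoredProc = 4
Const adVarWChar = 202
Const adParamInput = 1

Const CONN_STR = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI;"

' 1. Input validation: reject anything that is not a short, plain user name
'    before it gets near the database or the page output.
Function IsValidUserName(s)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9_.-]{1,50}$"
    IsValidUserName = re.Test(s)
End Function

' 2. VULNERABLE pattern, kept only as a comment: the client-supplied value
'    becomes part of the SQL text, so ?user=x'%20OR%20'1'='1 rewrites the
'    query's logic and a database error dumps the query back to the client.
'    sql = "SELECT * FROM Users WHERE UserName = '" & userName & "'"
'    Set rs = conn.Execute(sql)

' 3. Hardened pattern: stored procedure via ADODB.Command with a typed
'    input parameter. The value travels as data and is never parsed as SQL,
'    whatever quotes or keywords it contains.
Function LookupUser(userName)
    Dim conn, cmd, rs
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STR

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdStoredProc
    cmd.CommandText = "dbo.GetUserByName"
    cmd.Parameters.Append cmd.CreateParameter("@UserName", adVarWChar, adParamInput, 50, userName)

    Set rs = cmd.Execute
    If rs.EOF Then
        LookupUser = ""
    Else
        LookupUser = rs("DisplayName")
    End If
    rs.Close
    conn.Close
End Function

Dim userName, displayName
userName = Request.QueryString("user")

If Not IsValidUserName(userName) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid user name."
    Response.End
End If

' 4. Graceful error handling: trap the failure in the calling scope (VBScript
'    propagates an untrapped error from LookupUser back here), keep the real
'    reason on the server, and send the client a generic message.
On Error Resume Next
displayName = LookupUser(userName)
If Err.Number <> 0 Then
    ' Log Err.Description somewhere outside the web root (hypothetical
    ' logging omitted); never write it into the response.
    Err.Clear
    Response.Status = "500 Internal Server Error"
    Response.Write "Sorry, the request could not be completed."
    Response.End
End If
On Error GoTo 0

' 5. Output encoding: the value came from the database, but it is still
'    untrusted data being placed into HTML.
%>
<html><body>
<p>User: <%= Server.HTMLEncode(displayName) %></p>
</body></html>
```

Two caveats a practitioner would check before calling this done: a stored procedure only removes the injection if it does not itself build dynamic SQL from the parameter (an EXEC of a concatenated string inside the procedure reintroduces the problem on the database side), and the account named in the connection string should have EXECUTE on that procedure and nothing more, so that a coding mistake elsewhere cannot be turned into a full read or write of the catalog.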
---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
Thread at a glance:
Previous Message by Date:
Re: unable to access web site embeds username & password
> I have discovered that if I access my intranet site using a URL that embeds the username and
> password, it will not work on workstations that have the latest Microsoft
> security patches installed.
>
> http://username:password@webserver/website
>
>
> Does anyone have a solution to this because I still don't know which
> security patch that inhibits the access.
This change is part of the MS04-004 Cumulative Security Update. You can
disable this behavior in the registry.
http://support.microsoft.com/default.aspx?scid=kb;en-us;834489
-Kevin
Next Message by Date:
RE: ASP security in HTML pages
Martin,
I am not quite sure what you are asking?
Are you asking about 'Classic' asp? Classic ASP code is intertwined
with HTML in a .ASP file. It is executed server side. The end user cannot 'see'
the ASP code, even if they look at the source because the code is executed at
run time and never sent to the browser. So long as your server and the original
code is secure then end users can't see the code.
Are you talking about client-side VBScript/JavaScript that runs in the
browser? If so, it is very hard to hide that from the browser because the
browser needs to be able to read it to execute the code.
Or, are you talking about an ASP application that you plan on
selling/deploying and putting on a clients' server. And not wanting them to get
access to the code? If this is the case, and you are using ASP.NET you can use
the code obfuscator to blur the code. If you're using classic ASP, I believe
you are S.O.O.L.
HTH,
--Yonah
-----Original Message-----
From: Bénoni MARTIN [mailto:Benoni.MARTIN@xxxxxxxxxxx]
Sent: Tuesday, June 22, 2004 7:42 AM
To: security-basics@xxxxxxxxxxxxxxxxx; webappsec@xxxxxxxxxxxxxxxxx
Subject: ASP security in HTML pages
Previous Message by Thread:
ASP security in HTML pages
Hi list,
I have been googling around to know how secure can be ASP code, and I found
what follows:
- For a newbie, impossible to get the asp scripts inserted in an HTML page as
they are not displayed in the client's browser,
- Instead of just letting the ASP code in the HTML pages, we can create some
DLLs for example, but a not-too-bad skilled hacker can get and reverse them.
So, my question to you, skilled-people :) is: is there a way to get the asp
scripts in a page the server does not send when a client's request arrives?
There should be a way to perform that, but how tough is it?
Thanks in advance, folks!
Next Message by Thread:
Re: ASP security in HTML pages
On Tue, 22 Jun 2004 12:42:02 +0100, Bénoni MARTIN
<benoni.martin@xxxxxxxxxxx> wrote:
>
> Hi list,
>
> I have been googling around to know how secure can be ASP code, and I found
> what follows:
> - For a newbie, impossible to get the asp scripts inserted in an HTML page as
> they are not displayed in the client's browser,
You don't insert ASP in an HTML page, you do the opposite, i.e., you
include the HTML code inside the ASP page. The ASP part is never sent to
the browser, it is processed on the server, so it's secure if you code
securely and server permissions are properly set up.
> - Instead of just letting the ASP code in the HTML pages, we can create some
> DLLs for example, but a not-too-bad skilled hacker can get and reverse them.
>
If the DLL is executing on the server then I don't know how a
hacker can get it, if it is properly placed and security permissions
are set up correctly; btw, you have to use some scripting language to
call the DLL.
> So, my question to you, skilled-people :) is: is there a way to get the asp
> scripts in a page the server does not send when a client's request arrives?
> There should be a way to perform that, but how tough is it?
The server never sends the ASP code to the client if it is properly configured.
>
> Thanks in advance, folks!
>
>
Nasir Ghaznavi