Fog Creek Software
Discussion Board




Possible to view .ASP pages?

Is it possible to view the code in an ASP page?
(I seem to remember that it is).

I'm working on a web-based "activation key" system. I was considering having it done in .asp, but I think someone could View the Source.

I assume a CGI script would be more secure?

Mr. Analogy
Thursday, July 22, 2004

huh?

No.

Sassy
Thursday, July 22, 2004

Client-side code is, server-side code isn't. VBScript that gets interpreted by the client side (the browser) will be visible.

Li-fan Chen
Thursday, July 22, 2004

It used to be possible, but probably isn't on an up-to-date system. The following is from http://philip.greenspun.com/panda/server-programming.html

Fortunately, Microsoft set up Windows/IIS/ASP back in the mid-1990s such that if you were curious to see the source code behind http://foobar.com/yow.asp, you had only to type "http://foobar.com/yow.asp." (note the trailing period) into your browser and the foreign server would deliver the source code right to your desktop. This was a great convenience for people trying to learn ASP; however, it presented something of a security problem for Web publishers, because they would often have their database or system administration passwords in the source code. It seems that Microsoft's intention was not to make public all of its customers' source code and hence they eventually released a security patch to change this behavior. However, a few months later people learned that requesting "http://foobar.com/yow.asp::$DATA" (note the trailing "::$DATA") would also get them the source code.

A nice collection of ASP examples at http://philip.greenspun.com/books/panda/aspharvest/ was harvested in just a couple of hours of surfing one night in July 1998.

as
Thursday, July 22, 2004

You make it sound like Microsoft put the '.' thing in there on purpose when it was obviously a bug that was never intended.

Mr.Fancypants
Friday, July 23, 2004

"You make it sound like Microsoft put the '.' thing in there on purpose when it was obviously a bug that was never intended."

I'm not sure if Philip Greenspun reads this board. Perhaps you should mail him directly with your comments.

as
Friday, July 23, 2004

One thing I would advise is not storing things like passwords and config in .inc files - if someone types in the address of these, most servers will serve them as plain text... Just stick with .asp.
If you want to be classic(ish), use name.inc.asp

Andrew Cherry
Friday, July 23, 2004

Pick up a couple of books on hacking. Read them. They will give you enough ideas to mitigate things like adding ::$DATA to the end of a URL and why that worked in the first place (you had read permissions set wrong on the directory, and ::$DATA is the explicit name for the default "stream" in an NTFS file).

Peter
Friday, July 23, 2004

No, you can't view the source of an ASP script over the web, unless the server's badly misconfigured. It runs the script and the output gets sent to the browser, not the source code. What did you think happened, it runs the script and then sends the source code to the browser? What would be the point of running it in that case?

Or maybe you were confusing it with some kind of client-side VBScript thing?

Matt
Friday, July 23, 2004

Or, as people mention above, there are ways to get the ASP pages. They're just supposed to all be disabled.

(These mechanisms are typically used by tools like FrontPage.)

mb
Friday, July 23, 2004

Your script is only as secure as your server is set up to be.

I don't think there are any nasty bugs with IIS 5 or 6 that will show the source code. IIS 4 did have a bug where you could view the source code, so if you are using Windows NT server then patch it - but you should do that anyway.

Espen Antonsen
Friday, July 23, 2004
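
The request shapes mentioned in this thread (a trailing period after .asp, a "::$DATA" suffix, and directly requested .inc files) can be looked for in the web server's access log. The following is an added example, not code from any poster in the thread; the log lines are constructed, and the field layout is assumed to be W3C extended format with a `#Fields:` header that includes `c-ip`, `cs-uri-stem` and `sc-status`.

```python
import re
from urllib.parse import unquote

# Request-path shapes named in the thread; the rule labels are this example's own.
RULES = [
    ("ntfs-data-stream", re.compile(r"::\$data$", re.I)),
    ("trailing-dot", re.compile(r"\.asp\.+$", re.I)),
    ("include-file", re.compile(r"\.inc$", re.I)),
]

def classify(uri_stem):
    """Return the label of every rule the path matches.
    The path is percent-decoded first in case the log stores it encoded."""
    path = unquote(uri_stem)
    return [name for name, rx in RULES if rx.search(path)]

def scan(lines):
    """Yield (client_ip, uri_stem, status, labels) for each flagged request."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        labels = classify(row.get("cs-uri-stem", ""))
        if labels:
            yield row.get("c-ip"), row["cs-uri-stem"], row.get("sc-status"), labels

# Constructed sample log (documentation IP addresses, made-up paths).
SAMPLE_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-07-22 10:00:01 192.0.2.10 GET /default.asp 200
2004-07-22 10:00:05 192.0.2.44 GET /yow.asp. 404
2004-07-22 10:00:09 192.0.2.44 GET /yow.asp::$DATA 404
2004-07-22 10:00:12 192.0.2.44 GET /yow.asp%3a%3a%24data 404
2004-07-22 10:00:20 192.0.2.51 GET /include/db.inc 200
2004-07-22 10:00:31 192.0.2.10 GET /include/db.inc.asp 200
""".splitlines()

def findings(lines=SAMPLE_LOG):
    return list(scan(lines))

if __name__ == "__main__":
    for ip, stem, status, labels in findings():
        # A 200 status means the server returned content for that path.
        print(ip, stem, status, ",".join(labels))
```

A flagged request with a 200 status is the one to follow up on first, since the server answered it with content rather than an error.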
