Here are warnings of a few common security issues that can come up with respect to ASP use. See also the Security section of Asp4Hs:Links for some good pointers.
The Macromedia Security Zone has bulletins and articles on many security issues. Many are obviously ColdFusion-related, but some apply to general server setup, website development and web applications and especially to ASP.
Some Security Best Practice technote articles to note:
Some people use naming conventions such as filename.INC.ASP or IncFileName.ASP to indicate which files are include files. Others use a specific directory for all include files, but use .asp as the file extension.
Here is an email from the NTBUGTRAQ mailing list describing this issue. (here)
Date: Tue, 1 Feb 2000
Sender: Windows NTBugtraq Mailing List NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
From: Graeme Slogrove Graeme@NA.CO.ZA
Subject: Possible security issue with ASP
I have reported this to Microsoft, and they say this is normal behaviour (probably is), but I will rather be safe than sorry :)
Many websites are "hand-edited" by the programmers, especially ASP sites. People using Visual Interdev, HomeSite, and others sometimes save their work directly to the server. The problem arises when the package you are using creates a .BAK file when you save your work.
By simply pointing the browser at one of those BAK files, you can easily view all the script tags in the page, by viewing the source returned. Since it is not processed by the remote server, all tags remain intact.
I picked this up doing work on a development server.
For those people worried about the security of this, there are two solutions
1) Associate .BAK files to the ASP engine to ensure that any tags are removed before sending; or
2) Make sure all .BAK files are deleted every time you've finished your work
Whilst some people might not see this as an issue, others may have reason to fear - on our hosting site we found more than 200 .bak files of ASP code that clients have uploaded.
So, even if you don't do it for yourself, do it for the client ;) Regards,
Graeme Slogrove, BSc (Eng) Elec (Wits)
Director, Systems Development & Value Added Services