
Asp4Hs: ASP Security Notes


Here are warnings of a few common security issues that can come up with respect to ASP use. See also the Security section of Asp4Hs:Links for some good pointers.


The Macromedia Security Zone has bulletins and articles on many security issues. Many are obviously ColdFusion-related, but some apply to general server setup, website development and web applications and especially to ASP.

Some Security Best Practice technote articles to note:


Use of .INC extensions for ASP include files

Description
If you do as many early Microsoft documents recommend and use .INC as the filename extension for files included in other ASP files, your script code may be viewed by anyone who enters the correct URL: IIS only hands files whose extension is mapped to the ASP engine (.asp by default) to that engine, and serves any other extension as a static file, source and all.
Solution or Workaround
If you name all include files with a .ASP extension, your web server will process them as scripts rather than passing them directly to a person attempting to view them. Depending upon the contents, the page shown to the browser will be blank (an include holding only server-side code produces no output of its own).

Some people use naming conventions such as filename.INC.ASP or IncFileName.ASP to indicate which files are include files. Others use a specific directory for all include files, but use .asp as the file extension.


Viewing of .BAK files on the server

Here is an email from the NTBUGTRAQ mailing list describing this issue.

Date: Tue, 1 Feb 2000
Sender: Windows NTBugtraq Mailing List NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
From: Graeme Slogrove Graeme@NA.CO.ZA
Subject: Possible security issue with ASP

I have reported this to Microsoft, and they say this is normal behaviour (probably is), but I will rather be safe than sorry :)

Many websites are "hand-edited" by the programmers, especially ASP sites. People using Visual Interdev, HomeSite, and others sometimes save their work directly to the server. The problem arises when the package you are using creates a .BAK file when you save your work.

By simply pointing the browser at one of those BAK files, you can easily view all the script tags in the page, by viewing the source returned. Since it is not processed by the remote server, all tags remain intact.

I picked this up doing work on a development server.

For those people worried about the security of this, there are two solutions:

1) Associate .BAK files to the ASP engine to ensure that any tags are removed before sending; or

2) Make sure all .BAK files are deleted every time you've finished your work

Whilst some people might not see this as an issue, others may have reason to fear - on our hosting site we found more than 200 .bak files of ASP code that clients have uploaded.

So, even if you don't do it for yourself, do it for the client ;)

Regards,
Graeme
---
Graeme Slogrove, BSc (Eng) Elec (Wits)
Director, Systems Development & Value Added Services
NetActive Internet
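As an added example (not from this page or from the mailing-list post above), here is a Python audit script that checks a web root for both problems described on this page: it lists .INC and .BAK files that IIS would serve as plain text, and parses each .asp file's #include directives for targets whose extension is not mapped to the ASP engine. The sample site it builds is constructed, and the default mapping set (.asp, .asa) is an assumption about the server.

```python
import os
import re
import tempfile

# Extensions IIS hands to the ASP engine (assumed default mapping); others are static files.
SCRIPT_EXTENSIONS = {".asp", ".asa"}
# The two extensions this page warns about: include sources and editor backups.
RISKY_EXTENSIONS = {".inc", ".bak"}
# Server-side include directive as written in classic ASP pages.
INCLUDE_RE = re.compile(r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.I)

def find_risky_files(webroot):
    """Paths (relative to webroot) that IIS would serve as plain text."""
    hits = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if os.path.splitext(name)[1].lower() in RISKY_EXTENSIONS:
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)

def find_unprocessed_includes(webroot):
    """(asp_file, include_target) pairs whose target is not ASP-processed."""
    hits = []
    for dirpath, _, names in os.walk(webroot):
        for name in names:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                for _, target in INCLUDE_RE.findall(fh.read()):
                    if os.path.splitext(target)[1].lower() not in SCRIPT_EXTENSIONS:
                        hits.append((os.path.relpath(path, webroot), target))
    return sorted(hits)

def build_sample_webroot():
    """Constructed sample site: a .inc.asp include, a bare .INC include, a .BAK copy."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "lib"))
    files = {
        "default.asp": ('<!--#include file="header.inc"-->\n'
                        '<!--#include virtual="/lib/dbconn.inc.asp"-->\n<p>Hello</p>'),
        "header.inc": '<% Const DB_USER = "placeholder" %>',
        "default.asp.bak": '<% Response.Write "old copy" %>',
        "lib/dbconn.inc.asp": '<% Const CONN = "placeholder" %>',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="latin-1") as fh:
            fh.write(body)
    return root
```

Run it against a real web root in place of build_sample_webroot(); the filename.INC.ASP convention from the text passes both checks, while a bare .inc include and any editor .bak copy are reported.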