Asp vulnerability question

[VSpeed]

Hello everyone, I'm pretty new here, so this is my first post
I've started learning ASP and I noticed you can't view the source code of those files for some reason(dynamic files or something). So I've made a simple user & password form out of 2 pages
login.html

Code: Select all

<html>
<head></head>
<body>
<p>Login </p><br>
<form action="login.asp" method="get">
Username:<input type="text" name="name"/><br>
Password:<input type="password" name="pwd"/><br>
<input type="submit" value="Login"/>
</form>
</body>
</html>

login.asp

Code: Select all

<body>
<%
if Request.QueryString("name") = "admin" and Request.QueryString("pwd") = "asdf" then
response.write("..........Welcome admin....<br>.........Secret info here lol")
else
response.write("<h1>Login error!<h1>")
end if
%>
</body>

It's a simple form if you enter user: admin , password: asdf
you'll get access to the admin info if not.. well error
Now here's the question: can a person from the outside somehow manage to hack in without knowing the actual password?
this form uses VBScript, is it vulnerable to injections?

Thanks in advance

[sanddbox]

Assuming the code is valid, I doubt it. The password is hardcoded; it's not making any SQL queries or anything similar.

[VSpeed]

Assuming the code is valid, I doubt it. The password is hardcoded; it's not making any SQL queries or anything similar.

Thanks, I guess I'll use it when I make a website

[sanddbox]

Assuming the code is valid, I doubt it. The password is hardcoded; it's not making any SQL queries or anything similar.

Thanks, I guess I'll use it when I make a website

Eh, it's much better to use an SQL database and properly escape input.

[tremor77]

It's very basic, so relatively secure but... also not very effective, in that it's not setup well to code your pages. And you would have to login for each page you wanted to protect instead of being logged into your entire site..

Code: Select all

<%

dim LoggedIn
if Request.QueryString("name") = "admin" and Request.QueryString("pwd") = "asdf" then
LoggedIn = "Yes"
else
LoggedIn = "No"
end if

if LoggedIn = no then
Response.Redirect "login.html"
else

%>

Add all your hidden html here..... 

<%
end if
%>


[VSpeed]

It's very basic, so relatively secure but... also not very effective, in that it's not setup well to code your pages. And you would have to login for each page you wanted to protect instead of being logged into your entire site..

Code: Select all

<%

dim LoggedIn
if Request.QueryString("name") = "admin" and Request.QueryString("pwd") = "asdf" then
LoggedIn = "Yes"
else
LoggedIn = "No"
end if

if LoggedIn = no then
Response.Redirect "login.html"
else

%>

Add all your hidden html here..... 

<%
end if
%>


hm.. yes, that's a problem
Is there a way to make the "dim LoggedIn" a global variable to a few asp pages?

[goluhaque]

It's very basic, so relatively secure but... also not very effective, in that it's not setup well to code your pages. And you would have to login for each page you wanted to protect instead of being logged into your entire site..

Code: Select all

<%

dim LoggedIn
if Request.QueryString("name") = "admin" and Request.QueryString("pwd") = "asdf" then
LoggedIn = "Yes"
else
LoggedIn = "No"
end if

if LoggedIn = no then
Response.Redirect "login.html"
else

%>

Add all your hidden html here..... 

<%
end if
%>


hm.. yes, that's a problem
Is there a way to make the "dim LoggedIn" a global variable to a few asp pages?

Yeah, there is something called Sessions. http://www.w3schools.com/ASP/asp_sessions.asp
btw. glad to see that at least there is someone on this site other than me who is learning ASP.

[sanddbox]

Also, the reason you can't view the source code of ASP files just from viewing a web page is because the files are server side and not being shared with the person browsing your website.

[Goatboy]

Also, the reason you can't view the source code of ASP files just from viewing a web page is because the files are server side and not being shared with the person browsing your website.

Half right. Even HTML files are server-side. The reason you can't view them (in most cases) is because they are generating what you see, instead of being what you see.

[sanddbox]

Also, the reason you can't view the source code of ASP files just from viewing a web page is because the files are server side and not being shared with the person browsing your website.

Half right. Even HTML files are server-side. The reason you can't view them (in most cases) is because they are generating what you see, instead of being what you see.

That's why I included the second half of the sentence