Asp vulnerability question

Post by VSpeed on Fri Aug 20, 2010 2:22 pm

Hello everyone, I'm pretty new here, so this is my first post 8-)
I've started learning ASP and I noticed you can't view the source code of those files for some reason (dynamic files or something). So I've made a simple user & password form out of 2 pages.
login.html

Code:
<html>
<head></head>
<body>
<p>Login </p><br>
<form action="login.asp" method="get">
Username:<input type="text" name="name"/><br>
Password:<input type="password" name="pwd"/><br>
<input type="submit" value="Login"/>
</form>
</body>
</html>


login.asp
Code:
<body>
<%
' Compare the submitted query-string values against the hardcoded credentials
if Request.QueryString("name") = "admin" and Request.QueryString("pwd") = "asdf" then
    response.write("..........Welcome admin....<br>.........Secret info here lol")
else
    response.write("<h1>Login error!</h1>")
end if
%>
</body>

It's a simple form: if you enter user: admin, password: asdf
you'll get access to the admin info, if not.. well, error ;)
Now here's the question: can a person from the outside somehow manage to hack in without knowing the actual password?
This form uses VBScript, is it vulnerable to injections?

Thanks in advance


Re: Asp vulnerability question

Post by sanddbox on Sat Aug 21, 2010 2:22 am

Assuming the code is valid, I doubt it. The password is hardcoded; it's not making any SQL queries or anything similar.


Re: Asp vulnerability question

Post by VSpeed on Sat Aug 21, 2010 8:41 am

sanddbox wrote:Assuming the code is valid, I doubt it. The password is hardcoded; it's not making any SQL queries or anything similar.

Thanks, I guess I'll use it when I make a website :D


Re: Asp vulnerability question

Post by sanddbox on Sat Aug 21, 2010 12:22 pm

VSpeed wrote:
sanddbox wrote:Assuming the code is valid, I doubt it. The password is hardcoded; it's not making any SQL queries or anything similar.

Thanks, I guess I'll use it when I make a website :D


Eh, it's much better to use an SQL database and properly escape input.


Re: Asp vulnerability question

Post by tremor77 on Sat Aug 21, 2010 12:52 pm

It's very basic, so relatively secure but... also not very effective, in that it's not set up well to code your pages. And you would have to log in for each page you wanted to protect instead of being logged into your entire site..

Code:
<%
' Check the submitted credentials and record the result
dim LoggedIn
if Request.QueryString("name") = "admin" and Request.QueryString("pwd") = "asdf" then
    LoggedIn = "Yes"
else
    LoggedIn = "No"
end if

' Send anyone who is not logged in back to the login form
if LoggedIn = "No" then
    Response.Redirect "login.html"
else
%>

Add all your hidden html here.....

<%
end if
%>


Re: Asp vulnerability question

Post by VSpeed on Sun Aug 22, 2010 4:28 am

tremor77 wrote:It's very basic, so relatively secure but... also not very effective, in that it's not setup well to code your pages. And you would have to login for each page you wanted to protect instead of being logged into your entire site..

hm.. yes, that's a problem
Is there a way to make the "dim LoggedIn" a global variable to a few asp pages?


Re: Asp vulnerability question

Post by goluhaque on Sun Aug 22, 2010 7:03 am

VSpeed wrote:
tremor77 wrote:It's very basic, so relatively secure but... also not very effective, in that it's not setup well to code your pages. And you would have to login for each page you wanted to protect instead of being logged into your entire site..

hm.. yes, that's a problem
Is there a way to make the "dim LoggedIn" a global variable to a few asp pages?

Yeah, there is something called Sessions. http://www.w3schools.com/ASP/asp_sessions.asp
btw. glad to see that at least there is someone on this site other than me who is learning ASP.
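
The session approach from the reply above, sketched as an added example (not code from the thread): login.asp sets a server-side Session flag once, and every protected page checks that flag instead of re-reading the credentials. The file names admin.asp and logout.asp are hypothetical, and login.html is assumed to be changed to method="post" so the password stays out of URLs and server logs.

```asp
<%
' ===== login.asp (added example; assumes the form in login.html uses method="post") =====
Option Explicit
Const ADMIN_USER = "admin"   ' same hardcoded demo credentials as in the thread
Const ADMIN_PWD  = "asdf"

Dim user, pwd
user = Request.Form("name")
pwd  = Request.Form("pwd")

If user = ADMIN_USER And pwd = ADMIN_PWD Then
    ' The flag lives on the server; the browser only holds the session cookie
    Session("LoggedIn") = True
    Session("User") = user
    Response.Redirect "admin.asp"     ' hypothetical protected page
Else
    Session.Abandon                   ' drop any earlier login state
    Response.Redirect "login.html"
End If
%>

<%
' ===== admin.asp (hypothetical; every protected page starts with this check) =====
Option Explicit
' An unset Session value is Empty, which also fails this comparison
If Session("LoggedIn") <> True Then
    Response.Redirect "login.html"
End If
%>
<html>
<body>
<p>Welcome <%= Server.HTMLEncode(Session("User")) %></p>
<p>Add all your hidden html here.....</p>
<p><a href="logout.asp">Log out</a></p>
</body>
</html>

<%
' ===== logout.asp (hypothetical) =====
Session.Abandon
Response.Redirect "login.html"
%>
```

The three sections are separate files; the check at the top of admin.asp can be moved into a shared include so it is not retyped on each protected page.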


Re: Asp vulnerability question

Post by sanddbox on Sun Aug 22, 2010 1:16 pm

Also, the reason you can't view the source code of ASP files just from viewing a web page is because the files are server side and not being shared with the person browsing your website.


Re: Asp vulnerability question

Post by Goatboy on Sun Aug 22, 2010 4:59 pm

sanddbox wrote:Also, the reason you can't view the source code of ASP files just from viewing a web page is because the files are server side and not being shared with the person browsing your website.

Half right. Even HTML files are server-side. The reason you can't view them (in most cases) is because they are generating what you see, instead of being what you see.


Re: Asp vulnerability question

Post by sanddbox on Sun Aug 22, 2010 5:33 pm

Goatboy wrote:
sanddbox wrote:Also, the reason you can't view the source code of ASP files just from viewing a web page is because the files are server side and not being shared with the person browsing your website.

Half right. Even HTML files are server-side. The reason you can't view them (in most cases) is because they are generating what you see, instead of being what you see.


That's why I included the second half of the sentence :P