Google
AspAlliance.com Web
AspAlliance
Register
Edit My Profile
Author List
Write for Us
About AspAlliance
Contact Us
Privacy Policy
Link To Us
Advertise

Subscribe
Free Newsletter
Newsletter Archive
RSS Syndication

.NET Tutorials
Learn .NET
Learn WCF
Learn WPF
Learn ASP.NET
Learn AJAX
Learn Silverlight
Learn Visual Studio
Learn ADO.NET
Learn LINQ
Learn C# (CSharp)
Learn VB.NET
Learn Web Services
Learn Controls
Learn BizTalk
Learn SharePoint
Learn Mobile
Learn SQL
Learn SQL Reporting
Learn Windows Forms
Learn XML
Learn Crystal Reports
Learn FarPoint
Learn DevExpress
Examples
ASP.NET 2.0 Examples

ASP Tutorials
Learn ASP
Learn VBScript
Learn JScript
Learn SQL
Learn XML

Software Resources
Shopping Cart Ecommerce
Charts and Dashboards

Other Resources
Learn Java
Learn Oracle
Opinion / Editorial
Crystal Reports Alliance
WPF Resources
AJAX Resources
Silverlight Resources

Free Tools
Cache Manager
SimpleCMS

Reviews
Book Reviews
Product Reviews
Expert Advice

Books
ASP.NET Developer's Cookbook
Sample Chapters
Book Reviews

Community
Regular Expressions

Print This Article Print  Add To Favorites Add To Favorites    Email This Article To A Friend Email To Friend  Rate This Article Rate This Article   
Ideas for Improving ASP and ASP.NET Web Application Security - Part 1
page 2 of 6
by Brett Burridge
Feedback
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 28437/ 109
Do not use .inc as default makes it readable in browser

When using ASP include files, it is usually better to use the .asp file extension rather than .inc. This is because many IIS web servers do not recognize that the .inc files contain ASP content.  Although it is possible to associate files with .inc file extensions with the ASP interpreter via the Application Mappings settings within IIS, not many websites are configured to do this.

If IIS is not aware of .inc files containing ASP, then HTTP requests for them will be returned to the client as plain text.  This does of course mean that the source code in the file will be viewable by anyone.  This is a particular hazard if there is sensitive data contained within them, such as passwords or database connection strings.

Although it is possible that your .inc files may go unnoticed, there are several methods by which they may get discovered.

A malicious user may come across them if they are in a sub-folder with a guessable name (such as "includes") and the folder has directory browsing switched on.  Turning off directory browsing will help alleviate this issue.

An ASP error on a page using the include file will show the path to the include file if the error was encountered in that include file.  Turning off ASP errors will avoid this issue.

The other advantage of this is that file editors, such as Visual InterDev, will automatically recognize the file as containing ASP code and will syntax highlight and color code the source code appropriately.
View Entire Article

User Comments

No comments posted yet.

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-04-19 6:24:43 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search