Hi,

I've just been reading about a method whereby a hacker using HTTP_REFERER methods can access the source code of an ASP website. I've made it work from inside my site but does anyone know how/if it can be done from an external source? If so this opens up a huge security hole in ASP, as many people store connection string passwords and encryption public keys within the ASP code.

I am currently doing this in the classic macromedia method of including the connection string at the top of pages that require it. I want to move these into a COM/DLL object which i believe is more secure (Requiring decompiling, after the original DLL is located in the server's root). Does anyone know a good way of writing one of these connection string DLLs? I'm using Dreamweaver, Visual Studio.NET etc.

Thanks

Joe

What article are you referring to? Post the link, because I'm interested too.

If its some kind of injection exploit, why don't you just sanitize the string (e..g RegExp to remove bad characters) before using it?

Are you writing ASP in VS.net? Why not write in ASP.net? The .net runtime secures the files that you would store connections strings. In a typical ASP.net application, a connection string can be stored in the web.config file. The ASP.net installation on IIS will not permit that file to be served.

I'm using classic ASP. The article i was reading was on ASP101.com - someone mentioned that you could use HTTP_REFERER to view site source code. I managed to find a script that did this if it was within the site folders online but couldn't find a lot more out about the process. Basically you use a fileSystemObject to download a file as text. That way the ASP.dll doesn't parse the data it just outputs it as plain text. Very cunning.

I already have some SQL injection protection but am going to add some more. I'd just like to know if anyone has any links to good tutorials on making a connection dll. I'm only just starting out with VS.Net and its all very complicated!

Thanks