Which files are visible in a website?

LarryM

Hi,

This is maybe not a pure ASP question, but has some relation:
Please help me throw some light on this:

Which directories and files are visible and readable for a (hacking) user at a
Website:
a) directories in the default website (obviously: YES)
b) .asp-files in the default Website
c) .asp-files in any directory outside the default Website
d) virtual directories, with files, referred to in the Website
e) any virtual directory, with files, set up in IIS
f) any other directory and file on the server computer that you know the local
physical path to
g) any other directory and file on the server computer that you know a valid
URL to

any comment is appreciated, thanks
Larry
 
LarryM

A) yes, but listing the contents is a switch you can turn on/off.
B) yes by default BUT you can turn this off.
C) no, unless you've specified it as another site.
D) yes, depending on the file type though it may not be.
E) see D
F) not usually if the system is patched/up to date.
G) yes usually, see D though.

Thanks Curt C!!
I guess the subject is too large to handle in a thread...
You don't happen to know a good book where I can dig deeper into all the
details??

BTW, how do you turn the .asp-files to be not visible?

/Larry
 
Don Verhagen

LarryM said:
Thanks Curt C!!
I guess the subject is too large to handle in a thread...
You don't happen to know a good book where I can dig deeper into all the
details??

BTW, how do you turn the .asp-files to be not visible?

.asp files are not visible, just the HTML output (e.g. "Response.Write"). ASP
files, by default (etc.), are processed by the server first after each
request. (Unless using FTP rather than HTTP)

Don
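
Added example, not part of the original thread: a Python check, meant to be run over responses fetched from your own site, that tells apart the cases discussed above: an .asp page rendered to HTML, raw script source returned to the client, and a directory listing. The host name, paths and sample responses are constructed, and the "[To Parent Directory]" marker assumes the stock IIS listing page.

```python
import re
from urllib.parse import urlsplit

# Raw server-side script block: present only if the file was sent unprocessed.
ASP_BLOCK = re.compile(r"<%.*?%>", re.DOTALL)
# Link text on the directory listing page IIS generates when browsing is enabled.
DIR_LISTING = re.compile(r"\[To Parent Directory\]", re.IGNORECASE)


def classify(url, status, content_type, body):
    """Return a verdict for one response fetched from your own site."""
    if status != 200:
        return "not-served"
    if DIR_LISTING.search(body):
        return "directory-listing"
    is_asp = urlsplit(url).path.lower().endswith(".asp")
    html = content_type.lower().startswith("text/html")
    # Script delimiters in the body, or an .asp URL served as a download,
    # mean the source reached the client instead of its output.
    if ASP_BLOCK.search(body) or (is_asp and not html):
        return "source-disclosed"
    return "rendered"


# Constructed sample responses (hypothetical host and paths), not real captures.
SAMPLES = [
    ("http://www.example.com/default.asp", 200, "text/html",
     "<html><body>Hello</body></html>"),
    ("http://www.example.com/default.asp", 200, "application/octet-stream",
     '<%@ Language=VBScript %>\n<% Response.Write "Hello" %>'),
    ("http://www.example.com/files/", 200, "text/html",
     '<pre><A HREF="/">[To Parent Directory]</A><br> 1024 a.txt</pre>'),
    ("http://www.example.com/files/", 403, "text/html",
     "Directory Listing Denied"),
]


def audit(samples):
    """Classify every sample; 'source-disclosed' and 'directory-listing' need a fix."""
    return [(url, classify(url, status, ctype, body))
            for url, status, ctype, body in samples]


if __name__ == "__main__":
    for url, verdict in audit(SAMPLES):
        print(f"{verdict:18} {url}")
```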
 
LarryM

.asp files are not visible, just the HTML output (e.g. "Response.Write"). ASP
files, by default (etc.), are processed by the server first after each
request. (Unless using FTP rather than HTTP)
So, visible using FTP..
And since I have an exclusive access to my Website by a FTP login,
and Anonymous FTP Access is turned off, then
only I (and the provider) can see the .asp-files, right?

/Larry
 
LarryM

simply disassociate them with the ASP.DLL in the IIS manager.
And that doesn't affect the ASP code execution?
And the .asp-files are still visible in FTP?
/Larry
 
Jeff Cochran

This is maybe not a pure ASP question, but has some relation:
Please help me throw some light on this:

Which directories and files are visible and readable for a (hacking) user at a
Website:
a) directories in the default website (obviously: YES)

Not mine.
b) .asp-files in the default Website

Not mine.
c) .asp-files in any directory outside the default Website

Not mine.
d) virtual directories, with files, referred to in the Website

Not... Okay, you see the pattern here.
e) any virtual directory, with files, set up in IIS
f) any other directory and file on the server computer that you know the local
physical path to
g) any other directory and file on the server computer that you know a valid
URL to

Securing files/folders is a matter of several permissions in
combination. If you allow anonymous access, then you presumably allow
at least some files to be displayed to anyone who hits your web site
URL. Beyond that, you can configure any or all pages to be served
through ASP only, and not directly from the system. You can configure
your system such that pages never exist until sent to the browser,
serving dynamically from a database that can't be directly accessed.

You also should consider that just making files available to a browser
or not isn't security against hackers. Most script hacks won't look
at your pages and determine to hack them, they just scan for known
holes to see if you've plugged them. So you're far more likely to be
a hacking victim from other issues besides file availability.

Jeff
 
Jeff Cochran

So, visible using FTP..
And since I have an exclusive access to my Website by a FTP login,
and Anonymous FTP Access is turned off, then
only I (and the provider) can see the .asp-files, right?

And the guy who guesses your password. And the guy who hacks another
account on the same box and elevates his privileges. And the guy who
calls your ISP, says he's you and needs a copy of his files burned to
CD. And the guy who walks in the door of your ISP and simply copies
the files to disk. And the...

Security isn't as simple as you're looking for.

Jeff
 
LarryM

Thanks guys for all your comments and tips,
I feel a bit … humble about the security issues,
there is obviously a lot to deal with..

/Larry
 
