[Owasp-codereview] ASP Code Review

Andre Gironda andreg at gmail.com
Thu Mar 12 19:07:29 EDT 2009


On Thu, Mar 12, 2009 at 3:13 PM, Paul <lopo1 at hotmail.com> wrote:
> I was hoping one could quickly point me to any tools for Classic ASP Code
> review (if any exist since I have already tried to find some).

Depends on the deployment characteristics.  There were a lot of ISAPI
problems such as buffer overflows and information disclosures, but
these could usually easily be thwarted by making sure that you have
your unused ISAPI extensions unmapped.

IISLockdown and URLScan were good tools to help.  I know that Dinis
Cruz had a long list once, filled with tasty items such as the IIS
Metabase tools: MetaAcl.exe and MtaEdt22.exe

Nish Bhalla was a contributing author to Hacking Exposed Web App 2nd
Ed, where in Chapter 12, page 416, he demonstrates "An Example of
Binary Analysis" using OllyDbg.  Here is the code -
http://webhackingexposed.com/secret.zip

Also see:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/iisbook/c06_active_server_pages.mspx?mfr=true
http://w3schools.com/asp/

> Additionally, any other resources on ASP security are also welcome.

how about owASP.org ?
e.g. http://www.owasp.org/index.php/Reviewing_Code_for_SQL_Injection

Cheers,
dre

