ASP Example #2
OK, here we go with Active Server Pages (ASP) Example Number Two. I should say that if you stopped by this page simply because of its offering a password system, then you may want to read over the original ASP tutorial first. Here I'm going to assume you understand the concept of ASP and what it actually does. So go and give the first tutorial a once over and come back. You'll get a great Server Side Include script for your trouble.
This pup is so much better because everything goes on behind the scenes and cannot be viewed by a normal browser. You really do need to have access to the pages themselves through FTP to get the code. It's a great system for protecting singular pages against people you'd rather not have sniffing around.
What You're Going To Need
This system works with five different pages:
- password.asp is the form users fill out.
- engine.asp is the VBScript that checks their entries.
- invalid.asp is the page users get from invalid login and password.
- inyougo.asp is the page they get with correct login and password.
- passwords.txt is the text page that contains the passwords.
Be Careful!! ASP must be run on a server that supports it.
In order for me to offer these pages to all users, I have changed them into HTML for easy copy and paste.
Do Not Download The Pages but rather copy them from the browser screen retaining the EXACT same shape as when you received them.
They are HTML files now, but when you save them, you MUST save them with the ASP extension. It will read at the top of each page what name you should save the file under.
Please follow these instructions and save all five files to the same directory.
Alter Them For Your Server
In all honesty, there isn't a whole lot to do. The only changes that have to be made are on the page you saved as "engine.asp".
I have highlighted in bold the items that you'll need to change or be most concerned about. Here they are in the order they show up in the script:
That "path\path\path\path" is our main concern. That's where you tell the script where to find the list of passwords. The author informs me that a basic path will do it.
For instance: You have a site at
In the path list above, you would write
Just drop the main domain text. Please note the slashes go backwards.
- & "\passwords.txt")
If you keep your list of logins and passwords titled "passwords.txt" then there's no need to change this. If you change the title, then you have to change this.
- Response.Redirect "inyougo.asp"
This script is set up to take users who give the correct login and password to a page titled "inyougo.asp". If you want them to go to a different page, then change this out.
- Response.Redirect "invalid.asp"
This is where users are sent if they do not offer the correct login and password. Again, if you change the name of the page, then change this.
The only other item you really need to be concerned about is the passwords.txt page. Remember to save it as a text file with the .txt extension. That's important.
At the moment, the passwords.txt page is set up to accept two people, Bill Gates and myself.
Notice the format for entering logins and passwords. The first text blurb is the login. I used my last name. The second blurb of text is the password. I used my first name. You can enter anything you want. As long as the user enters what is in the passwords.txt file EXACTLY, then they get in.
Protection Concerns
This system protects one page at a time. If you wish to protect multiple pages, then you have to generate more of these password and engine pages for each page you wish to protect.
In addition, this does not protect the page once the person has found out the URL. The user can then simply bookmark past the login and jump straight to the page, but they first have to know the login and password to get there in order to bookmark it.
You would hope the people you offer passwords to would not make a point of telling lots of other people the URL.
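Both concerns above (one page at a time, and a known URL skipping the login) can be handled with a server-side session check shared by every protected page. The following is an added example, not part of the original script or its author's code: the file name protect.asp, the Sub names and the session key are made up for illustration, and it assumes engine.asp is edited to call MarkLoggedIn just before its existing Response.Redirect "inyougo.asp" line.

```asp
<%
' protect.asp: added example, not one of the tutorial's five files.
' The file name, Sub names and session key are hypothetical.
'
' Assumed wiring:
'   engine.asp : add   <!-- #include file="protect.asp" -->
'                and call  MarkLoggedIn login  right before the existing
'                Response.Redirect "inyougo.asp"
'                ("login" stands for whatever variable holds the login there)
'   inyougo.asp (and any other page to protect):
'                add the same include at the very top, then call
'                RequireLogin  before any HTML is written.

Const SESSION_KEY = "LoggedInUser"

' Record a successful login in server-side session state.
' The browser only ever holds the ASP session cookie, never the flag itself.
Sub MarkLoggedIn(login)
    Session(SESSION_KEY) = login
    Session.Timeout = 20            ' minutes of inactivity before the login lapses
End Sub

' Send the visitor to the login form unless this session has logged in.
' A bookmarked or guessed URL arrives without the session value and is bounced.
Sub RequireLogin()
    ' Ask browsers and proxies not to keep a copy of the protected page.
    Response.Expires = -1
    Response.CacheControl = "no-cache"
    Response.AddHeader "Pragma", "no-cache"

    ' An unset session value is Empty; appending "" makes the length test safe.
    If Len(Session(SESSION_KEY) & "") = 0 Then
        Response.Redirect "password.asp"
    End If
End Sub

' Optional: call from a "log out" page to discard the session.
Sub LogOut()
    Session.Abandon
    Response.Redirect "password.asp"
End Sub
%>
```

RequireLogin has to run before the page sends any output, because the headers and the redirect cannot be set once content has gone out with buffering turned off.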
And That's That...
Copy and paste all the files, save them all in the same directory, enter a few more logins and passwords and you should be good to go.
Of course you can jazz up the pages I offered to death. Just don't alter out the basic workings of the process more than outlined above unless you have a pretty good idea of what you're doing. That'll mess things up a bit.