11.6 ASP



The term Active Server Pages (ASPs) refers to a proprietary server-side scripting technology used by Microsoft to dynamically create Web pages. Roughly speaking, an ASP page is an HTML page that contains some server-side scripts that are processed by the Web server before the HTTP response message is sent back to the browser. As such, the ASP technology is conceptually similar to the use of SSIs.

More specifically, when a browser requests an ASP file (i.e., a file with the extension .asp) from a Web server, the server processes the ASP file from top to bottom and executes any server-side script it finds in the file. The scripts, in turn, can be written in either the VBScript or JScript scripting languages. The server then formats a standard Web page (e.g., an HTML or XML page) and returns it to the browser. Consequently, anybody familiar with VBScript or JScript programming is potentially able to create ASP files.
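The top-to-bottom processing described above can be modelled with a short script that separates the parts of an ASP file the server interprets from the literal markup it passes through. This is an added example, not code from the book; the sample page and the function names are constructed for illustration, and the model covers only the `<% %>`, `<%= %>` and `<%@ %>` delimiters.

```python
import re

# Constructed sample page (not from the book): VBScript in <% ... %> delimiters.
SAMPLE_ASP = '''<%@ Language="VBScript" %>
<html>
<body>
<% Dim hour_now
   hour_now = Hour(Now()) %>
<p>Server hour: <%= hour_now %></p>
</body>
</html>
'''

# <%@ ... %> page directive, <%= ... %> output expression, <% ... %> code block.
BLOCK = re.compile(r"<%(@|=)?(.*?)%>", re.DOTALL)
KINDS = {"@": "directive", "=": "expression", None: "code"}

def split_asp(source):
    """Walk the page top to bottom and return ordered (kind, text) segments.

    'html' is literal markup passed through unchanged; the other kinds are
    the parts the server interprets before the response is sent.
    """
    segments, pos = [], 0
    for m in BLOCK.finditer(source):
        if m.start() > pos:
            segments.append(("html", source[pos:m.start()]))
        segments.append((KINDS[m.group(1)], m.group(2).strip()))
        pos = m.end()
    if pos < len(source):
        segments.append(("html", source[pos:]))
    return segments

def script_language(segments, default="VBScript"):
    """Language named in the page directive; the default is an assumption."""
    for kind, text in segments:
        m = re.search(r'Language\s*=\s*"?(\w+)', text, re.IGNORECASE)
        if kind == "directive" and m:
            return m.group(1)
    return default

def server_side_parts(source):
    """Only the segments executed on the server: the ones to review."""
    return [(k, t) for k, t in split_asp(source) if k != "html"]

if __name__ == "__main__":
    for kind, text in split_asp(SAMPLE_ASP):
        print(f"{kind:10} {text.strip()!r}")
```

Running `server_side_parts` over a site's .asp files gives a reviewer the script code the server will execute, in the order it executes it, without the surrounding markup.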

In the past, ASP has been involved in many security problems. Most of these security problems, however, have been due to the fact that ASP is deeply intertwined with the Microsoft Windows operating systems and Web servers (i.e., Microsoft IIS and Personal Web Server). Consequently, attackers usually employ ASP pages to exploit vulnerabilities and bugs either in the operating system or the Web server software. If they did not use ASP pages, they would search for and eventually find other possibilities to exploit the same vulnerabilities and bugs. Nevertheless, it is arguably correct to say that VBScript and JScript are powerful scripting languages that simplify the attacker's job considerably.




Security Technologies for the World Wide Web, Second Edition
ISBN: 1580533485
EAN: 2147483647
Year: 2003
Pages: 142
Authors: Rolf Oppliger
