Solved

Can ASP source code be "hidden"?

Posted on 2001-09-04
Last Modified: 2008-02-01
Is there a way to "hide" ASP code that's used on a web site?  I've heard that .NET will compile the code, which would accomplish it, but I don't really know where to start.  

Thanks -
Question by:gglover
21 Comments
 
LVL 28

Accepted Solution

by:
AzraSound earned 50 total points
If you're concerned about visitors to your page, you are fine, so long as you haven't done anything to allow your code to be viewed (such as script errors in an include file with *.inc extension).

If you mean you want to protect it from someone you are distributing it to, or from the company hosting your site, then you need to wrap up the "sensitive" code into components (e.g., ActiveX DLLs).
0
 

Author Comment

by:gglover
Right - the server is not in my area and I'm not sure who has access to what, but I'd just as soon not expose how we did every little thing.

We can go the ActiveX components, but doesn't that require that the user machine have updated system files (MDAC, DCOM, etc.)?  Seems like it would introduce a whole new array of things that could screw up.  Perhaps it's not that big a deal...
0
 
LVL 18

Assisted Solution

by:mgfranz
mgfranz earned 50 total points
Microsoft has a script encoder available, http://www.microsoft.com/mind/0899/scriptengine/scriptengine.htm that will encrypt your code.
0
 
LVL 1

Expert Comment

by:NathanC
The only way (now) to keep code secure in an environment that is not completely your own is to wrap it in dlls.

"System files" are not really a concern because server.createobject() instantiates the same dll that the activeX component you created will.  IIS is the "user machine".  You are right, dll's do bring a whole new thing- for instance, any time you update a dll you need to bring down IIS, replace the dll and then start IIS and w3svc again.

A service provider typically will not allow you to register "Home Grown" dll's.  So look very carefully at the contract, place copyright notices in your asp code- as both server side comments and javascript/client side comments-And talk to a lawyer.  Another option- find a "server host" rather than a "site host".  In other words place your own server, with your security at someone else's site.  If you are distributing asp code to clients- again notch up the license agreement, hire a lawyer, or dictate dll usage.

I'm not sure I really understand what you are after- just offering a few things I've encountered- doing both dll in an IIS environment and asp.
0
 
LVL 28

Expert Comment

by:AzraSound
Generally, it usually means that the server simply allows you to install custom components.  Other than that, you should run into few problems as long as you maintain versioning within your components.  If your host provides support for custom components, they will do the installation and registering of those components for you.

MS Script Encoder is not a solid solution.  Just do a search on the web for the MS Script Decoder and you'll find plenty of links.
0
 
LVL 18

Expert Comment

by:mgfranz
Azra, I'm surprised you say Script Encoder is not a solid solution, while it can be hacked, [what code can't], I encode lots of my scripts with it.  Just as a test, I have a simple date.asp file that I encrypted with MS Script Encoder.  Here is the code before encrypting;

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
     <title>Date.asp</title>
<style>
body {
     font-family : Arial;
     }
</style>
</head>

<body>
Today is <%=FormatDateTime(Date(),2)%><p>
Todays date and time is <%=Now()%>.


</body>
</html>

Here it is after encrypting;

<%@ LANGUAGE = VBScript.Encode %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
     <title>Date.asp</title>
<style>
body {
     font-family : Arial;
     }
</style>
</head>

<body>
Today is <%=#@~^GAAAAA==oKDhmYGlYKbh+vfCY`bSy#9AcAAA==^#~@%><p>
Todays date and time is <%=#@~^BQAAAA==HKhc*hQEAAA==^#~@%>.


</body>
</html>

And here is the .asp page after running it through a "MS Script Decoder" I found on the web.

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 05 Sep 2001 14:39:24 GMT
Connection: Keep-Alive
Content-Length: 272
Content-Type: text/html
Set-Cookie: ASPSESSIONIDGGGGGKSQ=PCLDGJBDNOJCDMLJPLFDKDMP; path=/
Cache-control: private


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">

<html>
<head>
<title>Date.asp</title>
<style>
body {
font-family : Arial;
}
</style>
</head>

<body>
Today is 9/5/2001<p>
Todays date and time is 9/5/2001 7:39:24 AM.


</body>
</html>

Looks pretty secure and safe to me...  while I agree registering a .dll is probably the safest way, the Script Encoder is fine for most needs.
0
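
Added example, not part of any post in this thread: a small Python audit helper that finds Script Encoder blocks in ASP source and reads the two header fields that travel with every block. The field layout (6 Base64 characters of little-endian plaintext length after `#@~^`, 6 Base64 characters of byte-sum checksum before `^#~@`) is an assumption taken from public descriptions of the format; it agrees with both expressions in the date.asp listing above. Function names are hypothetical.

```python
import base64
import re

# Constructed input: the encoded expressions as they appear in the post above.
SAMPLE_PAGE = r"""<%@ LANGUAGE = VBScript.Encode %>
Today is <%=#@~^GAAAAA==oKDhmYGlYKbh+vfCY`bSy#9AcAAA==^#~@%><p>
Todays date and time is <%=#@~^BQAAAA==HKhc*hQEAAA==^#~@%>.
"""

# Plaintext of the same expressions, from the unencoded listing in the post.
KNOWN_PLAINTEXT = ["FormatDateTime(Date(),2)", "Now()"]

B64 = r"[A-Za-z0-9+/]{6}"
# start marker, length field, body, checksum field, end marker
BLOCK = re.compile(r"#@~\^(" + B64 + r")==(.*?)(" + B64 + r")==\^#~@", re.S)


def _u32(field):
    """Decode a 6-character Base64 field into a little-endian 32-bit integer."""
    return int.from_bytes(base64.b64decode(field + "=="), "little")


def inspect_blocks(source):
    """Return the declared plaintext length and checksum of each encoded block."""
    return [
        {"offset": m.start(),
         "declared_len": _u32(m.group(1)),
         "checksum": _u32(m.group(3))}
        for m in BLOCK.finditer(source)
    ]


def matches_plaintext(block, candidate):
    """True when reviewed source text fits the block's unkeyed header fields.

    Both fields are computed from the plaintext alone, with no key involved,
    so this is a consistency check on a deployed page, not proof of secrecy.
    """
    data = candidate.encode("latin-1")
    same_len = len(data) == block["declared_len"]
    same_sum = (sum(data) & 0xFFFFFFFF) == block["checksum"]
    return same_len and same_sum


if __name__ == "__main__":
    for blk, text in zip(inspect_blocks(SAMPLE_PAGE), KNOWN_PLAINTEXT):
        print(blk, "matches reviewed source:", matches_plaintext(blk, text))
```

Because the length and checksum depend only on the script text, the envelope holds no secret: the encoder is a fixed transformation, which is why it should be treated as obfuscation when deciding what a hosting provider can read.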
 
LVL 28

Expert Comment

by:AzraSound
If he is that concerned with securing his scripts, I am just saying that he probably wouldn't want to rely on using something that has been hacked and posted all over the internet.  Of course, if his site host is that sneaky and devious, then he probably needs to find a new home elsewhere on the web anyways.
0
 

Author Comment

by:gglover
Sorry for the delay.  After looking into it a bit, it does seem that the encoder will do just that, and is a quick and easy way to encode the ASP.  It also seems, however, that it's about as quick to "un-encode" it.  It's apparently been around without being changed, as well, which surely cuts down on its effectiveness.

My original question centered on .NET's "compiling" capabilities, but none of the answers mention it, so if it exists, it must not be very well known.

I think the suggestion of "wrapping in DLLs" might be a good one, but is there a source of how to do this?  Are these DLLs registered on the server only, or do they have to be registered on the user machine as well?

0
 
LVL 28

Assisted Solution

by:AzraSound
AzraSound earned 50 total points
>>My original question centered on .NET's "compiling" capabilities, but none of the answers mention it

Mainly due to the fact that it's still in BETA mode, and won't see full release til sometime next year, at least.  Then, we get to enjoy the road of new versions and service packs that developers enjoyed with Visual Studio.

Yes, ASP.NET will be coded in any language targeting the .NET platform.  VBScript is not one of those languages.  You will be using VB, C++, C#, etc, when writing your asp pages.  The benefit is compiled code, instead of interpreted code at run-time.  Yes the code is compiled, but it's not hidden.  Your worries lie in the fact that someone can see your code.  This will not change in ASP.NET.  Your code is still visible to those who view your pages.  The difference is how your pages are executed under the .NET platform.  To "hide" your code, you still need to use a component, which, actually, may be even less "safe" under .NET because, currently, the .NET platform offers a decompiler tool that will generate IL code from compiled sources.


Wrapping up ASP code into an ActiveX DLL is not a difficult task, especially if you've coded in VBScript (most of the code can be copied/pasted into a VB component).  These components need only be registered on the server, where they are utilized, and not on the client machine.
0
 
LVL 18

Expert Comment

by:mgfranz
I have not found a component, .exe or COM that can "un-encode" a MS Encoded .asp file, if you do know of a utility I would be happy to hear about it.

I still feel it's fine for most applications.
0
 
LVL 28

Expert Comment

by:AzraSound
0
 
LVL 18

Expert Comment

by:mgfranz
Cool, thanks.  But the utility still requires the original .asp code.

I agree that wrapping the pages into a .dll or a .exe would be the ultimate solution, but it seems senseless to have to re-compile just to fix a spelling or some other issue...
0
 

Author Comment

by:gglover
Two viable alternatives... now all I have to do is write something worth hiding!
One more question - I guess I want to split the points; how is that done?
Thanks -
0
 
LVL 28

Expert Comment

by:AzraSound
>>But the utility still requires the original .asp code.

That's what he has been worried about all along, e.g., a hosting site seeing his code.  Other than that, your server code is invisible to clients unless you have taken no steps to protect yourself.


>>but it seems senseless to have to re-compile just to fix a spelling or some other issue.

Whether a component or script within an asp page, changes need to be made.  Hopefully, you've tested it before registering and putting it into use.  Even then, if changes are small, and you've compiled with binary compatibility, you can just copy over the old component with the new w/o any hassles of registering/unregistering.



To split points, just post a 0 pointer in Community Support, ask them to split the points, and link them to this question.
0
 
LVL 18

Expert Comment

by:mgfranz
Azra, did you see the neat JS version?

If you dig hard enough at this site, you will find a Base64 encoding method that takes this basic page;

<html>
<head>
<title>Date.asp</title>
<style>
body {
font-family : Arial;
}
</style>
</head>
<body>
Today is 9/5/2001<p>
Todays date and time is 9/5/2001 7:39:24 AM.
</body>
</html>

And encodes it to this;

PGh0bWw+IA0KPGhlYWQ+IA0KPHRpdGxlPkRhdGUuYXNwPC90aXRsZT4gDQo8c3R5
bGU+IA0KYm9keSB7IA0KZm9udC1mYW1pbHkgOiBBcmlhbDsgDQp9IA0KPC9zdHls
ZT4gDQo8L2hlYWQ+IA0KPGJvZHk+IA0KVG9kYXkgaXMgOS81LzIwMDE8cD4gDQpU
b2RheXMgZGF0ZSBhbmQgdGltZSBpcyA5LzUvMjAwMSA3OjM5OjI0IEFNLiANCjwv
Ym9keT4gDQo8L2h0bWw+DQoNCg==

The only caveat is that the decoder will have to be declared or included in an encrypted page, or better yet, wrap the decoder into a .class file... ;-)

[I love my the net...]
0
 

Expert Comment

by:ComTech
Hi mgfranz, you left a link and a request to split points, for the record, would you please return to that question and tell the Moderator who you want the split to go to?

Thank you,
ComTech
Community Support Moderator
0
 
LVL 18

Expert Comment

by:mgfranz
Umm... ComTech, I think you want gglover to handle this request, not me.  ;-)
0
 

Expert Comment

by:ComTech
Right.  The split will be as follows:

50=mgfranz
50=AzraSound

gglover, I will reduce your points by 50, and accept one question here.

Use the other 50 points and create a new question here in this Topic Area for the other Expert.  Entitle the question *Points for <Expert Name>*  In the Comment Box type *For your help in my question #20178511*  

Choose the 50 point button and submit, this will complete the split.

Thank you,
ComTech
Community Support Moderator

0
 
LVL 27

Expert Comment

by:Asta Cu
Hopefully you've already been helped with this question, but thought you'd appreciate knowing this.

WindowsUpdate has new updates for .NET users; Details follow - Microsoft .NET Framework
The .NET Framework is a new feature of Windows. Applications built using the .NET Framework are more reliable and secure. You need to install the .NET Framework only if you have software that requires it.

For more information about the .NET Framework, see http://www.microsoft.com/net. (This site is in English.)

System Requirements
The .NET Framework can be installed on the following operating systems:
Windows 98
Windows 98 Second Edition (SE)
Windows Millennium Edition (Windows Me)
Windows NT 4.0® (Workstation or Server) with Service Pack 6.0a
Windows 2000 with the latest service pack installed (Professional, Server, Datacenter Server, or Advanced Server)
Windows XP (Home Edition and Professional)
You must be running Internet Explorer version 5.01 or later for all installations of the .NET Framework.

To install the .NET Framework, your computer must meet or exceed the following software and hardware requirements:

Software requirements for server operating systems:
MDAC 2.6
Hardware requirements:
For computers running only a .NET Framework application, Pentium 90 MHz CPU with 32 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
For server operating systems, Pentium 133 MHz CPU with 128 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
Recommended software:
MDAC 2.7 is recommended.
Recommended hardware: For computers running only a .NET Framework application, Pentium 90 MHz CPU with 96 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.
For server operating systems, Pentium 133 MHz CPU with 256 MB memory or the minimum CPU and RAM required by the operating system, whichever is higher.

How to use -> Restart your computer to complete the installation. No other action is required to run .NET Framework applications. If you are developing applications using the .NET Framework, you can use the command-line compilers or you can use a development environment, such as Visual Studio .NET, that supports using the .NET Framework.

How to uninstall
To uninstall the .NET Framework: Click Start, point to Settings, and then click Control Panel (In Windows XP, click Start and then click Control Panel.).
Click Add/Remove Programs.
Click Microsoft .NET Framework (English) v1.0.3705 and then click Change/Remove.
More here  http://www.microsoft.com/net/

The .NET topic is being considered for addition to our All Topics link soon, so this may interest you as well:
http://www.experts-exchange.com/newtopics/Q.20276589.html

EXPERTS POINTS are waiting to be claimed here:  http://www.experts-exchange.com/commspt/Q.20277028.html

":0)
Asta


0
 
LVL 7

Expert Comment

by:lavinder
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is:

split - azrasound mgfranz
Please leave any comments here within the next seven days.
 
PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!
 
lavinder
EE Cleanup Volunteer
0
