Published: Tuesday, September 22, 1998

Protecting Yourself Against ::$DATA

One of the advantages of ASP is that it is processed on the server side, and the client is sent only raw HTML. Therefore, your valuable code is not available for any old web surfer to view. However, back in July '98 a "security hole" was found that let web surfers view the contents of your ASP files. This is bad. All they had to do, and still have to do on a server that has not been fixed, is append ::$DATA to the end of the URL. (For example, "http://www.mydomain.com/myaspfile.asp::$DATA".) This can be fixed, although not everyone is aware of the issue. Below is a question from the Active Server Pages Mailing List, and a corresponding answer from Peter Brunone.

Protecting Yourself:
The question:

I have a question regarding the "::$DATA" literal appended to the end of an HREF of an .asp page in the address bar of a browser (e.g. www.blah.com/blah/aspPage.asp::$DATA). I notice at some web sites, adding this reveals all server side scripting. However, other sites have this disabled. How can you disable this so that server side code is not revealed? I don't know whether this is an IIS switch or an .asp function.

And the answer from Mr. Brunone:

Actually, this is a characteristic of all NT files. Scary, isn't it?

You can disable this by setting ASP directories to have only execute permissions (and NOT Read permissions). That way your asp files will never be read (as in the data stream you've been getting); they will only be executed, yielding simple HTML to the client.

As mentioned in the introduction, this security problem has been known since July of 1998. If you have yet to fix this on your web server, you may wish to do so promptly. Remember, part of the appeal of Active Server Pages is the fact that your code is hidden from the prying eyes of your competitors. Happy Programming!


A hotfix for the ::$DATA bug is available at http://www.microsoft.com/ntserver/nts/downloads/archive/NTOPQFE/default.asp.

You should also be sure to read this KB article at Microsoft's site: ::$DATA Data Stream Name May Return Source (Microsoft KB Article)
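
To see whether a server has already received requests of this form, and whether it answered them, the web server log can be scanned for URI stems ending in ::$DATA. The following is an added example, not code from the original article or from Microsoft; the log lines, field layout (W3C extended format) and the function name `find_stream_requests` are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in W3C extended log format (not from a real server).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
1998-09-22 10:01:12 192.0.2.10 GET /default.asp 200
1998-09-22 10:01:40 192.0.2.44 GET /myaspfile.asp::$DATA 200
1998-09-22 10:02:03 192.0.2.44 GET /myaspfile.asp%3A%3A$data 200
1998-09-22 10:02:30 192.0.2.44 GET /blah/aspPage.asp::$DATA 403
1998-09-22 10:03:02 192.0.2.10 GET /images/logo.gif 200
"""

# NTFS stream syntax is file:stream:type; "::$DATA" names the default data stream.
STREAM_SUFFIX = re.compile(r"::\$DATA$", re.IGNORECASE)

def find_stream_requests(log_text):
    """Return one dict per request whose URI stem ends in ::$DATA.

    'source_exposed' is True when the server answered 2xx, meaning the
    script source was probably returned instead of being executed.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Normalise percent-encoding before matching the suffix.
        stem = unquote(row.get("cs-uri-stem", ""))
        if STREAM_SUFFIX.search(stem):
            status = row.get("sc-status", "")
            hits.append({
                "client": row.get("c-ip"),
                "uri": stem,
                "status": status,
                "source_exposed": status.startswith("2"),
            })
    return hits

if __name__ == "__main__":
    for hit in find_stream_requests(SAMPLE_LOG):
        print(hit)
```

Any hit with `source_exposed` set to True points at a directory that still grants Read permission or a server without the hotfix.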
