IIS supports advanced file types such as .asp and .htr files, which are executed by a scripting engine on a server and are not sent to your browser, as .htm files are. IIS determines what scripting engine to use by checking file extensions. A malicious user could go to a Web site and add particular characters to the end of the Web site's URL, requesting further files within the site. IIS locates the correct advanced file, but does not recognize it as a file that needs processing by a scripting engine. Consequently, IIS sends the file to a browser as it does .htm files, revealing the file source code.