Analysis of ASP + access security issues

As we all know, the biggest security risk of ASP + access is that access databases can be accessed by others.
Download, but now many ASP spaces support only access databases,
ASP + access security issues have become very prominent.

1. storage risks of access databases
In the ASP + Access application system, if you obtain or guess the storage path of the Access Database
Path and database name, the database can be downloaded to the local device.

2. Potential decryption risks of access databases
Because the encryption mechanism of the Access database is very simple, even if the database has a password,
Decryption is also very easy. The database system uses the password entered by the user to communicate with a fixed key.
Form an encrypted string and store it in the *. MDB file from the address "& h42 ".
Start area. Because an exception or operation is characterized by "restoring the original value after two exceptions or exceptions ",
This key is used to perform the second XOR operation with the encrypted string in the *. MDB file.
You can easily obtain the password for the access database. Based on this principle, you can easily compile the decryption
Program.

Therefore, no matter whether or not the database password is set, as long as the database is downloaded, its information is not secure.

3. Security Risks in programming
ASPCodeForm is used to implement user interaction, and the corresponding content is reversed.
In the browser's address bar, if you do not take appropriate security measures, you just need to write down
To directly access a page without verification. For example,
Page. asp? X = 1 "to directly go to the page that meets the" x = 1 "condition without going through the form page
. Therefore, special measures must be taken to avoid such problems when designing verification or registration pages.
.

============
Solution
============

Improve database security
Because the ACCESS database encryption mechanism is too simple, how to effectively prevent access
The download of databases has become the top priority for improving the security of ASP + access solutions.

1. unconventional naming rules
The easy way to prevent databases from being found is to create a complex
Rule name, and store it in a multi-tier directory. For example, for online bookstore database files,
Do not simply name it "book. mdb" or "store. mdb", but create an unconventional
Name, for example, faq19jhsv zbal. MDB.
Such as./akkjj16t/kjhgb661/ACD/avccx55. In this way,
Some methods for obtaining invalid access database file names by means of guesses are effective.
Blocking Effect.

2. use ODBC data source
in ASP programming, try to use ODBC Data Source. Do not write the database name directly in the
program. Otherwise, database names will be lost along with the password of ASP Source Code . Example:
dbpath = server. mappath (". /akkjj16t/
kjhgb661/ACD/avccx55/faq19jhsv zbal. mdb ")
Conn. open "driver = {Microsoft Access Driver (*. MDB)}; DBQ = "& dbpath
it can be seen that even if the database name is strange, the hidden directory is deep, and the ASP source code is out of password
, databases can also be easily downloaded. If you use an ODBC data source, the following
problem does not exist:
Conn. open "ODBC-DSN name"
ASP page encryption
to effectively prevent ASP source code leakage, ASP pages can be encrypted. There are two methods to encrypt ASP pages. One is to use component technology to encapsulate programming logic into DLL;
The other is to use Microsoft Script encoder to encrypt ASP pages. However, the main problem with the use of group
component technology is that each segment of code must be componentized, so the operation is cumbersome and the workload is heavy
; the script encoder is used to encrypt ASP pages, which is simple and effective.
the script encoder method has many advantages:

(1). html is still editable. Script encoder is only encrypted on the HTML page
The other parts of the embedded ASP Code remain unchanged, so that we can still use
Frequently Used webpage editing tools such as FrontPage and Dreamweaver modify and complete the HTML part.
Is good, but cannot modify the ASP encryption part, otherwise the file will become invalid.
(2) The operation is simple. Just master several command line parameters. Script encoder running
The program is screnc.exe, which is used as follows:
Screnc [/S] [/F] [/XL] [/L deflanguage] [/e defextension] inputfile outputfile
The parameter meanings are as follows:
S: screen shielding;
F: Specifies whether the output file overwrites the input file with the same name;
XL: whether to add the @ language command to the top of the. asp file;
L: deflanguag specifies the default script language;
E: defextension specifies the extension of the file to be encrypted.
(3) files can be encrypted in batches. Use script encoder
And output the encrypted files to the corresponding directory. Example
For example:
Screnc *. asp c: \ Temp
(4). Script encoder is a free software. The encryption software can be downloaded from the Microsoft Website:
Http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After the download, run and install.

Registration and verification using session objects
To prevent unregistered users from directly accessing the application system through the registration interface, you can use the session object for registration verification. The biggest advantage of a session object is that it can retain the information of a user so that subsequent web pages can be read.

3. Change the database Extension
You can also change the database extension to. asp. Of course, you need
Use a file name similar to database. asp, so that the database will not be easily downloaded, and the data
You can also read and write data normally.

4. Add incorrect ASP code to the database
If you think everything will be fine after 3rd items are completed, it will be wrong, although the database Extension
Changed to. asp, but after the other party guessed your database path, it can still be downloaded, only
However, it is slower. The other party can "Save as" after the page is fully opened. Solution
To solve this problem, add the wrong ASP code in the database. You can create a hidden
Table, the table has only one column, and insert such a row:

In this way, when the other party opens the database page, only the ASP script error message appears, instead
Will download your database.

5. A solution to the hidden risks in programming
Most people think that the website cannot be normally accessed by adding a logon password. Please take a look
Verification statement:

SQL = "select uname, PWD from uinfo where"
SQL = SQL & "uname = '" & request. Form ("uname ")&"'"
SQL = SQL & "and Pwd = '" & request. Form ("PWD ")&"'"
Rs. Open SQL, Conn, 1, 1
If Rs. EOF or Rs. bof then
Response. Write "sorry, incorrect user name/password! "
Else
Response. Write "Login successful! "
End if

Some readers may have seen that this code is very dangerous, as long as the other party knows the user name.
You can log on. You can enter "'or '1' = '1' in the password box. The principle is very good.
Simple: SQL query statements are used. Note that SQL statements submitted after this method
Changed to: (if the user name is administrator)
Select uname, PWD from uinfo where uname = 'admin' and Pwd = ''or '1' = '1'
If the user name administrator exists, this record can be selected.
Then, you can log on normally.

Solution:

SQL = "select uname, PWD from uinfo where"
SQL = SQL & "uname = '" & request. Form ("uname ")&"'"
Rs. Open SQL, Conn, 1, 1
If Rs. EOF or Rs. bof then
Response. Write "sorry, this site does not have this user! "
Else
If Rs. Fields ("PWD") = trim (request. Form ("PWD") then
Response. Write "Login successful! "
Else
Response. Write "incorrect user name/password! "
End if
End if