Vulnerability analysis and hacker intrusion prevention method of ASP website

Author: pizzaviat
Source: Eighth Regiment
How to better achieve the prevention of hacker attacks, I mention personal views! First, the free program does not really have a fee, since you can share the original code, then the attacker can analyze the code. If you pay attention to precautions in detail, your site's security will be greatly improved. Even if there are vulnerabilities such as SQL injection, attackers will not be able to take your site immediately.
Due to the ease of use of ASP, more and more Web site background programs are using ASP scripting language. However, because the ASP itself has some security vulnerabilities, a little careless will provide the opportunity for hackers. In fact, security is not only a matter of network management, programmers must also be aware of certain security details, develop good safety habits, otherwise it will bring huge security risks to their website. At present, most of the ASP programs on the site have such a security vulnerability, but if you write a program to pay attention to, it can be avoided.
1, user name and password is cracked
Attack principle: User name and password, is often the most interesting thing to hackers, if the source code is seen in some way, the consequences are serious.
Prevention Tips: The user name and password procedures are best encapsulated in the server side, as little as possible in the ASP file, involving the database connection with the user name and password should be given the minimum permissions. The number of times a user name and password can be written in a more hidden file containing files. If you are connected to a database, and in an ideal state only give it permission to execute a stored procedure, do not give the user permission to modify, insert, or delete records directly.
2. Verification is bypassed
Attack principle: Now need to verify the ASP program is mostly in the page head plus a judgment statement, but this is not enough, there may be hackers bypass the verification of direct access.
Prevention tips: Need to verify the ASP page, you can track the file name of the previous page, only from the previous page into the session to read this page.
3, Inc. file leakage problem
Attack principle: When the ASP's home page is being made and no final debugging is done, it can be added as a search object by some search engine maneuver. If someone uses a search engine to find these pages, they will be able to locate the files and see the details of the database location and structure in the browser, revealing the complete source code.
Precautions: Programmers should thoroughly debug a Web page before it is released; security experts need to harden the ASP files so that external users cannot see them. The. inc file content is encrypted first, and then the. asp file can be used instead of the. inc file to make it impossible for users to view the source code of the file directly from the browser. The file name of the INC file does not use the system default or has special meaning easily guessed by the user name, try to use the English alphabet without rules.
4, automatic backup is downloaded
Principle of attack: in some tools for editing ASP programs, when creating or modifying an ASP file, the editor automatically creates a backup file. For example: UltraEdit will back up a. bak file, such as you create or modify the some.asp, the editor will automatically generate a call Some.asp.bak file, if you do not delete this Bak file, the attacker can directly download Some.asp.bak file, so some.asp source The order will be downloaded.