Security ASP vulnerabilities and security recommendations
Bird
A preface
Microsoft Active Server Pages (ASP) is a server-side scripting environment that you can use to create and run dynamic, interactive WEB server applications. Using ASP, you can combine HTML pages, script commands, and ActiveX components to create interactive Web pages and powerful web-based applications.
Now many websites, especially e-commerce sites, in the foreground most of the ASP to achieve. So far, ASP is very common in Web application.
ASP is the rapid development of Web application tools, but some webmasters only see the rapid development capabilities of ASP, but ignore the ASP security issues. ASP from the beginning has been a number of vulnerabilities, backdoor troubles, including%81 nightmare, Password Authentication problems, IIS vulnerabilities and so on have been the ASP Web site developers have the courage to jump.
This article attempts to open the ASP service operating system vulnerabilities and ASP program itself vulnerabilities, elaborated ASP security problems, and give solutions or suggestions.
Two key words
ASP, network security, IIS,SSL, encryption.
Three ASP working mechanism
Active Server Page technology provides an intuitive, fast, and efficient application development tool for application developers, which greatly improves the development effectiveness. Before discussing the security of ASP, let's look at how the ASP works. ASP scripts are written in plaintext (plain text).
An ASP script is a series of files written in a text format that is composed of a script that mixes with standard HTML pages in a specific syntax (currently supports VBScript and JScript two scripting languages). When end users of a client use a Web browser over the Internet to access an ASP-based application, the Web browser makes an HTTP request to the Web server. When the Web server analyzes and determines that the request is an application of ASP script, it automatically invokes the interpretation run engine (ASP.DLL) of the ASP script through the ISAPI interface. Asp. The DLL will get the specified ASP script file from the file system or internal buffer, and then parse and interpret the execution. The resulting processing results will form HTML-formatted content, which is returned to the Web browser via the Web server "original path", resulting in the final rendering of the results by the Web browser on the client. This completes a full ASP script call. Several organic ASP script calls make up a complete ASP script application.
Let's take a look at the environments that are required to run ASP:
Microsoft Internet Information Server 3.0/4.0/5.0 on NT server
Microsoft Internet information Server 3.0/4.0/5.0 on Win2000
Microsoft Personal Web Server on Windows 95/98
Microsoft IIS with WINDOWS NT Option Pack provides powerful functionality, but IIS is more dangerous in terms of network security. Because very few people will use Windows 95/98 when the server, so this article I more from the NT IIS security issues to explore.
Four Microsoft's self-proclaimed ASP's security benefits
Although our focus here is on ASP vulnerabilities and backdoor, it is necessary to talk about the "advantages" of ASP in Network security, add a "", because sometimes these Microsoft's alleged "advantage" is precisely its security stealth.
Microsoft said the ASP in the network security aspect one big advantage is that the user cannot see the ASP source program,
From the principle of ASP, ASP executes and interprets the standard HTML statements in the server and sends them to the client browser. "Shielding" the source program can be very good maintenance of the copyright of the ASP developers, imagine you have worked hard to do a very good program, to people arbitrary copy, what would you think? And the hacker can analyze your ASP program, pick out the loophole. More importantly, some ASP developers like to write passwords, privileged username and path directly in the program, so that others by guessing the password, guessing the path, it is easy to find the attack system "entrance." But now we have found a lot of vulnerabilities to see the ASP source program, we have to discuss later.
IIS supports virtual directories by using the Directory tab in the Server Properties dialog box to
To manage the virtual directory. Establishing a virtual directory is very important for managing Web sites. The virtual directory hides important information about the site directory structure. Because in the browser, the customer can easily get the file path information of the page by selecting "View Source code", and if the physical path is used on the Web page, it will expose important information about the site directory, which could easily cause the system to be attacked. Second, as long as two machines have the same virtual directory, you can move the Web page from one machine to another without making any changes to the page code. Also, when you place a Web page in a virtual directory, you can set different properties for the directory, such as Read, Excute, Script. Read access represents the delivery of directory content from IIS to the browser. and executing access enables executable files to be executed within that directory. When you need to use ASP, you must set the directory of your. asp files to "Excute". We recommend that when you set up your Web site, placing HTML files in separate directories with ASP files, and then setting HTML subdirectories to read, and setting ASP subdirectories to "execute", not only facilitates web management, but also enhances the security of ASP programs, Prevents the program content from being accessed by the customer.
Five ASP vulnerabilities Analysis and solution method
Some people say that a computer that is not connected to the outside is the safest computer, a computer that shuts down all the ports and does not provide any services is also the safest. Hackers often use the ports we open to implement attacks, the most common of which are DDoS (denial of service attacks). Below I will list the ASP's more than 20 vulnerabilities, each with a vulnerability description and workaround.
1 in the ASP program after adding a special symbol, can see the ASP source program
Affected version:
Win95+pws
IIS3.0
98+pws4 There is no such loophole.
There is no such loophole in the version above IIS4.0.
Problem Description:
These special symbols include the decimal point,%81,:: $DATA. Like what:
Http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp:: $DATA
http://someurl/somepage.asp%2e
http://someurl/somepage%2e%41sp
http://someurl/somepage%2e%asp
http://someurl/somepage.asp%2e
Http://someurl/msadc/samples/selector/showcode.asp?source=/msadc/samples/../../../../../../boot.ini (You can see the contents of the Boot.ini file)
Then it is easy to see the somepage.asp source program in the IIS3.0 and WIN95+PWS browsing. What is the cause of this terrible loophole? The root of the problem is that Windows NT-specific file systems are doing strange things. People with a little common sense know that a file system that is completely different from FAT is provided in NT: NTFS, a technology called New technology file system makes NT have a higher security mechanism, but it is because it has caused a lot of headaches. As you may not know, NTFS supports a majority stream in a file, and the main data stream that contains all the content is called "data," making it possible to easily capture the script in the file by accessing this feature of the NTFS system directly in the browser. However, the direct result:: $DATA because IIS is having trouble parsing the filename, it does not have a good canonical file name.
Solutions and Recommendations:
If it is a Winodws NT user, installing IIS4.0 or iis5.0,windows2000 does not have this problem. If you are a Win95 user, install WIN98 and PWS4.0.
2 vulnerabilities where ACCESS MDB databases may be downloaded
Problem Description:
When you use Access to do a background database, if someone knows or guesses in various ways
To the path and database name of the server's Access database, then he can download the Access database file, which is very dangerous. For example, if you have an Access database Book.mdb placed in the virtual directory under the database directory, then someone in the browser to enter:
http://Someurl/database/book.mdb
If your Book.mdb database is not encrypted in advance, then all important in the Book.mdb
Data are in the hands of others.
Workaround:
Make a complicated unconventional name for your database file name and put it in a few eyes
Recorded. The so-called "unconventional", for example: there is a database to keep the information about the book, do not put him a "Book.mdb" name, a strange name, such as D34ksfslf.mdb, and then put him in a few layers of/kdslf/i44/studi/, such as the directory, This makes it even harder for hackers to get your Access database files by guessing.
(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:
DBPath = Server.MapPath ("Cmddb.mdb")
Conn. Open "Driver={microsoft Access driver (*.mdb)};d bq=" & DBPath
If you get a source program, your Access database will have a glance in the name. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:
Conn.Open "Shujiyuan"
(3) Use Access to encode and encrypt the database files. First in the Select tool-> ann
Full-> encryption/decryption database, select the database (such as: Employer.mdb), and then confirm, then the "Database encryption Save as" window, Save as: Employer1.mdb. Then the employer.mdb will be encoded and stored as employer1.mdb.
Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.
Next we encrypt the database, first by opening the encoded Employer1.mdb, and when we open it, select "Exclusive" mode. Then select the "Tools-> security-> Set Database Password" in the menu, and then enter your password.
After you have set a password for Employer1.mdb, then if you use the Accees database file again, Access asks for a password before you can start the database correctly.
However, to add PWD parameters to the Connection object's open method in an ASP program, for example:
Param= "Driver={microsoft
