ASP Network Programming Security Guide (SQL Injection)

Author: Feng Qingyang Source: egeneration V4
In recent times, network attacks have become more prevalent, and many sites have been hacked or even replaced by the home page for no reason. Most websites are attacked because of vulnerabilities in website programs. attackers can gain webshells to gain higher server host permissions. However, the way to obtain WebShell is concentrated on the SQL Injection attack method. What is SQL injection attacks? From the official explanation: When an application uses the input content to construct dynamic SQL statements to access the database, SQL injection attacks will occur. If the Code uses stored procedures, which are passed as strings containing unfiltered user input, SQL injection attacks will also occur. SQL injection may allow attackers to log on to the database using applications to execute commands. This problem can become very serious if applications connect to the database using a privileged account. In other words, SQL injection attacks use vulnerable data access code and allow attackers to execute arbitrary commands in the database. If the application uses unrestricted accounts in the database, attackers can execute queries and commands more freely, resulting in greater threats. It is worth noting that traditional security measures (such as using SSL and IPSec) cannot prevent SQL injection attacks.
 

Common vulnerabilities that make data access code vulnerable to SQL injection attacks include

· Weak input verification

· Dynamically construct SQL statements without using type-safe Parameters

· Log on to a database with excessive privileges

To cope with SQL injection attacks, be sure:

· Restrict and purify input data

· Use type-safe SQL parameters for data access. These parameters can be used together with stored procedures or dynamically constructed SQL command strings. Parameter execution type and length check, and make sure that the code injected into the database is considered as text data (rather than executable statements ).

· Use accounts with limited permissions in the database. Ideally, only the execution permission should be granted to the selected stored procedure in the database, and the direct table access permission is not provided.

· Verify the type, length, format, and range of the input content. Do not accept numeric values if you do not want them. Consider where the input comes from. If it comes from a trusted source and you know that you have performed thorough input verification on the source, you can choose to ignore data verification in the data access code. If data comes from untrusted sources or is used for deep defense, data access methods and components should verify the input.
To sum up.

How to effectively prevent SQL Injection attacks has become the focus of security protection: This article reposted the source of egeneration time E3i5.com

Because ASP is easy to learn and universal, many sites have chosen to use ASP to build their own Web sites. ASP is a script-level programming language, which is VBScript or javascript. More sites use VBScript scripts as the foundation for writing. However, unfortunately, VBScript requires much loose exception capture (Debug) and data type declaration than javascript, with no mandatory requirements, this brings convenience and potential risks. (Due to the habits of Some programmers, when using VBScript to write ASP programs, we often ignore exception capture (Debug) and Data Type declarations) therefore, in terms of preventing WEB injection attacks, it seems "more than enough ". Back to our topic: when talking about SQL Injection, we first came up with a look for Injection points. In many cases, Web injection is based on ASP request objects.

Quote: Example (1): http: // target/index. asp? Id = 10

The first step to prevent SQL injection attacks is to use various security measures to monitor the ASP request object (Request, Request. queryString, Request. form, Request. cookies and requests. serverVariables) to ensure the reliability of SQL commands. Like other ASP request objects (Reques, Request. queryString, Request. form, Request. cookies and requests. serverVariables) user input attack methods are generally concentrated on the expected input variable of the script is a digital variable (ID) (Example 1 ), of course, we can't just look at digital variables: This article reposted the source of egeneration time E3i5.com

Quote: Example (2): http: // target/index. asp? Username = elegant

For example, the variables referenced in example (2) are passed as string variables.
Variables are transmitted by URL in either of the above two ways. First, it is a numeric variable; second, it is a string variable. The SQL Injection vulnerability occurs mainly because of the programmer's negligence and carelessness. If it is not filtered out or not strictly filtered, it will leave it to attackers for attack. The following describes how to prevent them:
· Proactively protect the source of this article from egeneration time E3i5.com
What is proactive protection? Active protection does not filter illegal strings, but actively provides a range of string input to prevent SQL Injection attacks. Many websites start with filtering ASP request objects, and only passively filtering known attack characters. For example, the following program: program block (1)

Quote: function HTMLEncode (Str)
 

Str = replace (Str ,";",";")

Str=server.html encode (Str)

Str = replace (Str ,"","")

Str = replace (Str ,"--","--")

Str = replace (Str ,"","")

Str = replace (Str, vbCrlf ,"
")

HTMLEncode = Str

End function

 

The above program blocks