Security | Network Source: www.cpcw.com
A preface
Microsoft Active Server Pages (ASP) is a server-side scripting environment that you can use to create and run dynamic, interactive WEB server applications. Using ASP, you can combine HTML pages, script commands, and ActiveX components to create interactive Web pages and powerful web-based applications.
Now many websites, especially e-commerce sites, in the foreground most of the ASP to achieve. So far, ASP is very common in Web application.
ASP is the rapid development of Web application tools, but some webmasters only see the rapid development capabilities of ASP, but ignore the ASP security issues. ASP from the beginning has been a number of vulnerabilities, backdoor troubles, including%81 nightmare, Password Authentication problems, IIS vulnerabilities and so on have been the ASP Web site developers have the courage to jump.
This article attempts to open the ASP service operating system vulnerabilities and ASP program itself vulnerabilities, elaborated ASP security problems, and give solutions or suggestions.
Two key words
ASP, network security, IIS,SSL, encryption.
Three ASP working mechanism
Active Server Page technology provides an intuitive, fast, and efficient application development tool for application developers, which greatly improves the development effectiveness. Before discussing the security of ASP, let's look at how the ASP works. ASP scripts are written in plaintext (plain text).
An ASP script is a series of files written in a text format that is composed of a script that mixes with standard HTML pages in a specific syntax (currently supports VBScript and JScript two scripting languages). When end users of a client use a Web browser over the Internet to access an ASP-based application, the Web browser makes an HTTP request to the Web server. When the Web server analyzes and determines that the request is an application of ASP script, it automatically invokes the interpretation run engine (ASP.DLL) of the ASP script through the ISAPI interface. Asp. The DLL will get the specified ASP script file from the file system or internal buffer, and then parse and interpret the execution. The resulting processing results will form HTML-formatted content, which is returned to the Web browser via the Web server "original path", resulting in the final rendering of the results by the Web browser on the client. This completes a full ASP script call. Several organic ASP script calls make up a complete ASP script application.
Let's take a look at the environments that are required to run ASP:
Microsoft Internet Information Server 3.0/4.0/5.0 on NT server
Microsoft Internet information Server 3.0/4.0/5.0 on Win2000
Microsoft Personal Web Server on Windows 95/98
Microsoft IIS with WINDOWS NT Option Pack provides powerful functionality, but IIS is more dangerous in terms of network security. Because very few people will use Windows 95/98 when the server, so this article I more from the NT IIS security issues to explore.
Four Microsoft's self-proclaimed ASP's security benefits
Although our focus here is on ASP vulnerabilities and backdoor, it is necessary to talk about the "advantages" of ASP in Network security, add a "", because sometimes these Microsoft's alleged "advantage" is precisely its security stealth.
Microsoft said the ASP in the network security aspect one big advantage is that the user cannot see the ASP source program, from the ASP principle, the ASP executes and interprets the standard HTML statement in the service side, then passes to the client browser. "Shielding" the source program can be very good maintenance of the copyright of the ASP developers, imagine you have worked hard to do a very good program, to people arbitrary copy, what would you think? And the hacker can analyze your ASP program, pick out the loophole. More importantly, some ASP developers like to write passwords, privileged username and path directly in the program, so that others by guessing the password, guessing the path, it is easy to find the attack system "entrance." But now we have found a lot of vulnerabilities to see the ASP source program, we have to discuss later.
IIS supports virtual directories, which can be managed by the Directory tab in the Server Properties dialog box. Establishing a virtual directory is very important for managing Web sites. The virtual directory hides important information about the site directory structure. Because in the browser, the customer can easily get the file path information of the page by selecting "View Source code", and if the physical path is used on the Web page, it will expose important information about the site directory, which could easily cause the system to be attacked. Second, as long as two machines have the same virtual directory, you can move the Web page from one machine to another without making any changes to the page code. Also, when you place a Web page in a virtual directory, you can set different properties for the directory, such as Read, Excute, Script. Read access represents the delivery of directory content from IIS to the browser. and executing access enables executable files to be executed within that directory. When you need to use ASP, you must set the directory of your. asp files to "Excute". We recommend that when you set up your Web site, placing HTML files in separate directories with ASP files, and then setting HTML subdirectories to read, and setting ASP subdirectories to "execute", not only facilitates web management, but also enhances the security of ASP programs, Prevents the program content from being accessed by the customer.
