ASP Network Security Handbook (1)

Source: www.cpcw.com
A preface
Microsoft Active Server Pages (ASP) is a server-side scripting environment that you can use to create and run dynamic, interactive WEB server applications. Using ASP, you can combine HTML pages, script commands, and ActiveX components to create interactive Web pages and powerful web-based applications.
Now many websites, especially e-commerce sites, in the foreground most of the ASP to achieve. So far, ASP is very common in Web application.
ASP is the rapid development of Web application tools, but some webmasters only see the rapid development capabilities of ASP, but ignore the ASP security issues. ASP from the beginning has been a number of vulnerabilities, backdoor troubles, including%81 nightmare, Password Authentication problems, IIS vulnerabilities and so on have been the ASP Web site developers have the courage to jump.
This article attempts to open the ASP service operating system vulnerabilities and ASP program itself vulnerabilities, elaborated ASP security problems, and give solutions or suggestions.
Two key words
ASP, network security, IIS,SSL, encryption.
Three ASP working mechanism
Active Server Page technology provides an intuitive, fast, and efficient application development tool for application developers, which greatly improves the development effectiveness. Before discussing the security of ASP, let's look at how the ASP works. ASP scripts are written in plaintext (plain text).
An ASP script is a series of files written in a text format that is composed of a script that mixes with standard HTML pages in a specific syntax (currently supports VBScript and JScript two scripting languages). When end users of a client use a Web browser over the Internet to access an ASP-based application, the Web browser makes an HTTP request to the Web server. When the Web server analyzes and determines that the request is an application of ASP script, it automatically invokes the interpretation run engine (ASP.DLL) of the ASP script through the ISAPI interface. Asp. The DLL will get the specified ASP script file from the file system or internal buffer, and then parse and interpret the execution. The resulting processing results will form HTML-formatted content, which is returned to the Web browser via the Web server "original path", resulting in the final rendering of the results by the Web browser on the client. This completes a full ASP script call. Several organic ASP script calls make up a complete ASP script application.
Let's take a look at the environments that are required to run ASP:
Microsoft Internet Information Server 3.0/4.0/5.0 on NT server
Microsoft Internet information Server 3.0/4.0/5.0 on Win2000
Microsoft Personal Web Server on Windows 95/98
Microsoft IIS with WINDOWS NT Option Pack provides powerful functionality, but IIS is more dangerous in terms of network security. Because very few people will use Windows 95/98 when the server, so this article I more from the NT IIS security issues to explore.