Because of the ease and ease of use of ASP, more and more Web site daemon programs are using ASP scripting language. However, because the ASP itself has some security vulnerabilities, a little careless will provide the opportunity for hackers. In fact, security is not only a matter of network management, programmers must also be aware of certain security details, develop good safety habits, otherwise it will bring huge security risks to their website. At present, most of the ASP programs on the site have such a security vulnerability, but if you write a program to pay attention to, it can be avoided.
1, username and password cracked
attack principle: User name and password, often the most interesting thing for hackers, if the source code is seen in some way, the consequences are serious.
Prevention Tips: Programs that involve user names and passwords are best encapsulated on the server side, as little as possible in ASP files, and the user name and password associated with the database should be given minimal permissions. The number of times a user name and password can be written in a more hidden file containing files. If you are connected to a database, and in an ideal state only give it permission to execute a stored procedure, do not give the user permission to modify, insert, or delete records directly.
2, validation is bypassed
Attack principle: Now need to verify the ASP program is mostly in the page to add a judgment statement, but this is not enough, there may be hackers bypass the validation of direct access.
Precautions: You need a validated ASP page that tracks the file name of the previous page, and only the session from the previous page can read the page.
3, inc file Leak
Attack principle: When an ASP's home page is being manufactured and no final debugging is completed, some search engine maneuvers can be appended as search objects. If someone uses a search engine to find these pages, they will be able to locate the files and see the details of the database location and structure in the browser, revealing the complete source code.
Defensive Tip: Programmers should thoroughly debug a Web page before it is published, and security experts need to harden the ASP files so that external users cannot see them. The. inc file content is encrypted first, and then the. asp file can be used instead of the. inc file to make it impossible for users to view the source code of the file directly from the browser. The file name of the INC file does not use the system default or has special meaning easily guessed by the user name, try to use the English alphabet without rules.
4, automatic backup is downloaded
Principle of attack: in some tools for editing ASP programs, when creating or modifying an ASP file, the editor automatically creates a backup file. For example: UltraEdit will back up a. bak file, such as you create or modify the some.asp, the editor will automatically generate a call Some.asp.bak file, if you do not delete this Bak file, the attacker can directly download Some.asp.bak file, so some.asp source The order will be downloaded.
Defensive tip: Before uploading a program, check it carefully and delete unnecessary documents. Be especially careful about files that are suffix to bak.
5. Special characters
Attack principle: The input box is a target that the hacker exploits, they can cause damage to the user's client by inputting the scripting language, etc. if the input box involves a data query, they can get more database data, even all of the tables, using special query statements. The input box must therefore be filtered. However, it is possible to bypass the validation of input legality only at the client side to improve efficiency.
Prevention skills: In the processing of similar message boards, BBS, such as input boxes in the ASP program, it is best to shield off HTML, JavaScript, VBScript statements, if no special requirements, you can limit the number of letters and numbers, to block out special characters. The length of the input character is also limited. And not only in the client to enter the legality of the check, but also in the server-side program to do similar checks.
6. Database Download Vulnerability
How it works: When you use Access as a background database, it is dangerous to have someone who knows or guesses the path and database name of the server's Access database in a variety of ways.
Prevention Tips:
(1) Make a complex, unconventional name for your database file name and place it in a few layers of directory. The so-called "unconventional", for example, there is a database to keep the information about the book, but do not give it a "book.mdb" name, but to have a strange name, such as D34ksfslf.mdb, and put it in such as./kdslf/i44/studi/ , so it's even harder for hackers to get your Access database files in a guessing way.
(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:
DBPath = Server.MapPath ("Cmddb.mdb")
Conn. Open driver={microsoft Access Driver (*.mdb)};dbq= & DBPath
If you get a source program, your Access database's name is in a glance. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:
Conn.Open "Shujiyuan"
(3) Use Access to encode and encrypt the database files. First in the "tools → security → encryption/decryption database," Select the database (such as: Employer.mdb), and then press OK, then the "Database encryption Save as" window, can be saved as: "Employer1.mdb."
Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.
Next we encrypt the database, first open the encoded Employer1.mdb, and when it is open, select Exclusive. Then select the function table "tools → security → Set database Password", and then enter the password. So even if someone gets the Employer1.mdb file, he can't see the contents of Employer1.mdb without a password.
7. Prevent remote injection attack
Such attacks should have been a more common form of attack in the past, post attacks, for example, allow an attacker to arbitrarily change the data value to be submitted for the purpose of the attack. Another example: The forgery of COOKIES, which is more worthy of the attention of the program writer or webmaster, do not use COOKIES as a way to authenticate users, Otherwise you and the key to leave the thief is the same reason.
Like what:
If trim (Request. Cookies ("uname")) = "Fqy" and Request.Cookies ("upwd") = "fqy#e3i5.com" Then
... more ..........
End If
I think you webmaster or like to write a program of friends do not make such a mistake, is really unforgivable. How many years have you been faking cookies, you can't blame someone else for running your password. When it comes to user passwords or when users log in, you'd better use session It's the safest. If you want to use cookies to add a message to your cookies, SessionID, its random value is 64 digits, to guess it, impossible. Example:
If not (Rs. BOF or rs.eof) then
Login= "true"
Session ("username" &sessionid) = Username
Session ("Password" & sessionID) = password
' Response.Cookies ("username") = Username
' Response.Cookies ("Password") = Password
Now let's talk about how to protect against remote injection attacks, the general attack is to drag the Tanku commit file to the local, the form action= "chk.asp" point to your server to process the data file. If all your data filters are on a single sheet, then congratulations, you will have been attacked by the script.
How can we stop such a remote attack? Okay, see the code is as follows: Program Body (9)
<%
Server_v1=cstr (Request.ServerVariables ("Http_referer"))
Server_v2=cstr (Request.ServerVariables ("SERVER_NAME"))
If Mid (Server_v1,8,len (SERVER_V2)) <> Server_v2 Then
Response.Write "
Response.Write ""
Response.Write "You submitted the wrong path, prohibit the submission of data from outside the site please do not change the parameters!" "
Response.Write "
"
Response.End
End If
%>
' Personal feeling the above code filtering is not very good, there are some external submission unexpectedly still can come in upright, so write another.
' This is a good filtration effect and is recommended for use.
If InStr (Request.ServerVariables ("Http_referer"), "http://" &request.servervariables ("host") <1 Then Response.Write An error occurred on the server while processing the URL.
If you are using any means to attack the server, then you should be glad that all of your operations have been recorded by the server, we will be the first time to inform the Public Security Bureau and the National Safety department to investigate your IP. "
Response.End
End If
Program Body (9)
I thought this would be all right, add some restrictions on the form page, such as MaxLength, etc... But the weather is so not the case, the more you are afraid of what he is more and more. You don't forget that an attacker could limit the length of the input box in an SQL injection attack. Write a socket program to change the Http_referer? I won't. Published on the internet such an article:
------------Len.reg-----------------
Windows Registry Editor Version 5.00
[hkey_current_user\software\microsoft\internet explorer\menuext\ Extension (&e)]
@= "C:\Documents and settings\administrator\ desktop \len.htm"
"Contexts" =dword:00000004
-----------End----------------------
-----------len.htm------------------
----------End---------------------
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
