Microsoft Active Server Pages (ASP) is a server-side scripting environment that allows you to create and run dynamic, interactive web server applications. Using ASP, you can combine HTML pages, script commands, and ActiveX components to create interactive web pages and powerful web-based applications.
At present, many websites, especially e-commerce websites, are implemented mostly with ASP at the front end, so ASP is now widely used in website applications.
ASP is a tool for rapidly developing website applications, but some website administrators see only ASP's rapid development capabilities and overlook ASP's security issues. ASP has been plagued by many vulnerabilities and backdoors since the beginning, including the %81 nightmare, password verification issues, IIS vulnerabilities, and so on, which have always kept ASP website developers on edge.
This article attempts to describe ASP security issues, covering both vulnerabilities in the operating system that hosts the ASP service and vulnerabilities in ASP programs themselves, and to provide solutions or suggestions.
ASP Working Mechanism
Active Server Pages technology gives application developers an intuitive, fast, and efficient script-based way to build applications and greatly improves development efficiency. Before discussing ASP security issues, let's look at how ASP works. ASP scripts are written in plain text.
An ASP script is a text file made up of script written in a scripting language with a specific syntax (VBScript and JScript are currently supported), mixed with standard HTML. When an end user uses a web browser to access an ASP-based application over the Internet, the browser sends an HTTP request to the web server. After the web server analyzes the request and determines that it is for an ASP script, it automatically calls the ASP script engine (asp.dll) through the ISAPI interface. asp.dll obtains the specified ASP script file from the file system or from an internal buffer, then parses and interprets it. The result of this processing is HTML content, which is returned through the web server along the original path to the web browser, where it is rendered as the final result. This completes one full ASP script call. A number of related ASP script calls together make up a complete ASP script application.
Let's take a look at the environments required to run ASP:
Microsoft Internet Information Server 3.0/4.0/5.0 on NT Server
Microsoft Internet Information Server 3.0/4.0/5.0 on Windows 2000
Microsoft Personal Web Server on Windows 95/98
The Microsoft IIS shipped in the Windows NT Option Pack provides powerful functions, but IIS is also dangerous from a network security standpoint. Because Windows 95/98 is rarely used as a server, this article mainly discusses IIS security issues on NT.
Security advantages of ASP claimed by Microsoft
Although this article focuses on ASP vulnerabilities and backdoors, it is necessary to talk about ASP's "advantages" in network security. The quotation marks are there because the "advantages" claimed by Microsoft are sometimes precisely its security weaknesses. One of the major network security advantages Microsoft claims is that users cannot see the source program of an ASP page: by design, ASP is executed on the server and interpreted into standard HTML statements, which are then sent to the client browser. "Shielding" the source program protects the copyright of ASP developers. Imagine you had worked hard to develop a very good program: how would you feel if its source were visible to anyone? Moreover, hackers can analyze your ASP program and pick out vulnerabilities. More importantly, some ASP developers like to write passwords, privileged user names, and paths directly in the program, so that others can guess passwords and paths from the source and easily find an "entrance" for attacking the system. However, there are many vulnerabilities through which ASP source programs can be viewed; they are discussed later.
IIS supports virtual directories. You can manage virtual directories through the "Directory" tab in the "Server Properties" dialog box. Creating virtual directories is of great significance for managing a web site. First, a virtual directory hides important information about the site's directory structure. In a browser, anyone can easily obtain the file path information of a page by selecting "View Source". If physical paths are used in web pages, important information about the site's directories is exposed, which can easily lead to an attack. Second, as long as two machines have the same virtual directories, you can move web pages from one machine to the other without making any changes. Also, once web pages are placed in a virtual directory, you can set different attributes on the directory, such as Read, Execute, and Script. Read access means that the directory content is passed from IIS to the browser. Execute access allows executable files in the directory to be run. When you need to use ASP, you must set the directory that holds your .asp files to "Execute".
When setting up a web site, we recommend that you separate HTML files from ASP files and place them in different directories. Set the HTML subdirectory to "Read" and the ASP subdirectory to "Execute". This not only makes the site easier to manage but, most importantly, improves ASP program security and prevents the program content from being accessed by clients.
ASP Vulnerability Analysis and Solution
Some people say that a computer with no contact with the outside world is the safest computer, and that a computer that closes all ports and provides no services is also the safest. Hackers often use open ports to launch attacks. The most common attack is DDoS (denial-of-service attack). Below I will list more than 20 ASP vulnerabilities, each with a description and a solution.
1. Adding a special symbol after the ASP program name reveals the ASP source program
Affected versions:
Win95 + PWS
IIS 3.0
Win98 + PWS 4 does not have this vulnerability.
IIS 4.0 and later versions do not have this vulnerability.
Problem description:
These special symbols include the dot (.), %81, and ::$DATA. For example:
http://someurl/somepage.asp.
http://someurl/somepage.asp%81
http://someurl/somepage.asp::$DATA
http://someurl/somepage.asp%2e
http://someurl/somepage%2e%41sp
http://someurl/somepage%2e%asp
http://someurl/MSADC/samples/selector/Showcode.asp?source=/MSADC/samples/.../../boot.ini (with this one you can see the content of the boot.ini file)
On servers running IIS 3.0 or Win95 + PWS, the source program of somepage.asp can easily be seen in the browser. What exactly causes this terrible vulnerability? The root cause lies in a peculiarity of the file system specific to Windows NT. Anyone with a little background knows that NT provides a file system completely different from FAT: NTFS, the New Technology File System. It gives NT a strong security mechanism, but it is also the source of many headaches. As you may not know, NTFS supports multiple data streams within a single file, and the main data stream, which contains all the content, is called "DATA". Being able to address this NTFS feature directly from the browser makes it possible to capture the script program in the file with ease. However, the direct cause of the ::$DATA problem is that IIS fails when parsing the file name: it does not properly canonicalize the file name.
Solution and suggestions:
If you are a Windows NT user, install IIS 4.0 or IIS 5.0; Windows 2000 does not have this problem. If you are a Win95 user, install Win98 and PWS 4.0.
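The request forms listed above all reach a script file under a name that does not literally end in the script extension, so they can be found in request logs by canonicalizing the last path segment first. The following Python sketch is an added example, not code from the original article; the function names, the extension list and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote_to_bytes

SCRIPT_EXTS = (b".asp", b".asa")   # assumption: extensions mapped to the script engine

def disclosure_reasons(raw_path):
    """Explain why a raw request path reaches a script file under a disguised name."""
    segment = raw_path.split("?", 1)[0].rsplit("/", 1)[-1]
    name = unquote_to_bytes(segment).lower()
    reasons = []
    if b":" in name:                                  # NTFS stream syntax name:stream:$TYPE
        reasons.append("ntfs-stream")
    if any(b < 0x20 or b > 0x7E for b in name):       # stray byte such as %81
        reasons.append("non-ascii-byte")
    if name != name.rstrip(b". "):                    # Win32 drops trailing dots and spaces
        reasons.append("trailing-dot")
    if name.endswith(SCRIPT_EXTS) and not segment.lower().encode().endswith(SCRIPT_EXTS):
        reasons.append("encoded-extension")           # extension only visible after decoding
    # Canonical name: default stream only, printable ASCII, no trailing dots or spaces.
    canonical = bytes(b for b in name.split(b":", 1)[0] if 0x20 <= b <= 0x7E)
    canonical = canonical.rstrip(b". ")
    # Report only when the file actually addressed is a script.
    return reasons if canonical.endswith(SCRIPT_EXTS) else []

# Constructed sample requests, modelled on the URL forms listed in the article.
SAMPLE_REQUESTS = [
    "/somepage.asp",
    "/somepage.asp.",
    "/somepage.asp%81",
    "/somepage.asp::$DATA",
    "/somepage.asp%2e",
    "/somepage%2e%41sp",
    "/default.htm.",
]

def flag_requests(paths):
    """Map each suspicious path to its reasons; clean paths are omitted."""
    return {p: r for p in paths if (r := disclosure_reasons(p))}

if __name__ == "__main__":
    for path, why in flag_requests(SAMPLE_REQUESTS).items():
        print(f"{path:24} {', '.join(why)}")
```

The same canonicalize-then-compare rule can be used as a request filter in front of an old server: reject any request for which the function returns a non-empty list.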
2. Access MDB database download vulnerability
Problem description:
When Access is used as the back-end database, if someone learns or guesses the path and name of the Access database on the server by whatever means, they can download the Access database file, which is very dangerous.
For example, if your Access database book.mdb is stored in the database directory under the virtual directory, someone only has to enter the following in a browser:
http://someurl/database/book.mdb
If your book.mdb database has not been encrypted in advance, all the important data in book.mdb falls into other people's hands.
Solution:
(1) Give your database file a complex, unconventional name and put it several directories deep. "Unconventional" means, for example, that a database storing information about books should not be called book.mdb but given an odd name such as d34ksfslf.mdb, and placed in a directory such as ./kdslf/i44/studi/. It then becomes much harder for a hacker to obtain your Access database file by guessing.
(2) Do not write the database name in the program. Some people like to write the DSN in the program, such as:
dbpath = Server.MapPath("analytic dB.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
If someone obtains the source program, the name of your Access database is visible at a glance. Therefore, we recommend that you set up a data source in ODBC and write conn.Open "shujiyuan" in the program.
(3) Use Access to encode and encrypt the database file. First choose "Tools" > "Security" > "Encrypt/Decrypt Database", select the database (for example, employer.mdb), and click OK. An "Encrypt Database As" window then appears; save the database as employer1.mdb. employer.mdb is then encoded and stored as employer1.mdb.
Note that the steps above do not set a password on the database; they only encode the database file, to prevent others from using other tools to view its contents.
Next, we encrypt the database. First open the encoded employer1.mdb, choosing "Exclusive" mode when opening it. Then choose "Tools" > "Security" > "Set Database Password" from the menu and enter the password. Once a password has been set for employer1.mdb, Access asks for the password before it opens the database file again. In the ASP program, however, the PWD parameter must be added to the connection object's Open method, for example:
param = "driver={Microsoft Access Driver (*.mdb)};PWD=yfdsfs"
param = param & ";DBQ=" & Server.MapPath("employer1.mdb")
conn.Open param
In this way, even if someone else obtains the employer1.mdb file, they cannot see the contents of employer1.mdb without the password.
3. code.asp files may leak ASP code
Problem description:
For example, among the ASP 1.0 samples provided by Microsoft there is an .asp file specifically for viewing the source code of other .asp files. The file is aspsamp/samples/code.asp. If someone uploads this program to the server and the server takes no precautions, they can easily view other people's programs. For example:
code.asp?source=/directory/file.asp
However, this is a fairly old vulnerability, and it is believed that it now rarely occurs.
The following command is relatively new:
Http: // someurl/iissamples/ExAir/... n/soushuo. asp = xxx.
SP
The biggest harm is that .asa files can be read in the above way, exposing the database password to hackers in plaintext.
Solution or suggestion:
Delete the sample ASP programs that ship with IIS for showing ASP source code, or disable access to their directory.
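Sections 2 and 3 both come down to files under the web root that should not be there: downloadable Access databases, the sample source viewers, and scripts with the database name or password written into them. The following Python sketch is an added example, not part of the original article; it audits a local copy of a web root, and the function names, finding texts and demonstration directory layout are constructed.

```python
import os
import re
import tempfile

SAMPLE_VIEWERS = {"code.asp", "showcode.asp"}   # source viewers named in the article
HARDCODED = re.compile(r"\.mdb\b|\bPWD\s*=", re.IGNORECASE)

def audit_webroot(root):
    """Return sorted (relative_path, finding) pairs for a local copy of a web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = fname.lower()
            if lower.endswith(".mdb"):
                findings.append((rel, "database file reachable by URL"))
            elif lower in SAMPLE_VIEWERS:
                findings.append((rel, "sample script that shows ASP source"))
            elif lower.endswith((".asp", ".asa")):
                # latin-1 decodes any byte sequence, so legacy code pages do not fail
                with open(full, encoding="latin-1") as fh:
                    if HARDCODED.search(fh.read()):
                        findings.append((rel, "hard-coded database name or password"))
    return sorted(findings)

def build_demo_root():
    """Create a small constructed web root in a temporary directory."""
    files = {
        "index.htm": "<html></html>",
        "database/book.mdb": "",
        "aspsamp/samples/code.asp": "",
        "list.asp": 'conn.Open "driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath',
        "order.asp": 'conn.Open "shujiyuan"',
    }
    root = tempfile.mkdtemp()
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="latin-1") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    for rel, finding in audit_webroot(build_demo_root()):
        print(f"{rel:28} {finding}")
```

In the demonstration, order.asp passes because it opens the connection by data source name only, as solution (2) recommends.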
4. The FileSystemObject component can tamper with and download any file on a FAT partition
Problem description:
In IIS 3 and IIS 4, all ASP file operations can be performed through FileSystemObject, including reading and writing text files, directory operations, and copying, renaming, and deleting files. But this powerful capability also leaves a very dangerous "backdoor": FileSystemObject can be used to tamper with or download any file on a FAT partition. Even on an NTFS partition, files can be damaged in the same way if permissions are not set properly, and a moment's carelessness can bring disaster. Unfortunately, many webmasters only know how to get the web server running and seldom set NTFS permissions, and the default NT directory permissions are frighteningly insecure. Therefore, if you are a webmaster, I suggest you pay close attention to the server settings: put the web directory on an NTFS partition whenever possible, and do not grant Everyone Full Control on directories. Even members of the Administrators group generally do not need Full Control; Read and Change permissions are sufficient. You can also delete or rename the FileSystemObject component.
5. Entering standard HTML or JavaScript statements changes the output
Problem description:
What happens when standard HTML statements are entered in an input box?
For example, in a guestbook, we enter:
Hello!
If HTML statements are not blocked in your ASP program, the font size of "Hello" is changed. Being able to change the font size and style in a guestbook is not necessarily a bad thing, and can even make the guestbook livelier. However, if an endless JavaScript loop is entered in the input box, for example: ultra-large news
then as soon as another visitor moves the mouse over "ultra-large news", the browser hangs and dies.
Solution and suggestions:
When writing such programs, you should guard against this kind of input. For example, you can write a routine that checks the client's input and blocks all HTML and JavaScript