Asp.net Website Security Summary

Source: Internet
Author: User
Tags: web, database

The following uses ASP.NET as an example.

1. SQL injection vulnerability.

Solution: use stored procedures, and never build SQL by splicing user input into strings. A simple improvement is to use the SqlHelper and OleDbHelper classes, which pass values as parameters.

2. Cross-site scripting (XSS)

Solution: apply the policy "denied by default, explicitly allowed". Values submitted by the client (for example through Request.Form) must be checked on the server: do not accept HTML tags as-is, but convert characters such as < and > into &lt; and &gt;.
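An added example, not code from the original post, of the "denied by default, explicitly allowed" policy applied to output that came from the client (Request.Form values, query strings, user-filled database fields). The helper class name and the two allowed tags (b, i) are assumptions for illustration.

```csharp
// Added example, not code from the original post. Demonstrates the
// "denied by default, explicitly allowed" policy from point 2 for output
// that came from the client. The tag allow list (<b>, <i>) is an assumption.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class OutputSafety
{
    // Default rule: everything the client sent is text, never markup.
    // "<script>" becomes "&lt;script&gt;" and is displayed literally.
    public static string Encode(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput ?? string.Empty);
    }

    // Explicit allow: only the exact encoded forms of <b>, </b>, <i>, </i>
    // are turned back into tags. Attributes cannot sneak in, because the
    // pattern matches nothing between the tag name and "&gt;".
    private static readonly Regex AllowedTags =
        new Regex(@"&lt;(/?)(b|i)&gt;", RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string EncodeAllowingBasicTags(string userInput)
    {
        string encoded = Encode(userInput);
        return AllowedTags.Replace(encoded,
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
    }

    // A value placed inside an HTML attribute needs the attribute encoder,
    // not the body-text encoder.
    public static string EncodeForAttribute(string userInput)
    {
        return HttpUtility.HtmlAttributeEncode(userInput ?? string.Empty);
    }
}

// Typical use in a page:
//   lblComment.Text = OutputSafety.Encode(Request.Form["comment"]);
```

Encoding at output time is the part that protects the page regardless of where the data came from; ASP.NET's built-in request validation (ValidateRequest, on by default in Web Forms) is only an extra input-side guard and should not be relied on alone.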

3. Upload vulnerability

Solution: remove execute permission from the upload directory and grant read permission only. In addition, reject illegal file types: not only .aspx files, but also .htm and .html files should not be uploaded and saved directly.

4. Database connection account. Use the account with the lowest privileges possible; never grant it administrator permissions.

If an attacker learns the database password and the account has administrative rights, they can execute any system command, for example xp_cmdshell 'dir c:\'. Likewise:
tasklist
taskkill
pslist
pskill
net user
net user guest /active:yes
net user hack /add
net user hack /del
net localgroup administrators hack /add
query user
logoff 1
Are these commands terrible? Haha. Therefore, do not give the web application's database connection account administrative permissions.

5. User login. Do not store the user identity in plain text in a cookie and use that to decide whether the user is logged in, because cookies can be modified. See the video tutorial on modifying a cookie with NC and HttpWatch to impersonate another user. Microsoft Forms Authentication together with roles is generally sufficient.
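An added example, not code from the original post, contrasting the plain-text login cookie that point 5 warns against with ASP.NET Forms Authentication and the role provider. The page class name, the "username" cookie name and the "Editor" role are assumptions for illustration.

```csharp
// Added example, not code from the original post. Contrasts a plain-text
// login cookie with Forms Authentication. The class name, the "username"
// cookie and the "Editor" role are assumptions.
using System;
using System.Web;
using System.Web.Security;

public partial class LoginPage : System.Web.UI.Page
{
    // Vulnerable pattern: the cookie value IS the identity. Anyone can edit
    // "username=alice" into "username=admin" in their browser or a proxy.
    private static string CurrentUserUnsafe(HttpRequest request)
    {
        HttpCookie c = request.Cookies["username"];
        return c == null ? null : c.Value;
    }

    // Recommended: after the password check succeeds, let Forms Authentication
    // issue the cookie. Its ticket is encrypted and signed with the machineKey,
    // so an edited cookie fails validation and the request becomes anonymous.
    // Requires <authentication mode="Forms"> in web.config.
    protected void OnLoginSucceeded(string userName, bool persistent)
    {
        FormsAuthentication.SetAuthCookie(userName, persistent);
    }

    // Read the identity only from the validated ticket, never from a raw cookie.
    protected string CurrentUser()
    {
        return User.Identity.IsAuthenticated ? User.Identity.Name : null;
    }

    // Authorization: ask the role provider, not a client-editable flag like "isadmin=1".
    // Requires <roleManager enabled="true"> in web.config.
    protected bool CanEditNews()
    {
        return User.Identity.IsAuthenticated && Roles.IsUserInRole("Editor");
    }

    protected void btnLogout_Click(object sender, EventArgs e)
    {
        FormsAuthentication.SignOut();
    }
}
```

Pair this with <httpCookies httpOnlyCookies="true" requireSSL="true" /> in web.config so the authentication cookie cannot be read by script or sent over plain HTTP.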

6. If the website program reads or writes files, be careful, because read operations may be exploited by attackers. For example, an ASPX page that displays images could be pointed at web.config and read it, or a template-based page-generation function could be used to write a Trojan.
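An added example, not code from the original post, serving both point 3 (an explicit allow list for uploads) and point 6 (an image-viewing page that must not be pointed at web.config or any other file outside its directory). The directory name, extension list and method names are assumptions.

```csharp
// Added example, not code from the original post. Serves points 3 and 6:
// an allow list for uploads and a containment check for a "view image" page.
// The directory, extension list and method names are assumptions.
using System;
using System.Collections.Generic;
using System.IO;

public static class FileAccessGuard
{
    // Explicit allow list: anything else (.aspx, .asp, .htm, .html, .config, ...)
    // is rejected. Safer than a block list that forgets one case.
    private static readonly HashSet<string> AllowedExtensions =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { ".jpg", ".jpeg", ".png", ".gif" };

    // Returns the name to store an upload under, or null to reject it.
    // The client-supplied name is never reused: only its extension survives.
    public static string SafeUploadName(string clientFileName)
    {
        if (string.IsNullOrWhiteSpace(clientFileName)) return null;
        string ext = Path.GetExtension(Path.GetFileName(clientFileName));
        if (!AllowedExtensions.Contains(ext)) return null;
        return Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
    }

    // Resolves a requested image against the images directory and refuses
    // anything that escapes it ("..\web.config", an absolute path) or that
    // is not an image. Returns the full path, or null.
    public static string ResolveImagePath(string imageRoot, string requested)
    {
        if (string.IsNullOrWhiteSpace(requested)) return null;
        string root = Path.GetFullPath(imageRoot)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        // Path.Combine returns the second argument unchanged when it is rooted,
        // so the StartsWith check below is what actually enforces containment.
        string candidate = Path.GetFullPath(Path.Combine(root, requested));
        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase)) return null;
        if (!AllowedExtensions.Contains(Path.GetExtension(candidate))) return null;
        return File.Exists(candidate) ? candidate : null;
    }
}

// In the upload page:
//   string stored = FileAccessGuard.SafeUploadName(fuImage.FileName);
//   if (stored == null) { /* reject the upload */ }
//   else fuImage.SaveAs(Path.Combine(Server.MapPath("~/upload"), stored));
// In ViewImage.aspx:
//   string path = FileAccessGuard.ResolveImagePath(Server.MapPath("~/upload"), Request["f"]);
//   if (path == null) { Response.StatusCode = 404; return; }
```

The code check complements, rather than replaces, the directory permissions from point 3: even if a script file did land in the upload folder, it must not be executable there, and the application pool identity should have write access to that folder only.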

7. Make full use of verification codes (CAPTCHAs). Wherever a user logs in, posts comments, or could otherwise submit spam, require a verification code, and make sure it is a secure one, in order to prevent brute-force password cracking and to keep the website from filling up with junk data.
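An added example, not code from the original post, of the server side of a verification code for point 7: the answer lives only in the session, every attempt consumes it, and failures are counted so the login page can slow down repeated guessing. Drawing the code as an image is left to the page; the class and session key names are assumptions.

```csharp
// Added example, not code from the original post. Server-side handling of a
// verification code: single use, answer never sent to the client, failures
// counted. The class and session key names are assumptions.
using System;
using System.Security.Cryptography;
using System.Web.SessionState;

public static class CaptchaCheck
{
    private const string AnswerKey = "captcha.answer";
    private const string FailuresKey = "captcha.failures";
    // 32 symbols without 0/O and 1/I; 256 % 32 == 0, so "byte % 32" is unbiased.
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";

    // Creates a fresh answer for this session and returns it for rendering as an image.
    public static string Issue(HttpSessionState session, int length = 5)
    {
        var bytes = new byte[length];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(bytes);
        var chars = new char[length];
        for (int i = 0; i < length; i++) chars[i] = Alphabet[bytes[i] % Alphabet.Length];
        string answer = new string(chars);
        session[AnswerKey] = answer;
        return answer;
    }

    // True only when the submitted text matches the code issued for this session.
    // The stored answer is removed before comparing, so a wrong guess cannot be
    // retried against the same image and a right one cannot be replayed.
    public static bool Verify(HttpSessionState session, string submitted)
    {
        string expected = session[AnswerKey] as string;
        session.Remove(AnswerKey);
        if (expected == null || string.IsNullOrWhiteSpace(submitted))
        {
            RecordFailure(session);
            return false;
        }
        bool ok = string.Equals(expected, submitted.Trim(), StringComparison.OrdinalIgnoreCase);
        if (ok) session.Remove(FailuresKey); else RecordFailure(session);
        return ok;
    }

    // Number of consecutive failures in this session; the login page can add a
    // delay or refuse further attempts once this passes a threshold.
    public static int Failures(HttpSessionState session)
    {
        object v = session[FailuresKey];
        return v is int ? (int)v : 0;
    }

    private static void RecordFailure(HttpSessionState session)
    {
        session[FailuresKey] = Failures(session) + 1;
    }
}

// In the login page: if (!CaptchaCheck.Verify(Session, txtCode.Text)) { /* redraw, refuse */ }
```

A per-session counter alone is weak, since a client can simply discard its session cookie; count failed logins per account and per source address as well before deciding to slow down or lock out.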

8. Code must be rigorous: any modification of user data must be tied to the user who owns it. For example, "UPDATE News SET Title = 'new title' WHERE id = <news id>" should carry an additional condition "AND userid = <user id>", which prevents one person from modifying other people's news.
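An added example, not code from the original post, that serves point 1 (no string splicing; parameters or a stored procedure) and point 8 (an update must be tied to the owning user) in one place. The table News(Id, Title, UserId) and the procedure dbo.UpdateNewsTitle are assumptions for illustration.

```csharp
// Added example, not code from the original post. Serves point 1 and point 8.
// Table News(Id, Title, UserId) and procedure dbo.UpdateNewsTitle are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class NewsRepository
{
    // The splicing pattern point 1 warns against: title and id become part of
    // the SQL text, so a title containing a single quote ends the string early
    // and whatever follows it runs as SQL.
    public static int UpdateTitleUnsafe(SqlConnection conn, string newsId, string title)
    {
        string sql = "UPDATE News SET Title = '" + title + "' WHERE Id = " + newsId;
        using (var cmd = new SqlCommand(sql, conn))
            return cmd.ExecuteNonQuery();
    }

    // Fixed: values travel as typed parameters, separate from the SQL text, so they
    // can never change its structure. "AND UserId = @UserId" is point 8: only the
    // owner's row can match. currentUserId must come from the validated identity
    // (point 5), never from a form field or cookie.
    public static int UpdateTitle(SqlConnection conn, int newsId, int currentUserId, string title)
    {
        const string sql =
            "UPDATE News SET Title = @Title WHERE Id = @Id AND UserId = @UserId";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = title;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = newsId;
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = currentUserId;
            // 0 rows means: no such item, or not owned by this user. Treat it as a refusal.
            return cmd.ExecuteNonQuery();
        }
    }

    // The same update through a stored procedure, the post's first recommendation.
    // Assumed signature: dbo.UpdateNewsTitle(@Id int, @UserId int, @Title nvarchar(200)).
    public static int UpdateTitleViaProcedure(SqlConnection conn, int newsId, int currentUserId, string title)
    {
        using (var cmd = new SqlCommand("dbo.UpdateNewsTitle", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = newsId;
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = currentUserId;
            cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 200).Value = title;
            return cmd.ExecuteNonQuery();
        }
    }
}
```

With the stored-procedure approach, point 4 follows naturally: the web application's database login only needs EXECUTE on the procedures it calls, not table-level rights and certainly not server administration.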

9. Turn off detailed error display in web.config (inside <system.web>): <customErrors mode="RemoteOnly" defaultRedirect="404.aspx"></customErrors>

The above are program-level security issues, written down as they came to mind, in no systematic order.

Server security issues are also worth mentioning.

1. Enable Windows Firewall and close unused ports. This is the most important point: the fewer services you expose, the more secure the server.

2. Set a strong password of sufficient complexity and change it periodically. Do not give the password to anyone else, including the IDC (data center) administrator. If you must give it to IDC staff, tell them that the password will be changed immediately after they have finished using it.

3. Install an ARP firewall. ARP viruses are common in IDCs. If an ARP virus is active, visitors may be unable to browse the website and Trojans may be injected into its traffic; in severe cases the whole website, or the whole data center, loses connectivity.

4. Install anti-virus software properly (Norton, McAfee).

5. Disable unused services in IIS, such as ASP support, and disable services like FTP, SMTP and POP3. Change the website's root directory away from the default and set directory permissions.

6. Different attacks call for different countermeasures, such as CC attacks. Once, five machines with consecutive IP addresses in Shenzhen launched a CC attack on one of my video sites, making the site very slow to open. At first we did not know it was under attack; I thought the program had vulnerabilities and kept looking for program problems. Later, through the server security management software, it was found that these IP addresses were the cause. The "Local Security Policy" method, one of several methods webmasters use to block IP access, blocked these five IP addresses, after which the server returned to normal and the website regained its previous speed.

Common commands: iisapp -a, netstat -nao, tasklist, and telnet <address> <port>

7. Do not use the default port for remote management software. Even if the password cannot realistically be brute-forced or guessed, there will always be idle attempts, which fill the logs with junk. After the port is changed, nobody tries to crack the password, because they do not know which port it is. On the same subject: if unused services are disabled, what about the services the server does need? If it must be started, it must be started, but access can still be limited. For example, if my SMTP service is only used by the local machine, I block port 25 in the firewall; if my SQL Server is only used by the local machine, I also block port 1433 in the firewall. Then the database cannot be connected to from outside, and there is no brute-force password cracking. Windows Firewall can also open a port for a single IP address only; it is fairly powerful.

I have said a lot above and hope it helps webmasters and programmers. You are welcome to add QQ 4111852 to talk.

Finally, let's talk about how to deal with the problem once the site has been compromised:

1. Back up the database and other data.

2. Delete all programs, including directories, to make sure no file with a backdoor is left behind.

3. If possible, check the server's security to make sure no backdoor has been created on the server itself, such as an extra administrator account or an installed backdoor Trojan. If one has, fixing your program is useless, because the intruder can modify your program again at any time.

4. Upload a static file test.html under another website user on the server and check whether it gets a Trojan injected, to rule out network-level problems.

5. If step 4 shows no network problem, check whether the files are infected with a Trojan: delete all programs, upload your own clean backup, restore the data, and check the database to make sure the Trojan is not stored in the database.

6. Check the IIS logs to see who has logged in to the admin backend. For details, see the IIS log analysis video tutorial.

My thoughts are a bit scattered; have a look anyway.
