Eight rules against ASP Web site vulnerabilities

How to better achieve the prevention of hacker attacks, I mention personal views! First, the free program does not really have a fee, since you can share the original code, then the attacker can analyze the code. If you pay attention to precautions in detail, your site's security will be greatly improved. Even if there is a loophole like sqlinjection, it is impossible for an attacker to take your site immediately.
　　
Due to the ease of use of ASP, more and more Web site background programs are using ASP scripting language. However, because the ASP itself has some security vulnerabilities, a little careless will provide the opportunity for hackers. In fact, security is not only a matter of network management, programmers must also be aware of certain security details, develop good safety habits, otherwise it will bring huge security risks to their website. At present, most of the ASP programs on the site have such a security vulnerability, but if you write a program to pay attention to, it can be avoided
　　
　　 1, user name and password is cracked
　　
Attack principle: User name and password, is often the most interesting thing to hackers, if the source code is seen in some way, the consequences are serious. Prevention Tips: The user name and password procedures are best encapsulated in the server side, as little as possible in the ASP file, involving the database connection with the user name and password should be given the minimum permissions. The number of times a user name and password can be written in a more hidden file containing files. If you are connected to a database, and in an ideal state only give it permission to execute a stored procedure, do not give the user permission to modify, insert, or delete records directly.
　　
　　 2. Verification is bypassed
　　
Attack principle: Now need to verify the ASP program is mostly in the page head plus a judgment statement, but this is not enough, there may be hackers bypass the verification of direct access.
　　
Prevention tips: Need to verify the ASP page, you can track the file name of the previous page, only from the previous page into the session to read this page.
　　
　　 3, inc. file leakage problem
　　
Attack principle: When the ASP's home page is being made and no final debugging is done, it can be added as a search object by some search engine maneuver. If someone uses a search engine to find these pages, they will be able to locate the files and see the details of the database location and structure in the browser, revealing the complete source code.
　　
Precautions: Programmers should thoroughly debug a Web page before it is released; security experts need to harden the ASP files so that external users cannot see them. The. inc file content is encrypted first, and then the. asp file can be used instead of the. inc file to make it impossible for users to view the source code of the file directly from the browser. The file name of the INC file does not use the system default or has special meaning easily guessed by the user name, try to use the English alphabet without rules.
　　
　　 4, automatic backup is downloaded
　　
Principle of attack: in some tools for editing ASP programs, when creating or modifying an ASP file, the editor automatically creates a backup file. For example: UltraEdit will back up a. bak file, such as you create or modify the some.asp, the editor will automatically generate a call Some.asp.bak file, if you do not delete this Bak file, the attacker can directly download Some.asp.bak file, so some.asp source The order will be downloaded.
　　
Defensive tip: Before uploading a program, check it carefully and delete unnecessary documents. Be especially careful about files that are suffix to bak.
　　
　　 5. Special characters
　　
Attack principle: The input box is a target that the hacker exploits, they can cause damage to the user's client by inputting the scripting language, etc. if the input box involves a data query, they can get more database data, even all of the tables, using special query statements. The input box must therefore be filtered. However, it is possible to bypass the validation of input legality only at the client side to improve efficiency.
　　
Prevention skills: In the processing of similar message boards, BBS, such as input boxes in the ASP program, it is best to shield off HTML, JavaScript, VBScript statements, if no special requirements, you can limit the number of letters and numbers, to block out special characters. The length of the input character is also limited. And not only in the client to enter the legality of the check, but also in the server-side program to do similar checks.
　　
　　 6. Database Download Vulnerability
　　
How it works: When you use Access as a background database, it is dangerous to have someone who knows or guesses the path and database name of the server's Access database in a variety of ways.
　　
Prevention Tips:
　　
(1) Make a complex, unconventional name for your database file name and place it in a few layers of directory. The so-called "unconventional", for example, there is a database to keep the information about the book, but do not give it a "book.mdb" name, but to have a strange name, such as D34ksfslf.mdb, and put it in such as./kdslf/i44/studi/ , so it's even harder for hackers to get your Access database files in a guessing way.
　　
(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:
　　
Dbpath=server.mappath ("Cmddb.mdb")
Conn. Open "Driver={microsoftaccessdriver (*.mdb)};dbq=" &dbpath
　　
If you get a source program, your Access database's name is in a glance. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:
　　
Conn.Open "Shujiyuan"
　　
(3) Use Access to encode and encrypt the database files. First in the "tools → security → encryption/decryption database," Select the database (such as: Employer.mdb), and then press OK, then the "Database encryption Save as" window, can be saved as: "Employer1.mdb."
　　
Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.
　　
Next we encrypt the database, first open the encoded Employer1.mdb, and when it is open, select Exclusive. Then select the function table "tools → security → Set database Password", and then enter the password. So even if someone gets the Employer1.mdb file, he can't see the contents of Employer1.mdb without a password.
　　
　　 7. Prevent remote injection attack
　　
Such attacks should have been a more common form of attack in the past, post attacks, for example, allow an attacker to arbitrarily change the data value to be submitted for the purpose of the attack. Another example: The forgery of cookies, which is more worthy of the attention of the program writer or webmaster, do not use cookies as a way to authenticate users, Otherwise you and the key to leave the thief is the same reason.
　　
Like what:
　　
Iftrim (Request.Cookies ("uname")) = "Fqy" andrequest.cookies ("upwd") = "fqy#e3i5.com" Then
... more ..........
Endif
　　
I think you webmaster or like to write a program of friends do not make such a mistake, is really unforgivable. How many years have you been faking cookies, and you can't blame someone else for running your password. When it comes to user passwords or when a user logs in, You'd better use the session it's the safest. If you want to use cookies to add a message to your cookies, SessionID, its random value is 64 digits, it is impossible to guess it. Example: