Eight rules of Security to prevent ASP Web site Vulnerability intrusion

Source: Internet
Author: User
Tags modify query servervariables sql injection sql injection attack access database client backup
Safety

How to better achieve the prevention of hacker attacks, I mention personal views! First, the free program does not really have a fee, since you can share the original code, then the attacker can analyze the code. If you pay attention to precautions in detail, your site's security will be greatly improved. Even if there are vulnerabilities such as SQL injection, attackers will not be able to take your site immediately. Due to the ease of use of ASP, more and more Web site background programs are using ASP scripting language. However, because the ASP itself has some security vulnerabilities, a little careless will provide the opportunity for hackers. In fact, security is not only a matter of network management, programmers must also be aware of certain security details, develop good safety habits, otherwise it will bring huge security risks to their website. At present, most of the ASP programs on the site have such a security vulnerability, but if you write a program to pay attention to, it can be avoided.

1, user name and password is cracked  

Attack principle: User name and password, is often the most interesting thing to hackers, if the source code is seen in some way, the consequences are serious. Prevention Tips: The user name and password procedures are best encapsulated in the server side, as little as possible in the ASP file, involving the database connection with the user name and password should be given the minimum permissions. The number of times a user name and password can be written in a more hidden file containing files. If you are connected to a database, and in an ideal state only give it permission to execute a stored procedure, do not give the user permission to modify, insert, or delete records directly.

2. Verification is bypassed

Attack principle: Now need to verify the ASP program is mostly in the page head plus a judgment statement, but this is not enough, there may be hackers bypass the verification of direct access.

Prevention tips: Need to verify the ASP page, you can track the file name of the previous page, only from the previous page into the session to read this page.

3, inc. file leakage problem

Attack principle: When the ASP's home page is being made and no final debugging is done, it can be added as a search object by some search engine maneuver. If someone uses a search engine to find these pages, they will be able to locate the files and see the details of the database location and structure in the browser, revealing the complete source code.

Precautions: Programmers should thoroughly debug a Web page before it is released; security experts need to harden the ASP files so that external users cannot see them. The. inc file content is encrypted first, and then the. asp file can be used instead of the. inc file to make it impossible for users to view the source code of the file directly from the browser. The file name of the INC file does not use the system default or has special meaning easily guessed by the user name, try to use the English alphabet without rules.

4, automatic backup is downloaded

Principle of attack: in some tools for editing ASP programs, when creating or modifying an ASP file, the editor automatically creates a backup file. For example: UltraEdit will back up a. bak file, such as you create or modify the some.asp, the editor will automatically generate a call Some.asp.bak file, if you do not delete this Bak file, the attacker can directly download Some.asp.bak file, so some.asp source The order will be downloaded.

Defensive tip: Before uploading a program, check it carefully and delete unnecessary documents. Be especially careful about files that are suffix to bak.

5. Special characters

Attack principle: The input box is a target that the hacker exploits, they can cause damage to the user's client by inputting the scripting language, etc. if the input box involves a data query, they can get more database data, even all of the tables, using special query statements. The input box must therefore be filtered. However, it is possible to bypass the validation of input legality only at the client side to improve efficiency.

Prevention skills: In the processing of similar message boards, BBS, such as input boxes in the ASP program, it is best to shield off HTML, JavaScript, VBScript statements, if no special requirements, you can limit the number of letters and numbers, to block out special characters. The length of the input character is also limited. And not only in the client to enter the legality of the check, but also in the server-side program to do similar checks.

6. Database Download Vulnerability

How it works: When you use Access as a background database, it is dangerous to have someone who knows or guesses the path and database name of the server's Access database in a variety of ways.

Prevention Tips:

(1) Make a complex, unconventional name for your database file name and place it in a few layers of directory. The so-called "unconventional", for example, there is a database to keep the information about the book, but do not give it a "book.mdb" name, but to have a strange name, such as D34ksfslf.mdb, and put it in such as./kdslf/i44/studi/ , so it's even harder for hackers to get your Access database files in a guessing way.

(2) Do not write the database name in the program. Some people like to write DSN in a program, such as:

DBPath = Server.MapPath ("Cmddb.mdb") Conn. Open driver={microsoft Access Driver (*.mdb)};dbq= & DBPath

If you get a source program, your Access database's name is in a glance. Therefore, it is recommended that you set up a data source in ODBC and then write it in the program:

Conn.Open "Shujiyuan"

(3) Use Access to encode and encrypt the database files. Select the database (such as: Employer.mdb) in the tools → security → encrypt/decrypt database, and then press OK, then the "Save as after database Encryption" window appears, which can be saved as:

"Employer1.mdb"

Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file. Next we encrypt the database, first open the encoded Employer1.mdb, and when it is open, select Exclusive. Then select the function table "tools → security → Set database Password", and then enter the password. So even if someone gets the Employer1.mdb file, he can't see the contents of Employer1.mdb without a password.

7. Prevent remote injection attack

Such attacks should have been a more common form of attack before, such as post attacks, where an attacker could arbitrarily alter the data values to be submitted for attack purposes. Another example: the counterfeiting of cookies, which is more worthy of the attention of the program writer or webmaster, do not use COOKIES as a way to authenticate users, otherwise you and the key to the thief is the same reason.

Like what:

If trim (Request. Cookies ("uname")) = "Fqy" and Request.Cookies ("upwd") = "fqy#e3i5.com" Then........more ... End If

I think you webmaster or like to write a program of friends do not make such mistakes, is really unforgivable. How many years has it been forged cookies, and you can't blame someone else for running your password. When it comes to user passwords or when a user logs in, you'd better use the session to be the safest. If you want to use cookies to add a message to your cookies, SessionID, its random value is 64 digits, it is impossible to guess it. Cases:

If not (Rs. BOF or rs.eof) thenlogin= "true" session ("username" &sessionid) = usernamesession ("password" & SessionID) = Password ' Response.Cookies ("username") = Username ' Response.Cookies ("Password") = Password

Let's talk about how to protect against remote injection attacks, the general attack is to drag the Tanku submit files to the local, the form action= "chk.asp" Point to the file in your server that handles the data. If all your data filtering is on a single sheet, then congratulations, you will have been attacked by the script. How do you stop a remote attack like this? Okay, see the code is as follows: Program Body (9)

<%server_v1=cstr (Request.ServerVariables ("Http_referer")) Server_v2=cstr (Request.ServerVariables ("SERVER_NAME") ) If Mid (Server_v1,8,len (SERVER_V2)) <> server_v2 thenresponse.write 

Personal feeling the above code filtering is not very good, there are some external submission unexpectedly still can come in upright, so write another. This is the filter effect is very good, recommended use.

If InStr (Request.ServerVariables ("Http_referer"), "http://" &request.servervariables ("host") <1 Then Response.Write An error occurred on the server while processing the URL. If you are using any means to attack the server, then you should be glad that all of your operations have been recorded by the server, we will be the first time to inform the Public Security Bureau and the National Safety department to investigate your IP. "

I thought this would be all right, add some restrictions on the form page, such as maxlength, etc. ... But the weather is so not the case, the more you are afraid of what he came to. You should not forget that an attacker could break the limit of the length of the input box in a SQL injection attack. Write a socket program to change http_referer? I will not, published such an article online:

------------len.reg-----------------Windows Registry Editor Version 5.00[hkey_current_user\software\microsoft\ Internet explorer\menuext\ Extensions (&e)]@= "C:\Documents and settings\administrator\ Desktop \len.htm" "Contexts" =dword:0 0000004----------- End---------------------------------len.htm----------------------------End-----------------------

Usage: First import the Len.reg into the registry (note the file path) and then copy the len.htm to the specified location in the registry. Open the Web page, the cursor on the input box to change the length of the right button, see more than a call to expand the option of the Click to fix! PostScript: The same can be used to deal with those restrictions on the content of the script. What to do? Our restrictions have been spared, and all our efforts have been wasted? No, raise your de keyboard and say no. Let's go back to the filtering of the script characters, and the injection is nothing more than a script attack. We have all the energy to use the page after the action, in the Chk.asp page, we will all the illegal characters filtered out, the result? We only feint in front, ask them to change.



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.