Security | Security Design
When I was just starting out writing programs, the Internet was full of stories of hackers attacking websites. I was still a rookie then, and as a webmaster I suffered for it. Some of the experience below may not be very high-tech, but if you underestimate it,
it can be a terrible death.
1. SQL injection vulnerability. I think some of you have already seen introductions to this on various websites; if so, please keep reading. If you don't understand it, stay.
Recently a brother who had "developed a large commercial platform ..." showed me his site (please don't throw anything at me).
His site design didn't feel bad at all. But it had a fatal weakness.
When I entered
User name: admin
Password: ' or ' = '
I could go straight into his system, though without admin permissions (one miscalculation on my part!).
Still, this reveals a problem: a system should never be designed so that someone can enter a personal account without knowing the password,
yet that is exactly what happened. What's the reason?
The usual user check looks like this:
' Vulnerable: name and pass are pasted straight into the SQL text
Rs.Open "SELECT * from UserData where name='" & name & "' and pass='" & pass & "'"
Everyone knows how to use this statement.
But if you substitute the username and password I just entered,
the SQL statement becomes
Rs.Open "SELECT * from UserData where name='admin' and pass='' or ' = ''"
Everyone can see what is going on here: the condition after the "or" is always true.
The solution is to "convert" the user input before it goes into the statement.
If you think all an attacker can do is get into an account, you are wrong.
If the username is anything at all and the password is
' or ' = ';delete * from userdata where ' = '
think about what the merged statement does ~~~. There are even more malicious ones that I won't write online.
Sadly, of the ASP sites I have looked at on the Web, 70% have this kind of hole. I don't know whether the quality is just that poor or whether my
"luck" is too good.
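As an added illustration (not code from the original post), here is the same login check transliterated to Python with SQLite. It uses a tautology password of the shape the post describes, written here as ' or ''=' so that the resulting SQL parses, and contrasts the concatenated query with the "convert" fix (doubling quotes, as Replace(x, "'", "''") would in VBScript) and with a parameterized query. The table and accounts are constructed sample data.

```python
import sqlite3

# Constructed stand-in for the post's UserData table (sample data, not real accounts).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE UserData (name TEXT, pass TEXT, role TEXT)")
conn.executemany(
    "INSERT INTO UserData VALUES (?, ?, ?)",
    [("admin", "correct-horse", "admin"), ("alice", "alice-pw", "user")],
)
conn.commit()

# Tautology password of the kind the post describes, written so the SQL parses.
# Inside the quotes it yields  pass='' or ''=''  which is true for every row.
TAUTOLOGY_PASSWORD = "' or ''='"


def login_vulnerable(name, pw):
    """Same construction as the post's Rs.Open line: input pasted into SQL text."""
    sql = ("SELECT name, role FROM UserData WHERE name='" + name
           + "' AND pass='" + pw + "'")
    return conn.execute(sql).fetchall()


def login_escaped(name, pw):
    """The 'convert' fix of the post's era: double every single quote before
    concatenating, so the attacker's quote closes nothing."""
    name, pw = name.replace("'", "''"), pw.replace("'", "''")
    sql = ("SELECT name, role FROM UserData WHERE name='" + name
           + "' AND pass='" + pw + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(name, pw):
    """The preferred fix: the driver binds the values, so quotes stay data."""
    sql = "SELECT name, role FROM UserData WHERE name=? AND pass=?"
    return conn.execute(sql, (name, pw)).fetchall()


if __name__ == "__main__":
    # The vulnerable version returns every row; the other two return nothing.
    for fn in (login_vulnerable, login_escaped, login_parameterized):
        print(fn.__name__, fn("admin", TAUTOLOGY_PASSWORD))
```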
--------------------------------------
Message board and information release
This one is a little less serious than the above; at least you get to keep your data.
Message boards are generally designed directly in this mode:
Save: Rs("memo") = the information submitted from the form
Fetch: <%=rs("memo")%>
It feels like there is nothing wrong with this.
But if I enter the following code on the message page ~
<script language="JavaScript">while (true) { window.open("[address where the bomb page is hosted]/bomb.htm", "", "fullscreen=yes,status=no,scrollbars=no,resizable=no"); }</script>
I don't know whether you will find that very "cool" ~~~.
Or the script could link to a porn site, and a call to the relevant department to check on you would get you killed.
Even when you open the news page, it fires right away and you can't even see his message.
This is when the following function comes into play.
Function HTMLEncode(fString)
    If Not IsNull(fString) Then
        ' Ampersand must be handled first so the entities added below are not re-encoded
        fString = Replace(fString, "&", "&amp;")
        fString = Replace(fString, ">", "&gt;")
        fString = Replace(fString, "<", "&lt;")
        fString = Replace(fString, CHR(32), "&nbsp;")
        fString = Replace(fString, CHR(9), "&nbsp;")
        fString = Replace(fString, CHR(34), "&quot;")
        fString = Replace(fString, CHR(39), "&#39;")
        fString = Replace(fString, CHR(13), "")
        ' Blank line becomes a paragraph break, single newline a line break
        fString = Replace(fString, CHR(10) & CHR(10), "</P><P>")
        fString = Replace(fString, CHR(10), "<BR>")
        HTMLEncode = fString
    End If
End Function
This function displays the HTML code entered by the user as plain text instead of letting the browser execute it.
-------------------------------------
FSO picture upload. Few people make this mistake, but that doesn't mean nobody does.
The extension is not restricted when uploading pictures.
For example, I upload an ASP FSO trojan, or execute programs through a shell, and by these and other means you can completely take over the
server.
I don't know how many websites have this loophole.
There are even programs of this kind available for download on the Internet now, the Dalian port one for instance; you can guess how it got there (its maintainers packed the entire program into a rar, easy to download).
Sadly, most of the sites with these errors are government and state-run websites. Look at the qualifications and connections of the personnel:
serious and irresponsible. The people who goof off are the ones working in the office, while the real technicians don't necessarily get their day.
-------------------------------
I can't think of anything else for now. Mainly, if you get these few things right, ordinary people can't hack you. If your site gets changed through port 139 or
445, though, that's not something I can help with.