Prevent intrusion: Eight rules prevent ASP Website Vulnerabilities

Source: Internet
Author: User

I personally comment on how to better prevent hacker attacks! First, free programs should not be used for free. Since you can share the original code, attackers can analyze the code. If you take precautions for the details, the security of your site will be greatly improved. Even if an SQL injection vulnerability occurs, attackers cannot immediately win your website.

Because ASP is easy to use, more and more website background programs use ASP scripting language. However, due to some security vulnerabilities in ASP, hackers may be given a chance to seize the opportunity. In fact, security is not only a matter of network management. programmers must also pay attention to some security details to develop good security habits. Otherwise, they will bring huge security risks to their websites. At present, ASP programs on most websites have such security vulnerabilities. However, if you pay attention to programming, you can avoid them.

1. username and password cracked

Attack principle: username and password are often the most interesting things of hackers. If the source code is seen in some way, the consequences are serious. Prevention Tips: programs involving user names and passwords are best encapsulated on the server end and appear in ASP files as few as possible. Users and passwords involving database connections should be given the minimum permission. Usernames and passwords that appear frequently can be written in concealed include files in one location. If it involves connecting to a database, you can only grant it the permission to execute the stored procedure. do not grant the user the permission to modify, insert, or delete records directly.

2. Verification bypassed

Attack principle: currently, most ASP programs that need to be verified are added with a judgment statement in the header of the page, but this is not enough. hackers may bypass the verification and directly access the site.

Defense tips: For an ASP page that requires verification, you can trace the file name of the previous page. Only sessions that are transferred from the previous page can read this page.

3. inc file Leakage

Attack principle: When an ASP homepage is being created without final debugging, it can be automatically appended as a search object by some search engines. If someone uses the search engine to search for these webpages, the relevant files will be located, and the database location and structure details can be viewed in the browser to reveal the complete source code.

Defense tips: programmers should thoroughly debug the web page before it is published; security experts need to reinforce ASP files so that external users cannot see them. First, encrypt the. inc file content, and then use the. asp file instead of the. inc file so that users cannot directly view the source code of the file from the browser. Do not use a default name or a name that is easily guessed by users with special meanings for the name of an inc file. Try to use letters without rules.

4. Automatic Backup is downloaded

Attack principle: in some ASP program editing tools, when an ASP file is created or modified, the editor automatically creates a backup file. For example, ultraedit backs up one file. bak file. If you have created or modified some files. ASP, the editor automatically generates a file called some. ASP. bak file. If you have not deleted this Bak file, attackers can directly download some. ASP. bak file, so some. the source program of ASP will be downloaded.

Defense tips: before uploading a program, you must carefully check and delete unnecessary documents. Be careful with files suffixed with Bak.

 

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.