ASP + Access security hazards
The main security hazards of the ASP + Access solution come from the Access database itself, followed by vulnerabilities introduced while designing the ASP web pages.
1. storage risks of Access databases
In an ASP + Access application, anyone who obtains or guesses the storage path and file name of the Access database can download the database to a local machine. For example, the Access database of an online bookstore is typically named book.mdb or store.mdb, and it is typically stored under "URL/database" or simply in the root directory "URL". In that case, store.mdb can be downloaded simply by entering URL/database/store.mdb in the browser's address bar.
2. Potential decryption risks of Access databases
Because the encryption mechanism of the Access database is very simple, it is easy to decrypt even if a password has been set. The database system forms an encrypted string by XOR-ing the password entered by the user with a fixed key, and stores that string in the *.mdb file in the region beginning at offset &H42. Since XOR has the property that applying it twice restores the original value, XOR-ing the same key with the encrypted string in the *.mdb file a second time yields the Access database password. A decryption program can easily be written on this principle.
Therefore, whether or not a database password is set, once the database has been downloaded its contents are no longer secure.
3. Source Code Security Risks
ASP programs are written in a non-compiled (interpreted) language, which greatly weakens the protection of the program source code. Anyone who can retrieve the page files from the site obtains the source code, so the source of the ASP application leaks.
4. Security Risks in programming
ASP code uses forms to interact with users, and the submitted content is reflected in the browser's address bar. If no appropriate security measure is in place, anyone who writes down that content can open the page directly without passing authentication. For example, requesting Page.asp?X=1 reaches the page that handles the "x = 1" condition directly, without going through the form page. Special measures must therefore be taken when designing verification or registration pages to avoid this problem.
Improve database security
Because the encryption mechanism of the Access database is so simple, effectively preventing the Access database from being downloaded is the top priority for improving the security of an ASP + Access solution.
1. unconventional naming rules
A simple way to keep the database from being found is to give the Access database file a complex, unconventional name and to store it in a deeply nested directory. For example, do not name the online bookstore's database file "book.mdb" or "store.mdb"; use an unconventional name such as faq19jhsvzbal.mdb and place it in a deep directory such as ./akkjj16t/kjhgb661/acd/avccx55. This makes it far harder for an unauthorized visitor to obtain the Access database file name by guessing.
2. Use ODBC Data sources
In ASP programming, an ODBC data source should be used whenever possible; do not write the database path directly into the program. Otherwise, the database name (and any password) leaks together with the ASP source code. For example:
DBPath = Server.MapPath("./akkjj16t/kjhgb661/acd/avccx55/faq19jhsvzbal.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & DBPath
As this shows, no matter how strange the database name or how deep the hidden directory, the database is easily downloaded once the ASP source code has leaked. If an ODBC data source is used instead, this problem does not arise:
Conn.Open "ODBC-DSN name"
ASP page encryption
To effectively prevent ASP source code leakage, ASP pages can be encrypted. There are two ways to do this. One is to use component technology to encapsulate the programming logic in a DLL; the other is to use the Microsoft Script Encoder to encrypt the ASP pages. The main problem with component technology is that every segment of code must be turned into a component, which is cumbersome and a lot of work; using Script Encoder to encrypt the ASP pages is simple to operate and gives good results.
The Script Encoder method has many advantages:
1. HTML is still editable. Script Encoder encrypts only the ASP code embedded in the HTML page and leaves the rest unchanged, so the HTML part can still be modified and improved with common web page editing tools such as FrontPage or Dreamweaver. The encrypted ASP part must not be modified, however, or the file becomes invalid.
2. Easy to operate. Only a few command line parameters need to be mastered. The Script Encoder executable is screnc.exe, which is used as follows:
screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] inputfile outputfile
The parameter meanings are as follows:
/s: suppress screen output;
/f: specifies whether the output file overwrites an input file of the same name;
/xl: whether to add the @Language directive at the top of the .asp file;
/l defLanguage: specifies the default script language;
/e defExtension: specifies the extension of the files to be encrypted.
3. Files can be encrypted in batches. Script Encoder can encrypt all ASP files in the current directory and write the encrypted files to the corresponding directory. For example:
screnc *.asp c:\temp
4. Script Encoder is free software. It can be downloaded from the Microsoft website at http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the file to install it.
To prevent unregistered users from entering the application directly, bypassing the registration (login) interface, the Session object can be used for registration verification. The biggest advantage of the Session object is that it retains a user's information so that subsequent web pages can read it.
Registration page
After the user has registered successfully, the system opens the page hrmis.asp?Page=1. If the Session object is not used for registration verification, a user can simply enter "URL/hrmis.asp?Page=1" in the browser to bypass the registration interface and access the system directly. The Session object effectively prevents this. The related program code is as follows:
<%
' Read the account and password entered by the user
UserID = Request("UserID")
Password = Request("Password")
' Check whether the UserID and Password are correct (this may be more complex in practice)
If UserID <> "hrmis" Or Password <> "Password" Then
    Response.Write "Account Error!"
    Response.End
End If
' Set the Session object to the verified state
Session("Passed") = True
%>
After entering the application, first verify:
<%
' If the session has not been verified, return to the login page
If Not Session("Passed") Then
    Response.Redirect "Login.asp"
End If
%>
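The following added example (not code from the original article) combines the two measures above: the database is opened through an ODBC DSN so that the .mdb path never appears in the page source, the account lookup runs as a parameterised ADO query instead of concatenating the submitted values into SQL text, and the Session flag is set only after a successful lookup and checked by an include that every protected page loads. The DSN name hrmisDSN, the Users(UserID, Password) table and the file name checkauth.inc are assumptions for illustration.

```vbscript
<%
' Login.asp (added example; DSN name, table layout and include name are assumptions)
Option Explicit
Dim UserID, Password, Conn, Cmd, Rs

' Read the account and password from the POSTed form, not from the query string
UserID   = Request.Form("UserID")
Password = Request.Form("Password")

' Reject empty input before touching the database
If UserID = "" Or Password = "" Then
    Response.Write "Account Error!"
    Response.End
End If

' Connect through the System DSN: the .mdb path lives in the ODBC configuration,
' so a leaked copy of this page does not reveal where the database is stored
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "DSN=hrmisDSN"

' Parameterised lookup: the submitted values are bound as parameters and are
' never spliced into the SQL text
Set Cmd = Server.CreateObject("ADODB.Command")
Set Cmd.ActiveConnection = Conn
Cmd.CommandText = "SELECT UserID FROM Users WHERE UserID = ? AND Password = ?"
' 200 = adVarChar, 1 = adParamInput, 50 = maximum length
Cmd.Parameters.Append Cmd.CreateParameter("u", 200, 1, 50, UserID)
Cmd.Parameters.Append Cmd.CreateParameter("p", 200, 1, 50, Password)
Set Rs = Cmd.Execute

If Rs.EOF Then
    ' No matching account: make sure no stale verified flag survives
    Session("Passed") = False
    Rs.Close
    Conn.Close
    Response.Write "Account Error!"
    Response.End
End If

' Mark this session as verified, then start the application
Session("Passed") = True
Session("UserID") = UserID
Rs.Close
Conn.Close
Response.Redirect "hrmis.asp?Page=1"
%>

<%
' checkauth.inc (added example): placed at the top of every protected page with
'   <!-- #include file="checkauth.inc" -->
' Anyone who types hrmis.asp?Page=1 directly, without having logged in,
' carries no verified flag in their session and is sent back to Login.asp.
If Session("Passed") <> True Then
    Response.Redirect "Login.asp"
End If
%>
```

The include must be the first thing each protected page executes, before any output is written, since Response.Redirect cannot be issued once the response body has started. The plaintext password comparison mirrors the article's example; a real deployment would store and compare a password hash in the Users table rather than the password itself.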