ASP Network Security Manual (1)
Author: Unknown
Source: www.cpcw.com

1. Preface

Microsoft Active Server Pages (ASP) is a server-side scripting environment for creating and running dynamic, interactive web server applications. ASP lets you combine HTML pages, script commands, and ActiveX components into interactive web pages and powerful web-based applications. At present many websites, e-commerce websites in particular, implement their front end in ASP, so ASP is widely used in website applications.

ASP is a tool for developing website applications quickly. However, some website administrators see only ASP's rapid development capabilities and ignore its security issues. ASP has been plagued by vulnerabilities and backdoors since the very beginning, including the nightmare of %81, password verification issues, and IIS vulnerabilities, all of which have alarmed ASP website developers.

This article attempts to describe ASP security issues and to provide solutions or suggestions, looking at both the vulnerabilities of the operating system that runs ASP services and the vulnerabilities of ASP programs.

2. Keywords

ASP, network security, IIS, SSL, encryption.

3. ASP Mechanism

Active Server Pages technology gives application developers an intuitive, fast, and efficient script-based development method that greatly improves development efficiency. Before discussing ASP security, let's take a look at how ASP works.

ASP scripts are plain-text files written in a specific scripting syntax (VBScript and JScript are currently supported) and mixed with standard HTML. When an end user accesses an ASP-based application over the Internet with a web browser, the browser sends an HTTP request to the web server. After the web server analyzes the request and determines that it is for an ASP script, it automatically calls the ASP script interpretation engine (ASP.dll) through ISAPI. ASP.dll obtains the specified ASP script file from the file system or an internal buffer, then parses and interprets it. The result of processing is HTML content, which is returned to the web browser through the web server along the original path and displayed by the browser on the client. This completes one ASP script call. Several related ASP script calls make up a complete ASP script application.

The environments required to run ASP are:

Microsoft Internet Information Server 3.0/4.0/5.0 on NT Server
Microsoft Internet Information Server 3.0/4.0/5.0 on Win2000
Microsoft Personal Web Server on Windows 95/98

Microsoft IIS in the Windows NT Option Pack provides powerful functions, but IIS is dangerous in terms of network security. Because Windows 95/98 is rarely used as a server, I will mainly discuss IIS security issues on NT.

4. Security advantages of ASP claimed by Microsoft

Although this article focuses on ASP vulnerabilities and backdoors, it is necessary to talk about ASP's "advantages" in terms of network security. The quotation marks are there because the "advantages" Microsoft claims are precisely where its hidden security dangers lie.

Microsoft says that ASP has one major advantage in terms of network security: users cannot see the source program of an ASP page. By design, ASP is executed on the server, interpreted into standard HTML statements, and then sent to the client browser. Shielding the source program protects the copyright of ASP developers: imagine working hard to create a very good program, only for anyone to be able to copy it. Moreover, with the source visible, hackers can analyze your ASP program and pick out vulnerabilities. More importantly, some ASP developers like to write passwords, privileged user names, and paths into the program, so that others, by guessing passwords and paths, can easily find the "entrance" for attacking the system.
However, we have discovered many vulnerabilities that can be used to view ASP source programs. We will discuss them later.

IIS supports virtual directories. You can manage virtual directories on the "directory" tab of the "server properties" dialog box. Creating virtual directories is of great significance for managing web sites. First, a virtual directory hides important information about the site's directory structure. In the browser, anyone can easily obtain a page's file path information by selecting "View Source Code". If the web page uses physical paths, this exposes important information about the site's directories, which can easily lead to attacks on the system. Second, as long as two machines have the same virtual directory, you can move web pages from one machine to the other without making any changes to the page code.

In addition, when you place web pages under a virtual directory, you can set different attributes for the directory, such as Read, Execute, and Script. Read access means that IIS passes the directory's content to the browser. Execute access allows executable files in the directory to be executed. When you need to use ASP, you must set the directory containing your .asp files to "Execute". When setting up a web site, we recommend that you place HTML files and ASP files in separate directories, setting the HTML subdirectory to "Read" and the ASP subdirectory to "Execute". This not only facilitates web management but also improves the security of ASP programs and prevents program content from being accessed by clients.
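The following Python audit is an added example, not code from the original article. It checks a site tree for three problems described above: credentials written into ASP script, physical paths visible in the HTML sent to the browser, and HTML and ASP files sharing one directory. The function name `audit`, the `SAMPLE` data, and the file names and contents in it are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Server-side script blocks: <% ... %>
ASP_BLOCK = re.compile(r"<%.*?%>", re.S)
# A credential field given a literal value: either a quoted string, or a bare
# connection-string value ended by ';' or '"'. Values read at run time
# (e.g. Request.Form(...)) do not match.
SECRET = re.compile(
    r'(?i)\b(?:pwd|password|uid|user id)\s*=\s*(?:"[^"]+"|[^;"\s(]+(?=[;"]))')
# Absolute Windows path such as D:\Inetpub\... (\x27 is the single quote)
PHYS_PATH = re.compile(r'(?i)\b[a-z]:\\[^\s"\x27<>]+')

def audit(files):
    """files maps a site-relative path to file text; returns sorted (where, issue)."""
    findings = set()
    kinds = defaultdict(set)          # directory -> file extensions found in it
    for path, text in files.items():
        p = PureWindowsPath(path)
        kinds[str(p.parent)].add(p.suffix.lower())
        server_side = "".join(ASP_BLOCK.findall(text))   # never sent to clients
        client_side = ASP_BLOCK.sub("", text)            # what View Source shows
        if SECRET.search(server_side):
            findings.add((path, "hard-coded credential in script"))
        if PHYS_PATH.search(client_side):
            findings.add((path, "physical path visible in page source"))
    for folder, exts in kinds.items():
        # Mixed content means one directory needs both Read and Execute.
        if ".asp" in exts and exts & {".htm", ".html"}:
            findings.add((folder, "HTML and ASP share one directory"))
    return sorted(findings)

# Constructed sample site (not taken from any real system).
SAMPLE = {
    r"shop\login.asp": '<% conn.Open "DSN=shop;UID=sa;PWD=secret123" %><html>Login</html>',
    r"shop\index.html": r'<img src="D:\Inetpub\wwwroot\shop\logo.gif">',
    r"scripts\check.asp": '<% pwd = Request.Form("pwd") %><a href="/html/help.htm">Help</a>',
    r"html\help.htm": "<p>Help page</p>",
}

if __name__ == "__main__":
    for where, issue in audit(SAMPLE):
        print(f"{where}: {issue}")
```

The `scripts` and `html` directories in the sample follow the recommended layout and produce no findings; only the mixed `shop` directory is reported.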