Attackers can bypass authentication and reach the back-office (admin) pages without ever passing through the login page. In our system this problem is fairly simple to address; I think we should handle it in the following ways:
1. Do not use admin or manage as the folder name of the back-office directory.
The advantage is that an attacker who does not already know the back-office path will find it hard to guess.
2. Do not use login as the file name of the login page.
The advantage is that even if attackers know the back-office folder, finding the entry page still puts some obstacles in their way; many authentication-bypass attacks start by locating the entry page and then attacking it. I was struck by an early version of Win2000: on the user login page, if the user switched to the Chinese input method and then clicked Help, the Help window that appeared was apparently IE, and as soon as the hacker typed a drive letter into it, he could also find "My Computer" on the desktop and open system management, which let him create a user or change a user's password.
3. Do not nest back-office pages or code inside front-end pages.
If front-end pages and back-office pages or code are nested together, attackers can use tools to learn directly which files are stored in the back office, and back-office files may be exposed to them, giving the attacker an opening.
4. Add authentication-verification code to every page.
Then even after attackers learn the back-office page, typing its path directly into the address bar will not let them in.
The above are some conclusions I have drawn for our system. At present our system has no effective measures against such attacks, and I hope this gets enough attention during the next upgrade.
What I consider most dangerous when it comes to preventing authentication-bypass attacks is the program's error page, because the error page contains the server address and some file paths.
Solution: once the site is live, disable debugging in web.config (set debug off).
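As an added example (not from the original post, and not our system's actual configuration), here is how points 4 and the error-page fix could be expressed in an ASP.NET web.config. It goes a little beyond point 4: instead of pasting a check into every page, one authorization rule covers every file under the back-office folder, so a page cannot be reached by typing its URL even when a per-page check is forgotten, and debugging and detailed error pages are switched off for visitors. The folder name Backoffice, the portal page path and the error page path are assumptions.

```xml
<?xml version="1.0"?>
<!-- Assumed layout: back-office pages live under /Backoffice, the login page
     is /Account/Portal.aspx and a generic error page is /Error.aspx. -->
<configuration>
  <system.web>
    <!-- Weak setting was debug="true": exception details with server paths
         are rendered into the response. -->
    <compilation debug="false" />

    <!-- Weak setting was mode="Off": the raw ASP.NET error page (server
         address, physical file paths) is shown to every visitor. "On" shows
         only the generic page; "RemoteOnly" shows details only to requests
         made from the server itself. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/Error.aspx" />
    </customErrors>

    <!-- Forms authentication: unauthenticated requests to protected pages are
         redirected to the portal page instead of being served. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Portal.aspx" timeout="30"
             protection="All" requireSSL="true" />
    </authentication>
  </system.web>

  <!-- Point 4, applied once for the whole folder rather than page by page:
       "?" means the anonymous user, so every unauthenticated request for any
       file under /Backoffice is denied before the page's own code runs. -->
  <location path="Backoffice">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A per-page check in code can stay as a second layer; the location rule simply means that a forgotten check no longer exposes that page.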