How to Implement asp program Security

Author: jshell

Asp has been popular for N years as a powerful language, but due to its own defects

Programs Written by programmers are prone to many vulnerabilities. asp vulnerabilities are usually injected and uploaded.

In addition, arbitrary file downloads (usually in download programs) or some classical Vulnerabilities

For example, % 5c database brute-force cracking can solve the on error resume next vulnerability in one sentence.

Before creating a database connection object, add a File Download Vulnerability. Generally, the PATH variable value is not set.

Good filtering. In fact, the replace function is very powerful. Think carefully and you will know how to do it.

Injection is nothing more than checking the value of the variable. Here we provide a function from the laoy system.

We can see that the replace function is used to replace insecure characters in sequence to prevent injection. The Code is as follows:

<%
Function Checkall (str)
Checkall = replace (str, "<", "& lt;"), ">", "& gt;"), chr (13 ), "<br> "),"","")
CheckStr = replace (Checkall, "", ""), "and", ""), "insert", ""), "set ", "")
Checkall = replace (Checkall, "select", ""), "update", ""), "delete ",""), chr (34), "& quot ;")
Checkall = replace (Checkall, "*", ""), "=", ""), "or ",""), "mid", ""), "count ","")
End function
%>

Write this code to function. asp. Use this function to filter the received variables.

For example, id = request. querystring ("id") can be written as id = checkall (request. querystring ("id "))

Furthermore, the program author's code is rigorous. For example, we receive a variable value in post mode.

In fact, this write id = request ("id") is not wrong, but it lacks security.

For cookie injection, we know that the request object obtains data from several sets in sequence, from the beginning to the end.

Get post cookie if get is empty and post is empty, it will take values from the cookie and then go to the database for query.

If your anti-injection program does not check the cookie value, congratulations on the occurrence of the cookie injection vulnerability.

The speed of the program will be slightly slow without writing to get the variable value. I don't know much about uploading because I don't know much about uploading.

However, it is safe to use the upload module of the famous program in the upload area.