Research on server-side security verification in ASP (Elementary)

Hackers often use CGI scripts to attack a website, but the effect is quite good. If a website is cracked, the information in the website will be displayed at a Glance. For websites with important information, this will be devastating.

Asp has been popular on the Internet for a long time, but its security is still very poor. Now, Qin Kegen's practice is to talk about how to perform security verification on login forms. Many beginners prefer to use clients for verification, this is simply an empty Design for people who have a little understanding of web design. Therefore, we need to verify it on the server side. Although the following methods are for ASP scripts, but it is applicable to most interactive scripts, but ASP is the most prominent.

1. Verify the format.
If a number is required, it is necessary to verify whether the entered content is a number. If the email format is correct, the entered content is regular. Required. check whether it is null. This is a basic security verification or a bit Secure script, but it is still insecure.

2. restrict the length of characters, either too short or too long.
If the length is not limited to characters, it may affect the beauty of the website. Serious users may cause unpredictable security risks to the website and sometimes cause system crashes. This is a bit like an attack. If the length of the content entered by the writer exceeds the length that the server can process, this is very dangerous. For websites with database support, especially ACCESS small databases, if the field length is exceeded, error information is returned, which often exposes the database path, hackers will use the database to steal data. The results are unimaginable.
Use len function compute to enter the length. If the length exceeds the predefined length, the server stops executing (response. End) or takes only the preceding characters.

3. Special characters such as HTML, DHTML, JS, and VB are disabled in the submitted content.
Because these scripts and characters are often executable characters of ASP scripts, it is very dangerous for the server to execute the submitted text while submitting the form!
In some previous forums and chat rooms, the author used html and JS code to open countless windows on the visitor's computer, resulting in a crash! It is also possible to steal the password and run a program similar to "zombie bomb". Are you sure you want to steal the password? Haha... Fortunately, this is only because the client is under attack. The most terrible thing is the server security.
Hackers often use special characters to access the website. A typical example is to use the syntax [= name "or" name <> 123] to cheat the server and let the database Execute SQL statements.
We want to prevent visitors from using the above characters, and use methods such as removal and replacement. Many forums use UBB code, which is a good choice.

4. Limit the number of wrong logons. In this way, qinke calls it a "Snail Guard System"
This is the most common security defense technique for banks, telecommunications and other departments. Due to historical reasons, these departments often use numbers smaller than six digits as passwords, which is too fragile in the Internet era. A computer can run all the passwords in a short time. So they used the "Snail Guard System" method. As long as you enter the wrong password three times, the card will not be able to withdraw funds. As long as you enter the wrong password three times, the SIM card of the mobile phone will be automatically locked. We can use this method when designing an ASP interactive website. The account cannot be used as long as the number of times exceeds the limit. Prevent attackers from using the software to run passwords and access the website.

5. Random additional code verification
This method mainly prevents password running and adds a dynamic password verification to password verification. Use the RND function to generate and use SESSION verification to ensure security. Do not use the hidden form. More and more websites are using this method to verify passwords.

6. restrict the operation time
Sometimes, when the operator enters the website, he forgets to close the window, which will lead to illegal access to the system by other operators. The operation time limit can be used to prevent this situation. After the time expires, all website services will be terminated. Use SESSION in ASP.

7. Access Verification
This prevents the user from generating a SESSION on the website or on the computer to cheat in security verification. Non-normal page requests will not be executed.

8. perform log management and record operator operations.
Record operator operations to fix vulnerabilities at any time.

9. Encrypt databases, paths, and scripts, disable insecure components, and fix system security vulnerabilities.
Although this is not a Form submission security issue, it is obviously inseparable from security vulnerabilities. There are many such methods.

10. Prevent the browser from caching the webpage content.
Similar to, this prevents unauthorized operators from viewing the content of the website after the operation. It can be set to read the server again after each rollback.

11. do not link important content online.
Some search engine robots cache important pages in the engine, which means opening the door to visitors all over the world.

Original Author: qinke