Safety hidden trouble and countermeasure of Asp+access

Source: Internet
Author: User
Tags html page odbc access database root directory microsoft website
access| Security | Security risks with the development of the Internet, Web technology is changing with each passing day. After the Common Gateway Interface (CGI), "ASP" (Active Server Pages) as a typical server-side web design technology, is widely used in online banking, E-commerce, search engines and other Internet applications. At the same time, as a desktop database system launched by Microsoft, the Access database has a large user base because of its simple operation and friendly interface. As a result, asp+access has become the preferred solution for many small and medium sized online application systems. But Asp+access solutions bring convenience to us, but also bring about security issues that cannot be neglected.
The safety hidden trouble of Asp+access
The main security vulnerabilities of the asp+access solution come from the security of Access database, followed by the security vulnerability in the design process of ASP Web pages.
Storage pitfalls in 1.Access databases
In a asp+access application system, the database can be downloaded to local if it obtains or guesses the storage path and database name of the Access database. For example: For an Access database on an online bookstore, people are generally named Book.mdb, Store.mdb, and so on, while the stored path is generally "url/database" or simply placed under the root directory ("url/"). In this way, you can easily download Store.mdb to a local machine simply by typing the address in the browser's address bar: "Url/database/store.mdb".
2.Access database decryption Hidden trouble
Because the encryption mechanism of an Access database is simple, decryption is easy even if the database has a password. The database system forms an encrypted string by *.mdb the password entered by the user with a fixed key, and stores it in the area from the address "&h42" in the file. The password for an Access database can be easily obtained by using this key with a second XOR or operation with the encrypted string in the *.mdb file, because the XOR or operation is characterized by a "two-time or on-restore of the original value". Based on this principle, the decryption program can be easily developed.
This shows that no matter whether the database password is set, as long as the database is downloaded, its information has no security to speak of.
3. Source code Security Risks
Because the ASP program uses the non-compiler language, this greatly reduces the program source code security. Anyone who enters the site can get the source code, causing the source code of the ASP application to leak.
4. The security hidden danger in the program design
The ASP code uses form to realize the function that interacts with the user, and the corresponding content is reflected in the browser's address bar, if does not adopt the appropriate security measures, as long as takes down these content, can bypass the authentication to enter a page directly. For example, typing "... page.asp?x=1" in the browser, you can go directly to the page that satisfies the "x=1" condition without the form page. Therefore, when designing validation or registration pages, special measures must be taken to prevent such problems from occurring.
Improve the security of your database
Because the Access database encryption mechanism is too simple, how to effectively prevent Access databases from being downloaded is the most important way to improve the security of asp+access solutions.
1. Unconventional nomenclature
An easy way to prevent a database from being found is to have a complex, unconventional name for an Access database file and store it in a multi-tiered directory. For example, for a database file on an online bookstore, do not simply name "Book.mdb" or "store.mdb", but rather an unconventional one, such as: Faq19jhsvzbal.mdb, and then put it in a./akkjj16t/kjhgb661/acd/ A deep directory like avccx55. In this way, some illegal access to the file name of an Access database can be effectively blocked by guessing.
2. Using an ODBC data source
In ASP program design, should use ODBC data source as far as possible, do not write the database name directly in the program, otherwise, the database name will be compromised with the source code of the ASP. For example:
DBPath = Server.MapPath ("./akkjj16t/
Kjhgb661/acd/avccx55/faq19jhsvzbal.mdb ")
Conn. Open driver={microsoft Access Driver (*.mdb)};d bq= "& DBPath
Visible, even if the name of the database is again strange, hidden directory again deep, the ASP source code compromised, the database is also easy to download down. If you are using an ODBC data source, there is no such problem:
Conn.Open "ODBC-DSN name"
Encrypt an ASP page
To effectively prevent the leakage of ASP source code, you can encrypt ASP pages. There are generally two ways to encrypt an ASP page. One is to encapsulate programming logic into DLLs using component technology, and the other is to encrypt ASP pages using Microsoft's script encoder. The author thinks that the main problem of using component technology is that each piece of code needs to be modular, the operation is cumbersome, the workload is large, and the use of Script Encoder to encrypt ASP pages, simple operation and good results. The Script encoder method has many advantages:
1.HTML is still well editable. The Script encoder only encrypts the ASP code embedded in the HTML page, and the rest remains the same, which makes it possible to modify and refine the HTML section using commonly used Web page editing tools, such as FrontPage or Dreamweaver. Only the ASP encryption section cannot be modified, or it will cause the file to fail.
2. Simple operation. Just master a few command-line arguments. The Script encoder is run by a screnc.exe, which is used in the following ways:
Screnc [/S] [f] [/XL] [/L deflanguage] [/e defextension] inputfile outputfile
The parameter meanings are as follows:
S: Shielding screen output;
F: Specifies whether the output file overwrites the input file with the same name;
XL: Whether to add a @language directive at the top of the. asp file;
L:DEFLANGUAG Specifies the default scripting language;
e:defextension specifies the extension of the file to be encrypted.
3. You can encrypt files in bulk. Use the script Encoder to encrypt all ASP files in the current directory and to uniformly output the encrypted files to the appropriate directory. For example:
Screnc *.asp C:\Temp
4. Script encoder is free software. The encryption software can be downloaded from the Microsoft website: Http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the installation.
Registering with the Session object for authentication
To prevent unregistered users from bypassing the registration interface directly into the application system, you can use the session object for registration verification. The biggest advantage of the session object is that you can keep a user's information for subsequent pages to read. For example, to design the registration page as shown in Figure 1.

Figure 1 Registering the page
The design requires the user to register successfully after the system starts the Hrmis.asp?page=1 page. If you do not use the Session object for registration verification, users in the browser typing "url/hrmis.asp?page=1" can bypass the registration interface, directly into the system. Using the session object can effectively prevent this from happening. The relevant program code is as follows:
<%
' Read the user input account number and password
UserID = Request ("UserID")
Password = Request ("Password")
' Check userid and password is correct (the actual program may be more complex)
If UserID <> "Hrmis" Or Password <>
"Password" Then
Response.Write "Account Error! ”
Response.End
End If
' Set session object to pass validation status
Session ("passed") = True
%>
After you enter the application, first verify:
<%
' If validation is not passed, return login status
If not session ("passed") Then
Response.Redirect "Login.asp"
End If
%>



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.