With the development of Internet, web technology is changing with each passing day. After the Common Gateway Interface (CGI), "ASP" (Active Server Pages) as a typical server-side web design technology, is widely used in online banking, E-commerce, search engines and other Internet applications. At the same time, as a desktop database system launched by Microsoft, the Access database has a large user base because of its simple operation and friendly interface. As a result, asp+access has become the preferred solution for many small and medium sized online application systems. But Asp+access solutions bring convenience to us, but also bring about security issues that cannot be neglected.
The safety hidden trouble of Asp+access
The main security vulnerabilities of the asp+access solution come from the security of Access database, followed by the security vulnerability in the design process of ASP Web pages.
Storage pitfalls in 1.Access databases
In a asp+access application system, the database can be downloaded to local if it obtains or guesses the storage path and database name of the Access database. For example: For an Access database on an online bookstore, people are generally named Book.mdb, Store.mdb, and so on, while the stored path is generally "url/database" or simply placed under the root directory ("url/"). In this way, you can easily download Store.mdb to a local machine simply by typing the address in the browser's address bar: "Url/database/store.mdb".
2.Access database decryption Hidden trouble
Because the encryption mechanism of an Access database is simple, decryption is easy even if the database has a password. The database system forms an encrypted string by *.mdb the password entered by the user with a fixed key, and stores it in the area from the address "&h42" in the file. The password for an Access database can be easily obtained by using this key with a second XOR or operation with the encrypted string in the *.mdb file, because the XOR or operation is characterized by a "two-time or on-restore of the original value". Based on this principle, the decryption program can be easily developed.
This shows that no matter whether the database password is set, as long as the database is downloaded, its information has no security to speak of.
3. Source code Security Risks
Because the ASP program uses the non-compiler language, this greatly reduces the program source code security. Anyone who enters the site can get the source code, causing the source code of the ASP application to leak.
4. The security hidden danger in the program design
The ASP code uses form to realize the function that interacts with the user, and the corresponding content is reflected in the browser's address bar, if does not adopt the appropriate security measures, as long as takes down these content, can bypass the authentication to enter a page directly. For example, typing "... page.asp?x=1" in the browser, you can go directly to the page that satisfies the "x=1" condition without the form page. Therefore, when designing validation or registration pages, special measures must be taken to prevent such problems from occurring.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.
