Safety hidden trouble of asp+access and its countermeasures

Source: Internet
Author: User
Tags: access, database, microsoft, website

With the development of the Internet, Web technology is changing rapidly. After the Common Gateway Interface (CGI), ASP (Active Server Pages), a typical server-side web design technology, came into wide use in internet banking, e-commerce, search engines and other Web applications. At the same time, the Access database, a desktop database system built on the standard Jet engine, has a large user base because of its simple operation and friendly interface. Therefore asp+access has become the preferred solution for many small and medium-sized Web applications. But while the asp+access solution brings us convenience, it also brings security issues that cannot be ignored.

Security risks of asp+access

The main security risks of the asp+access solution lie in the security of the Access database itself, followed by the security vulnerabilities introduced during ASP page design.

1. Storage vulnerability of the Access database

In an asp+access application system, anyone who obtains or guesses the storage path and file name of the Access database can download the database to their local machine. For example, the Access database of an online bookstore is usually named something like Book.mdb or Store.mdb, and it is usually stored under "url/database" or simply in the root directory ("url/"). Simply typing the address "url/database/store.mdb" into the browser address bar is then enough to download Store.mdb to the local machine.
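A defender's first question for this risk is whether anyone has already fetched the .mdb file through the web server. The following is an added example, not code from the article: it parses IIS W3C extended log lines (the field order is taken from the #Fields: header, so it is not tied to one layout), decodes URL-encoded paths so that "store%2Emdb" is not missed, and reports every request for a database file, separating the ones the server actually served. The log lines and the client addresses are constructed for the example.

```python
"""Detect requests for Access database files in IIS W3C extended log lines.

Added example (not part of the original article). SAMPLE_LOG is constructed;
the field names follow the IIS W3C convention and are read from the
#Fields: header rather than assumed.
"""
from dataclasses import dataclass
from urllib.parse import unquote

# Constructed sample log: two successful .mdb downloads, one 404, one encoded path.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:15:02 203.0.113.7 GET /default.asp - 200
2004-03-01 10:15:09 203.0.113.7 GET /database/store.mdb - 200
2004-03-01 10:15:31 198.51.100.4 GET /database/book.mdb - 404
2004-03-01 10:16:02 198.51.100.4 GET /db/data%2Emdb - 200
2004-03-01 10:16:40 203.0.113.7 GET /images/logo.gif - 200
"""

# Access/Jet file extensions worth flagging when served over HTTP.
DB_EXTENSIONS = (".mdb", ".mde", ".accdb")


@dataclass
class Hit:
    client: str
    path: str
    status: int


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign the columns
        yield dict(zip(fields, values))


def find_db_requests(text):
    """Return every request whose decoded, lower-cased URI stem names a database file."""
    hits = []
    for row in parse_w3c(text):
        stem = unquote(row["cs-uri-stem"]).lower()
        if stem.endswith(DB_EXTENSIONS):
            hits.append(Hit(row["c-ip"], stem, int(row["sc-status"])))
    return hits


def successful_downloads(text):
    """The subset of hits the server actually served (2xx), i.e. a confirmed leak."""
    return [h for h in find_db_requests(text) if 200 <= h.status < 300]


if __name__ == "__main__":
    for h in find_db_requests(SAMPLE_LOG):
        print(f"{h.client} requested {h.path} -> {h.status}")
```

A 404 still shows that someone is guessing database names and is worth alerting on; a 200 means the file has left the server and the data in it must be treated as disclosed.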

2. Decryption vulnerability of the Access database

Because the encryption mechanism of an Access database is very simple, decryption is easy even if a database password has been set. The database system XORs the password entered by the user with a fixed key to produce an encrypted string, and stores it in a region of the *.mdb file starting at address &H42. Because XOR has the property that applying the same value a second time restores the original, XORing this key once more with the encrypted string taken from the *.mdb file easily yields the Access database password. Based on this principle, a decryption program is easy to write.

This shows that once the database has been downloaded, its contents offer no security at all, whether or not a database password was set.
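The weakness described above is structural, not a matter of key length: a fixed key shared by every file is not a secret, and XOR is its own inverse. The following is an added example, not from the article, that makes this concrete with a constructed eight-byte key (it is not the key of any real Access or Jet version) and a toy scheme that zero-pads the password to the key length and XORs. It shows that a single known password/stored-bytes pair gives back the key, that the recovered key then opens every other password, and that zero padding leaks the key bytes outright.

```python
"""Why XOR with a fixed key is not encryption (added example, not from the article).

FIXED_KEY is constructed for illustration and is NOT the key of any real
Access/Jet version. The scheme (zero-pad to the key length, XOR with the
key) is a toy model of the mechanism the article describes.
"""
from itertools import cycle

FIXED_KEY = bytes([0x13, 0x7A, 0xC5, 0x2E, 0x90, 0x41, 0x8B, 0x6D])  # constructed


def xor_bytes(data, key):
    """XOR data with key, repeating the key if data is longer."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def pad(password):
    """Zero-pad the password to one key block, as the toy scheme stores it."""
    raw = password.encode("latin-1")
    if len(raw) > len(FIXED_KEY):
        raise ValueError("password longer than the key block")
    return raw.ljust(len(FIXED_KEY), b"\x00")


def store_password(password):
    """What the file would hold: plaintext block XOR fixed key."""
    return xor_bytes(pad(password), FIXED_KEY)


def recover_password(stored, key):
    """XOR is an involution: the same key applied again restores the plaintext."""
    return xor_bytes(stored, key).rstrip(b"\x00").decode("latin-1")


def recover_key(known_password, known_stored):
    """One known plaintext/stored pair leaks the key: stored ^ plaintext == key."""
    return xor_bytes(known_stored, pad(known_password))


def leaked_key_bytes(stored, password_length):
    """Positions XORed with zero padding are the key bytes themselves."""
    return stored[password_length:]


if __name__ == "__main__":
    stored = store_password("secret")
    print("stored:", stored.hex())
    print("key from one known pair:", recover_key("secret", stored).hex())
```

The defensive conclusion matches the article's: treat the database password as a label, not a control, and concentrate on keeping the file itself from being downloaded.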

3. Security risks of the source code

Because ASP programs are written in an interpreted rather than compiled language, the protection of the program source code is greatly reduced. Anyone who gets into the site can obtain the source code, resulting in disclosure of the ASP application's source.

4. Security risks in program design

ASP code uses forms to interact with the user, and the submitted values are reflected in the browser's address bar. If no appropriate security measures are taken, a user only has to note down that content to bypass the verification and enter a page directly. For example, typing "... page.asp?x=1" into the browser lets the user go straight to the page that matches the "x=1" condition without ever passing through the form page. Therefore special measures must be taken when designing validation or registration pages to prevent problems of this kind.

Improving database security

Because the encryption mechanism of the Access database is too simple, effectively preventing the Access database from being downloaded becomes the priority in improving the security of the asp+access solution.

1. Unconventional naming

An easy way to prevent the database from being found is to give the Access database file a complex, unconventional name and to store it in a multi-level directory. For example, do not simply name the online bookstore database file "Book.mdb" or "Store.mdb"; instead choose an unconventional name such as Faq19jhsvzbal.mdb and place it in a deep directory such as ./akkjj16t/kjhgb661/acd/avccx55. This is an effective way to stop the Access database file name from being found by guessing.

2. Using an ODBC data source

In ASP program design you should use an ODBC data source wherever possible and not write the database name directly into the program; otherwise the database name is compromised together with the ASP source code. For example:

DBPath = Server.MapPath("./akkjj16t/kjhgb661/acd/avccx55/faq19jhsvzbal.mdb")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath

As can be seen, even if the database name is strange and the hidden directory is deep, once the ASP source code is compromised the database is still easy to download. If you use an ODBC data source, there is no such problem:

Conn.Open "ODBC-DSN name"

Encrypting ASP pages

To effectively prevent leakage of the ASP source code, the ASP pages can be encrypted. There are generally two ways to encrypt an ASP page. One is to use component technology to encapsulate the programming logic in DLLs; the other is to use the Microsoft Script Encoder to encrypt the ASP pages. The author believes that the main problem with component technology is that every piece of code has to be turned into a module, which is cumbersome and a lot of work, whereas encrypting ASP pages with Script Encoder is simple to operate and gives good results.

The Script Encoder method has many advantages:

1. The HTML remains editable. Script Encoder only encrypts the ASP code embedded in the HTML page; the rest stays the same, so the HTML parts can still be modified and refined with common Web page editing tools such as FrontPage or Dreamweaver. Only the encrypted ASP section must not be modified, otherwise the file becomes invalid.

2. Simple operation. You only need to master a few command-line arguments. Script Encoder runs as Screnc.exe and is used as follows:

Screnc [/s] [/f] [/xl] [/l deflanguage] [/e defextension] inputfile outputfile

The parameters have the following meanings:

/s: suppresses screen output;
/f: specifies that the output file overwrites the input file of the same name;
/xl: add the @language directive at the top of the .asp file;
/l deflanguage: specifies the default scripting language;
/e defextension: specifies the extension of the files to be encrypted.

3. Files can be encrypted in bulk. With Script Encoder you can encrypt all ASP files in the current directory and write the encrypted files to a directory of your choice. For example:

Screnc *.asp C:\Temp

4. Script Encoder is free software. It can be downloaded from the Microsoft website: http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. Once downloaded, run the installer.

Registration verification with Session object

To prevent unregistered users from bypassing the registration interface and entering the application system directly, the Session object can be used for registration verification. The biggest advantage of the Session object is that it keeps a user's information and lets subsequent pages read it. As an example, consider the registration page shown in Figure 1.

The design requires that the system only launches the Hrmis.asp?page=1 page after the user has registered successfully. If the Session object is not used for registration verification, the user can bypass the registration interface and enter the system directly by typing "url/hrmis.asp?page=1" into the browser. Using the Session object effectively prevents this. The relevant program code is as follows:

<% ' Read the account number and password entered by the user
UserID = Request("userid")
Password = Request("Password")

' Check whether the UserID and password are correct (a real program may be more complex)
If UserID <> "Hrmis" Or Password <> "Password" Then
    Response.Write "Account Error!"
    Response.End
End If

' Set the Session object to record that validation has passed
Session("Passed") = True
%>

After entering the application, each page first verifies the state:

<% ' If validation has not been passed, return to the login page
If Not Session("Passed") Then
    Response.Redirect "Login.htm"
End If
%>
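The two ASP fragments above, and the "program design" risk described earlier (a page reached by typing its query string), come down to one rule: the fact that a user passed validation must live in server-side state tied to an unguessable session identifier, never in a URL parameter the client can type. The following added example, not the article's code, models that rule in Python as a stand-in for the ASP/VBScript: SessionStore plays the role of the Session object, login() is the registration page, and serve() is the check at the top of every protected page. The account "Hrmis"/"Password" is the article's hard-coded placeholder; a real system would look the account up in a store and compare a password hash.

```python
"""Server-side session gating, modelled on the article's Session("Passed") check.

Added example, not the article's code. Python stands in for ASP/VBScript;
the credential check is a placeholder mirroring the article's hard-coded
account, and the page names follow the article.
"""
import hmac
import secrets

# Placeholder account from the article's example; not a recommendation.
VALID_USERID = "Hrmis"
VALID_PASSWORD = "Password"
PROTECTED_PAGE = "/hrmis.asp"
LOGIN_PAGE = "Login.htm"


class SessionStore:
    """In-memory stand-in for the ASP Session object: one dict per session id."""

    def __init__(self):
        self._sessions = {}

    def create(self):
        # 128-bit random id: the cookie value cannot be guessed or typed in.
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"Passed": False}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)


def login(store, userid, password):
    """Registration page: returns a new session id on success, None otherwise."""
    ok = hmac.compare_digest(userid.encode("utf-8"), VALID_USERID.encode("utf-8")) and \
        hmac.compare_digest(password.encode("utf-8"), VALID_PASSWORD.encode("utf-8"))
    if not ok:
        return None
    sid = store.create()
    store.get(sid)["Passed"] = True  # the equivalent of Session("Passed") = True
    return sid


def serve(store, path, query, cookie_sid=None):
    """Top-of-page check: ('redirect', Login.htm) unless the session has Passed set.

    Note that `query` (e.g. {"page": "1"}) is consulted only after the
    session check, so typing hrmis.asp?page=1 grants nothing by itself.
    """
    session = store.get(cookie_sid) if cookie_sid else None
    if path == PROTECTED_PAGE:
        if not session or not session["Passed"]:
            return ("redirect", LOGIN_PAGE)
        return ("page", f"hrmis page {query.get('page', '1')}")
    return ("page", "public")


if __name__ == "__main__":
    store = SessionStore()
    print(serve(store, PROTECTED_PAGE, {"page": "1"}))          # redirect
    sid = login(store, "Hrmis", "Password")
    print(serve(store, PROTECTED_PAGE, {"page": "1"}, sid))     # page
```

The session id is the only thing the browser holds, and it is random rather than derived from the user name, so a client who knows the URL and even the account name still cannot fabricate the "Passed" state; a forged or expired id simply falls through to the redirect.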
