Security analysis of building websites with IIS+ASP

Source: Internet
Author: User
With the development of the Internet, web technology keeps changing: people are no longer satisfied with static HTML and increasingly require dynamic, interactive web technology. After the Common Gateway Interface (CGI), Microsoft launched IIS+ASP as a typical server-side web design technology; it is widely used in online banking, e-commerce, online surveys, online queries, BBS, search engines and other Internet applications. At the same time Access, the desktop database system Microsoft launched on its standard Jet engine, has a large user base because of its simple operation and friendly interface. Currently IIS+ASP+Access is the preferred option for small and medium-sized Internet sites. However, along with convenience, this solution brings considerable security risks.
I. Analysis of the security risks
The main security vulnerabilities of the IIS+ASP+Access solution come from the security of the Access database itself, followed by the security awareness and measures applied during ASP page design.
1. The database may be downloaded
In an IIS+ASP+Access website, if someone obtains or guesses the storage path and file name of the database in any of a variety of ways, the database can be downloaded to a local machine. For example, an online bookstore database is usually named Book.mdb or Store.mdb, and is stored under "url/database" or in the root directory "url/"; anyone who types the address "url/database/store.mdb" can then download the database.
2. The database may be decrypted
Because the encryption mechanism of an Access database is relatively simple, it is easy to decrypt even if a password has been set. The database system XORs the password entered by the user with a fixed key (for Access 97 the key is E6 EC 5D 9C FA C6 5E 13) to form an encrypted string, and stores it in the *.mdb file in a field starting at address &h42. Such a scheme is easy to reverse: a program of a few dozen lines can recover the password of any Access database. Therefore, once the database has been downloaded, its contents have no security whatsoever.
3. Security of ASP pages
(1) Source-code security risks. Because ASP pages are written in an interpreted (non-compiled) language, the security of the program source code is greatly reduced. If a hacker breaks into the site, the ASP source code can be obtained; for users renting space on a hosted server, the professional ethics of an individual server lessor can also cause the ASP application source code to leak.
(2) Security problems that are easily overlooked in programming. ASP code uses forms to implement interaction, and the corresponding content is reflected in the browser's address bar. If no appropriate security measures are taken, anyone who notes down that content can bypass the validation and go directly into a page. For example, typing "... page.asp?x=1" in the browser goes directly to the page that satisfies the "x=1" condition without passing through the form page. Therefore, special measures must be taken in the validation or registration page to prevent this.
II. Ways to improve the security of IIS+ASP websites
1. Prevent the database from being downloaded

Because the Access database encryption mechanism is too simple, effectively preventing the database from being downloaded becomes the most important step in improving the security of the ASP+Access solution. The following two methods are simple and effective.

(1) Unconventional naming. Give the Access database file a complex, unconventional name and place it several directories deep. For example, instead of naming an online bookstore database "Book.mdb" or "Store.mdb", use an irregular name such as Faq9jl.mdb, and put it in a directory several levels deep such as ./akkt/kj61/acd/av5. This makes it difficult for a hacker to obtain the Access database file name by guessing.

(2) Use an ODBC data source. In ASP program design, where conditions permit, use an ODBC data source as far as possible rather than writing the database name into the program; otherwise the database name is compromised together with the ASP source code. For example:

' The physical path of the database is embedded in the page source
DBPath = Server.MapPath("./akkt/kj61/acd/av5/faq9jl.mdb")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath

Clearly, however strange the database name and however deep the hidden directory, once the ASP source code is compromised the database is still very easy to download. If an ODBC data source is used, there is no such problem:
' Only the DSN name appears in the source; the file path lives in the ODBC configuration
Conn.Open "ODBCDSNName"
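The two exposures described in this section can be audited mechanically. The following script is an added example, not code from the original article: it walks an IIS web root, lists every .mdb file that sits below the root (and is therefore downloadable by URL regardless of how odd its name or how deep its directory), and lists every .asp file whose source embeds a literal .mdb path through Server.MapPath("...mdb") or a DBQ= clause. The web-root layout, file names and connection strings it creates are constructed sample data reproducing the article's examples; the DSN name "BookstoreDSN" is an assumption.

```python
"""Audit an IIS web root for downloadable Access databases and hard-coded .mdb paths.

Added example (not part of the original article). Assumes a classic IIS layout
where everything under the web root is served by URL, so any *.mdb below it can
be fetched as http://host/<relative path>.
"""
import os
import re
import tempfile
from typing import Dict, List

# Literal database references in ASP source: Server.MapPath("x.mdb") or DBQ=x.mdb
MDB_REF = re.compile(
    r'(?:MapPath\s*\(\s*"([^"]*\.mdb)"|DBQ\s*=\s*([^";]*\.mdb))', re.IGNORECASE
)


def find_downloadable_mdb(webroot: str) -> List[str]:
    """Return the URL path (relative to the site root) of every .mdb below the web root."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".mdb"):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append("/" + rel.replace(os.sep, "/"))
    return sorted(hits)


def find_hardcoded_db_paths(webroot: str) -> Dict[str, List[str]]:
    """Map each .asp file (by URL path) to the literal .mdb paths its source embeds."""
    findings: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".asp"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                # findall yields (mappath_group, dbq_group); exactly one is non-empty
                refs = [a or b for a, b in MDB_REF.findall(fh.read())]
            if refs:
                rel = "/" + os.path.relpath(path, webroot).replace(os.sep, "/")
                findings[rel] = refs
    return findings


def build_sample_site() -> str:
    """Constructed web root reproducing the article's two layouts (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    os.makedirs(os.path.join(root, "database"))
    os.makedirs(os.path.join(root, "akkt", "kj61", "acd", "av5"))
    # conventional name in a conventional place, and the "hidden" name from the article
    open(os.path.join(root, "database", "store.mdb"), "wb").close()
    open(os.path.join(root, "akkt", "kj61", "acd", "av5", "faq9jl.mdb"), "wb").close()
    # page that embeds the physical path (the pattern the article warns about)
    with open(os.path.join(root, "shop.asp"), "w", encoding="utf-8") as fh:
        fh.write('DBPath = Server.MapPath("./akkt/kj61/acd/av5/faq9jl.mdb")\n'
                 'Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath\n')
    # page that opens an ODBC DSN (assumed name) and so reveals no path
    with open(os.path.join(root, "login.asp"), "w", encoding="utf-8") as fh:
        fh.write('Conn.Open "BookstoreDSN"\n')
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for url in find_downloadable_mdb(site):
        print("downloadable by URL:", url)
    for page, refs in find_hardcoded_db_paths(site).items():
        print("hard-coded database path in", page, "->", refs)
```

Run against a real site by passing its web-root directory to the two functions instead of the constructed tree. The first list is non-empty for any .mdb under the root, which is the reason the article's naming trick only raises the guessing cost; the second list stays empty for pages that open a DSN, which is the article's second recommendation.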

2. Encrypt ASP pages

To effectively prevent leakage of ASP source code, ASP pages can be encrypted. We have used two methods to encrypt ASP pages. One is to encapsulate the programming logic into DLLs using component technology; the other is to encrypt ASP pages with the Microsoft Script Encoder. The main problem with component technology is that every piece of code has to be made into a module, so the operation is cumbersome and the workload is large, whereas encrypting ASP pages with the Script Encoder is simple to operate and gives good results. The Script Encoder is run as SCRENC.EXE, with the following syntax:

screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] inputfile outputfile

Where: /s suppresses screen output; /f specifies that the output file overwrites an input file of the same name; /xl controls whether the @language directive is added at the top of .asp files; /l defLanguage specifies the default scripting language; /e defExtension specifies the extension of the files to be encrypted.

3. Registration verification
To prevent unregistered users from bypassing the registration interface and entering the application system directly, we use the Session object for registration verification. For example, we built the following registration (login) page.

The design calls for the system to open the page Hrmis.asp?page=1 after a successful registration. If the Session object were not used for registration verification, a user typing "url/hrmis.asp?page=1" in the browser could bypass the registration interface and enter the system directly.

Here the Session object is used for registration verification on the login page:


<%
' Read the user name and password submitted from the login form
UserID = Request("UserID")
Password = Request("Password")

' Check that the user name and password are correct
' (credentials are hard-coded here exactly as in the article's example)
If UserID <> "Hrmis" Or Password <> "Password" Then
    Response.Write "Account Error!"
    Response.End
End If

' Record in the Session object that validation has passed
Session("passed") = True
%>

After entering the application, every page first verifies this status:

<%
' If validation has not passed, send the user back to the login page
If Not Session("passed") Then
    Response.Redirect "Login.asp"
End If
%>

Through this research on the security of IIS+ASP+Access network application systems, we have reformed our existing system and obtained good results.


