Security Analysis of website creation using IIS + ASP

Source: Internet
Author: User

With the development of the Internet, web technology changes almost daily, and static HTML is no longer enough: the demand is for dynamic, interactive web technology. After the Common Gateway Interface (CGI), Microsoft's IIS + ASP solution became a typical server-side web page technology and is widely used in Internet applications such as online banking, e-commerce, online surveys, online queries, BBS, and search engines. At the same time, Access, the desktop database system that Microsoft ships with the standard Jet engine, has a large user base thanks to its simple operation and user-friendly interface. IIS + ASP + Access is currently the preferred solution for small and medium-sized websites. This solution brings convenience, but it also brings severe security problems.

I. Security Risk Analysis

The main security risks of the IIS + ASP + Access solution come from the security of the Access database itself, followed by the security awareness and measures applied during ASP page design.

1. The database may be downloaded.

On an IIS + ASP + Access website, if someone obtains or guesses the storage path and file name of the database, the database can be downloaded to their local machine. For example, an online bookstore database is usually named book.mdb or store.mdb and stored under "url/database" or directly under the root directory "url/", so anyone who enters the address "url/database/store.mdb" in a browser can download the database.

2. The database may be decrypted.

Because the encryption mechanism of the Access database is relatively simple, it is easy to decrypt even when a password is set. The database system combines the password entered by the user with a fixed key (for Access 97, for example, 86 fb ec 37 5d 44 9C fa C6 5E 28 E6 13) to form an encrypted string and stores it in the .mdb file starting at offset &H42. It is easy to write a decryption program: an applet of a dozen lines can obtain the password of any Access database. Therefore, once the database has been downloaded, its information is no longer secure.

3. ASP page security

(1) Source code security risks. Because ASP programs are written in a non-compiled (interpreted) language, the security of the program source code is greatly reduced. If hackers intrude into the site, they can obtain the ASP source code. For users who rent servers, the source code of ASP applications may also be leaked because of the poor professional ethics of individual server rental agencies.

(2) Security issues that are easily overlooked in programming. ASP code uses forms for interaction, and the submitted content is reflected in the browser's address bar. If appropriate security measures are not taken, anyone who writes down that content can access a page directly without authentication. For example, entering "... page.asp?x=1" in the browser reaches the page that satisfies the "x=1" condition without going through the form page. Special measures must therefore be taken on verification or registration pages to avoid this problem.

II. How to Improve the Security of IIS + ASP Websites

1. Prevent database downloads

Because the Access database encryption mechanism is too simple, effectively preventing the database from being downloaded is the top priority for improving the security of an ASP + Access solution. The following two methods are simple and effective.

(1) Unconventional naming. Give the Access database file a complex, unconventional name and place it several directories deep. For example, instead of naming an online bookstore database "book.mdb" or "store.mdb", use an unconventional name such as faq9jl.mdb and put it in the /akkt/kj61/ACD/av5 directory; it is then difficult for hackers to obtain the Access database file name by guessing.

(2) Use an ODBC data source. In ASP programming, use an ODBC data source wherever conditions permit, and do not write the database file name in the program. Otherwise, if the ASP source code is leaked, the database name is leaked with it. For example:

' The physical path of the database is written directly into the ASP source
Set Conn = Server.CreateObject("ADODB.Connection")
dbpath = Server.MapPath("./akkt/kj61/ACD/av5/faq9jl.mdb")
Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath

It can be seen that even if the database name is made obscure and the directory hidden deeper, once the password is lost and the ASP source code leaks, the database can easily be downloaded. If an ODBC data source is used, this problem does not occur.
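Putting the two recommendations together, here is an added example (not code from the original article) of a shared ASP include that opens the bookstore database through a System DSN, so no file name or path appears in the source, and guards protected pages with a server-side session check, so the address-bar trick from section I.3(2) is redirected to the login form. Assumed names: the include file secure.asp, a System DSN called BookStore registered in the ODBC Data Source Administrator, a Users table with UserName and PasswordHash columns, and a helper HashPassword defined elsewhere.

```vbscript
<%
' Added example, not code from the original article (assumed file: secure.asp).
' The database is reached only through a System DSN ("BookStore", assumed);
' the .mdb name and directory are known to ODBC, not to this source file.
Function OpenBookDb()
    Dim conn
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=BookStore"
    Set OpenBookDb = conn
End Function

' Look the user up with a parameterised ADODB.Command (assumed table Users,
' columns UserName and PasswordHash). 200 = adVarChar, 1 = adParamInput.
Function ValidUser(userName, passwordHash)
    Dim conn, cmd, rs
    Set conn = OpenBookDb()
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandText = "SELECT UserName FROM Users WHERE UserName = ? AND PasswordHash = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", 200, 1, 64, passwordHash)
    Set rs = cmd.Execute
    ValidUser = Not rs.EOF
    rs.Close
    conn.Close
End Function

' Called from login.asp. Only a POSTed form is accepted and the credentials
' are read from Request.Form, never from the query string, so nothing typed
' into the address bar can log a user in. HashPassword is an assumed helper.
Sub HandleLogin()
    If Request.ServerVariables("REQUEST_METHOD") <> "POST" Then Exit Sub
    If ValidUser(Request.Form("username"), HashPassword(Request.Form("password"))) Then
        Session("UserID") = Request.Form("username")
        Response.Redirect "admin.asp"
    End If
End Sub

' Every protected page includes secure.asp and calls RequireLogin first.
' The check reads the server-side Session, so a request such as
' "admin.asp?x=1" without a logged-in session is sent to the login form.
Sub RequireLogin()
    If Session("UserID") = "" Then
        Response.Redirect "login.asp"
    End If
End Sub
%>
```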
