On the security problems of ASP
First of all, I often see people say that ASP is insecure, for example that it is easy to inject, and I have never understood this argument. If your skill level is low, then sites you write in PHP, ASP.NET or JSP can be injected just as well; what does that have to do with ASP? ASP is only a technology. Whether a site developed with it is secure depends solely on the level of the programmer and the server administrator, and the same holds for a site developed with any technology. As long as your program has holes in it, and the database you use supports standard SQL syntax (or the injector knows its syntax), injection is possible.
Enough chatter; today I will draw on my personal experience to briefly talk about the common security problems in ASP.
One, injection. Whenever website security comes up, SQL injection is mentioned first. Let's take a look at what actually happens in SQL injection. Simply put, SQL injection means passing illegal parameters in a variety of ways, which come down to the following:
• Provoking an error in the program, so that the injector learns what he wants from the error message the server returns; this is commonly used to determine the type of database.
• Executing special statements to guess table names.
• Constructing a special statement, most often to bypass the login check and obtain administrative privileges.
To address the above problems, I generally use the following methods:
• The first two situations should be considered together. Whichever kind it is, the injection is carried out by constructing illegal parameters, so in the program we restrict the parameters: define a rule for what a valid parameter is, and treat everything else as illegal. However, the following mistakes are often seen in testing:
1. Using the IsNumeric function to check IDs. This function only determines whether a value is a number, nothing more, so if I enter the URL shownews.asp?id=1.1 it passes the check, because 1.1 is also a number; so does id=0. Do you have such an ID? No: the IDs in any database table are positive integers starting from 1. So please stop using IsNumeric to check whether an ID is valid. What should be used instead? A regular expression.
You can use Id = CInt(Request("id")) or CLng, or simply use a regular expression to replace all non-numeric characters so that only digits remain. (See: replacing non-numeric characters with a regular expression in ASP.)
2. Missing or incomplete error handling. Take the rs.EOF case: if it is not handled and I submit id=999999999999999, the program raises an error. I believe very few sites have such a large ID, and even if one does, I can pick a larger one. I've had people use tools to test my IDs continuously, from 8000 to 10,000. Then there is the type parameter: news on a typical site is divided into several columns, and type determines which column each list page shows. What if someone submits a type value that does not exist? This also needs handling; the Case Else clause of Select Case exists precisely for this unexpected situation, so don't leave it out for the sake of convenience.
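The two checks above, put together as an added example (Python rather than VBScript, and not code from the original article): a strict positive-integer rule for the ID, a rough model of IsNumeric for comparison, a Case Else style default for the type parameter, and a lookup that turns the rs.EOF case into a normal "not found" response instead of an unhandled error. The news table, column names and status codes are constructed for the example.

```python
import re

# Rule for a record ID as the article states it: a positive integer starting
# from 1, written with digits only. fullmatch rejects '1.1', '0', '-5',
# ' 12 ' and a trailing newline, all of which looser checks let through.
ID_PATTERN = re.compile(r"[1-9][0-9]*")


def is_valid_id(value: str) -> bool:
    return ID_PATTERN.fullmatch(value) is not None


def is_numeric_like(value: str) -> bool:
    """Rough model of VBScript's IsNumeric: anything that parses as a
    number passes, which is exactly why it is the wrong check for an ID."""
    try:
        float(value)
        return True
    except ValueError:
        return False


# Constructed stand-in for the news table; keys play the role of the ID column.
NEWS_TABLE = {1: "First article", 2: "Second article", 8042: "An old article"}

# Constructed column names; anything else falls into the Case Else branch.
COLUMNS = {"news": "News", "notice": "Notices", "tech": "Technology"}


def column_title(type_value: str) -> str:
    """Equivalent of Select Case ... Case Else: an unknown type value gets a
    safe default instead of an unhandled error."""
    return COLUMNS.get(type_value, COLUMNS["news"])


def show_news(id_value: str) -> tuple:
    """Return (status, body) for shownews.asp?id=... with both checks in place:
    reject malformed IDs up front, and handle the rs.EOF case (no such row)
    instead of letting the lookup raise."""
    if not is_valid_id(id_value):
        return 400, "invalid id"
    row = NEWS_TABLE.get(int(id_value))   # rs.EOF corresponds to None here
    if row is None:
        return 404, "no such record"
    return 200, row
```

The regular expression, not the numeric parse, is what decides; an ID that is well formed but absent from the table is a separate, equally expected case and gets its own branch.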
• The problem of bypassing the login check mostly arises because programmers write the login check like this:
Sql = "SELECT COUNT(*) FROM Admin WHERE username='" & UserName & "' AND pwd='" & Pwd & "'"
If RS(0) > 0 Then ...
At this point the injection uses or, constructing a special SQL statement:
Sql = "SELECT COUNT(*) FROM Admin WHERE username='' or '='' AND pwd='' or '=''"
This is produced by entering ' or '=' in both the username and the password text boxes, at which point the result of COUNT(*) is certainly greater than 0: it equals the number of records in your Admin table, because every record satisfies the SELECT statement. Of course, we can filter the injected input by writing suitable rules, and other methods can be used alongside them, for example the way I write it:
Sql = "SELECT password FROM Admin WHERE username='" & UserName & "'"
If Rs.EOF Then
    ...
Else
    If RS("password") = Request.Form("pass") Then
        ...
    End If
End If
With this way of writing, even if you make no rules at all, the above method basically cannot get in: it can only get past the first step, and at If RS("password") = Request.Form("pass") Then it has no way through, because nobody gives the administrator a password like ' or '='. The two cannot be equal, so the login must be rejected. Of course, to be on the safe side, it's best to use both methods together to make sure it is foolproof.
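The two login patterns side by side, as an added example run against an in-memory SQLite table (Python, not code from the original article). The injected value is written as ' or ''=' (the doubled-quote form SQLite needs to produce the empty-string comparison the article describes); the COUNT(*) check accepts it, the article's compare-in-code check rejects it. A third function, added beyond the article, binds the username as a query parameter so the input never becomes part of the SQL text at all. The Admin row and the password are constructed; the article's plain-text password storage is kept to match the text.

```python
import sqlite3


def make_admin_db() -> sqlite3.Connection:
    """Constructed in-memory Admin table with one made-up row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Admin (username TEXT, pwd TEXT)")
    conn.execute("INSERT INTO Admin VALUES ('admin', 'constructed-secret')")
    conn.commit()
    return conn


def login_count_star(conn, username: str, pwd: str) -> bool:
    """The pattern the article warns about: both inputs are concatenated into
    the statement and the only test is COUNT(*) > 0."""
    sql = ("SELECT COUNT(*) FROM Admin WHERE username='" + username
           + "' AND pwd='" + pwd + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_compare_in_code(conn, username: str, pwd: str) -> bool:
    """The article's fix: look the user up by name, then compare the stored
    password in code (rs.EOF becomes a None row here)."""
    sql = "SELECT pwd FROM Admin WHERE username='" + username + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return False
    return row[0] == pwd


def login_parameterized(conn, username: str, pwd: str) -> bool:
    """Added beyond the article: a bound parameter keeps the username out of
    the SQL text entirely, so no quoting trick can change the query."""
    row = conn.execute("SELECT pwd FROM Admin WHERE username=?",
                       (username,)).fetchone()
    return row is not None and row[0] == pwd


# The value typed into both boxes, in the form this SQL dialect needs.
PAYLOAD = "' or ''='"
```

With PAYLOAD the first query becomes WHERE username='' or ''='' AND pwd='' or ''='' and counts every row; the second query returns the real admin row, whose stored password is not equal to the payload, so the comparison fails exactly as the article says. The parameterized query returns no row at all.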
There is another often overlooked form of injection: cookie injection. When a parameter may arrive either through the URL or through a form, most people abbreviate the read to Request("page"). You relax, and so does the injector, because Request without a specific collection tries to read the parameter from QueryString, then Form, then Cookies, in that order. If the injector forges a cookie and then enters www.sitename.com/shownews.asp in the browser, a shownews.asp written with a bare Request will not raise an error, because the program finds the ID in the cookie; if that parameter is not checked, injection is possible. So I suggest using Select Case or If to check the parameter explicitly; it is a little more trouble, but safety comes first.
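A model of the collection-less Request("id") lookup described above, as an added example (Python, not code from the original article). The Request class is constructed to mirror ASP's search order (QueryString, Form, Cookies); the loose reader returns whatever the forged cookie carries, while the strict reader only looks in the collection the page was designed for and then applies the positive-integer rule. The cookie value and request contents are constructed.

```python
import re

ID_PATTERN = re.compile(r"[1-9][0-9]*")


class Request:
    """Constructed model of ASP's Request object: three collections and the
    collection-less lookup that searches them in ASP's order."""

    def __init__(self, query_string=None, form=None, cookies=None):
        self.query_string = dict(query_string or {})
        self.form = dict(form or {})
        self.cookies = dict(cookies or {})

    def item(self, name: str) -> str:
        # Request("name") with no collection: QueryString, then Form, then
        # Cookies. A forged cookie is found whenever the URL carries no value.
        for collection in (self.query_string, self.form, self.cookies):
            if name in collection:
                return collection[name]
        return ""


def id_from_request_loose(req: Request) -> str:
    """What shownews.asp does when written as Request("id")."""
    return req.item("id")


def id_from_request_strict(req: Request):
    """Read the ID only from the collection the page is designed for, then
    apply the positive-integer rule; anything else yields None."""
    value = req.query_string.get("id", "")
    if ID_PATTERN.fullmatch(value):
        return int(value)
    return None


# Constructed requests: one with no ?id= in the URL but a cookie named id,
# one with a normal query string.
FORGED = Request(query_string={}, cookies={"id": "constructed-cookie-value"})
NORMAL = Request(query_string={"id": "42"})
```

The strict reader is the Select Case / If approach from the text: name the source you expect, then validate the value; a cookie named id is simply never consulted.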
Two, the ASP upload vulnerability. Several widely used upload components share the same problem: there is no effective check of the uploaded file's type. This problem is quite frustrating; one can only rely on other means and check manually, and always on the server side. If ASP itself has a problem anywhere, it is here.
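One form the server-side check can take, as an added example (Python, not code from the original article or any upload component): the extension must be on an allow-list, the file content must begin with the signature that extension requires, and the name used on disk is generated by the server rather than taken from the client. The allow-list, sample bytes and naming scheme are constructed for the example.

```python
import os

# Server-side allow-list: extension -> leading bytes the file must carry.
# Constructed for this example; extend to the types the site actually needs.
ALLOWED_TYPES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def extension_of(filename: str) -> str:
    """Take the final extension only and lower-case it, so 'x.jpg.asp'
    is judged as '.asp', not '.jpg'."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def is_allowed_upload(filename: str, data: bytes) -> bool:
    """Accept only when the extension is on the allow-list and the content
    starts with the signature that extension requires. The client's own
    claim (file name, Content-Type header) is never trusted on its own."""
    ext = extension_of(filename)
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return False
    return any(data.startswith(sig) for sig in signatures)


def stored_name(filename: str, sequence: int) -> str:
    """Build the on-disk name from a server-side counter and the validated
    extension, discarding whatever path or name the client sent."""
    return "upload_%08d%s" % (sequence, extension_of(filename))


# Constructed sample uploads: a JPEG-looking header, and plain script text
# sent under an image name.
JPEG_BYTES = b"\xff\xd8\xff\xe0" + b"\x00" * 16
SCRIPT_BYTES = b"<% ' script text, not an image %>"
```

Both tests have to pass: a script renamed to .jpg fails on the signature, and a real image with a double extension fails on the extension. Regenerating the stored name also removes any directory components the client may have included.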
Three, permission checks in the back end. I have read several back ends in which permissions are checked only on the first page, at login, and none of the other back-end pages check them. Every back-end page needs to check permissions; otherwise I can type the address of a function page directly into the browser and pass unimpeded, and what is your back-end login good for?
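A per-page permission check of the kind the paragraph calls for, as an added example (Python, not code from the original article): a guard that every back-end handler is wrapped in, the equivalent of an include at the top of each page, next to one deliberately unguarded page that shows the mistake. Page paths, session keys and return values are constructed for the example.

```python
from functools import wraps

LOGIN_PAGE = "login.asp"   # constructed page name
PAGES = {}                 # path -> handler, registered below


def requires_admin(handler):
    """Per-page permission check: no admin flag in the session means a
    redirect to the login page, and the handler body never runs."""
    @wraps(handler)
    def guarded(session):
        if not session.get("is_admin"):
            return ("redirect", LOGIN_PAGE)
        return handler(session)
    return guarded


def page(path):
    """Register a handler under a back-end path (constructed dispatcher)."""
    def register(handler):
        PAGES[path] = handler
        return handler
    return register


@page("admin/index.asp")
@requires_admin
def admin_index(session):
    return ("ok", "admin index")


@page("admin/delnews.asp")
@requires_admin
def delete_news(session):
    return ("ok", "deleted")


@page("admin/oldreport.asp")
def old_report(session):
    # The mistake the article describes: a function page that assumes the
    # login page already checked permissions and does no check of its own.
    return ("ok", "report contents")


def dispatch(path, session):
    """Typing a back-end address directly into the browser: guarded pages
    bounce to login, the unguarded one answers anyway."""
    handler = PAGES.get(path)
    if handler is None:
        return ("notfound", path)
    return handler(session)
```

The check has to sit on every function page, not only on the entry page; the session flag is what the login page sets, and each page re-reads it before doing any work.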
Four, ignoring server-side validation. JavaScript is a powerful thing, and its most common use is client-side checking, such as refusing an empty field or defining a regular expression for more advanced checks. Some programmers feel this is good: the browser helps with validation, the client takes over a lot of the work, the server's burden is lighter and performance improves. But nearly all browsers now offer an option to disable JavaScript, which means the information the client submits may reach the server without any checking at all. At that point the server resources you saved are insignificant next to security. So validation is needed on both the client and the server; you may even have no validation at all on the client, but the server side must validate.
The same applies to information submitted from outside the site. An off-site submission can also skip client-side validation; the simplest way is to right-click to view your form's source, copy it locally, change the value of action to the full network address, and remove the client-side validation code. Even though the submitter can escape the checking code on your site this way, server-side validation cannot be skipped. Of course, if the submitted content is fine, it is normal for things submitted from outside the site to be kept; but in that case, why would anyone go to such trouble?
Five, summary.
In fact, all of ASP's possible problems come down to one thing: errors. Either errors made when writing the program, or errors caused by the client submitting wrong parameters. ASP has an error-handling mechanism, and I recommend including it in every page you write, namely On Error Resume Next: it ignores errors and continues executing, so even if an error leaves the page showing nothing, it will not disclose any error content to the client, and that alone solves many problems. Ultimately, however, the security of ASP depends on the programmer's carefulness: handle every place where a problem might occur, and the program becomes safe.
This article draws on a lot of content from related articles by ATMO; my thanks to Atmo here! If there are any mistakes, I also hope you will point them out!
You can also refer to the articles on this site about attacks launched through Webshells and their prevention.