Security issues in ASP files

Source: Internet
Author: User

ASP security issues
I often see it said that ASP is not secure, for example that it is vulnerable to injection. If your skill level is not high, PHP, ASP.NET and JSP can be injected just the same. What is ASP? ASP is just a technology. Whether a website developed with ASP is secure depends on the skill of the programmers and of the server administrator, and the same is true of a website developed with any technology. As long as your program has vulnerabilities and the database you use supports standard SQL syntax, or whatever syntax the injector happens to use, there is a possibility of being injected.
Let's talk about the common security problems in ASP today based on my personal experience.

1. Injection. Whenever website security comes up, SQL injection is the first issue to face. Let's look at what SQL injection actually is. Put simply, SQL injection means submitting illegal parameters in one way or another. The methods and goals come down to the following:
· Provoke a program error in order to get the information the intruder wants from the error message returned by the server. This method is often used to determine the database type.
· Execute special statements to guess table names.
· Construct special statements, often used to obtain administrator permissions by bypassing the logon check.
To address the above problems, I generally adopt the following methods:
· The first two cases should be considered together. Whichever injection method is used, it works by constructing illegal parameters, so we can have the program restrict parameters: define a rule for valid parameters, and treat anything that does not comply with the rule as illegal. However, the following mistakes are commonly seen:
1. Using the IsNumeric function to check IDs. This function only determines whether the value is a number. If I enter a URL such as shownews.asp?id=1.1, it also passes the check, because 1.1 is a number too, and so does id=0. Does such an ID exist? No. IDs in any database table are positive integers starting from 1. Therefore, do not use IsNumeric to check the validity of an ID. What should be used instead? A regular expression.
You can use ID = CInt(Request("ID")) or CLng, or use a regular expression to replace all non-numeric characters so that only digits remain (in ASP, a regular expression replace that substitutes an empty string for every non-digit).

2. Missing or incomplete error handling. For example, if the Rs.EOF case is not handled and I submit id=999999999999999, the program will fail. I believe few websites have an ID that large, and even if one does, I can simply change the value. I once had someone use a tool to test my IDs one after another, from 8000 to more than 10000. There is also the type parameter. Website news is usually divided into several columns, and the type parameter decides which column's content each list page displays. What if someone submits a type value that does not exist? This also needs to be handled. The Case Else clause of Select Case exists for exactly this kind of unexpected situation. Do not leave it out just to save effort.
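One way to implement the ID rule and the Rs.EOF handling from the two points above, as an added example that is not code from the original article. The function name ParsePositiveId, the News(id, title) table and the open ADODB connection conn are assumptions.

```vbscript
<%
' Added example (not from the original article). Assumptions: an open
' ADODB.Connection named conn and a hypothetical table News(id, title).

' Returns the ID as a Long, or 0 when the input is not a positive integer.
Function ParsePositiveId(raw)
    Dim re
    ParsePositiveId = 0
    Set re = New RegExp
    ' First digit 1-9 rejects 0, 1.1 and leading zeros; at most 9 digits
    ' keeps the value inside the Long range, so CLng cannot overflow on
    ' input such as 999999999999999.
    re.Pattern = "^[1-9][0-9]{0,8}$"
    If re.Test(raw) Then ParsePositiveId = CLng(raw)
End Function

Dim id, cmd, rs
' & "" turns a missing parameter into an empty string before the check.
id = ParsePositiveId(Request.QueryString("id") & "")
If id = 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                                          ' adCmdText
cmd.CommandText = "select title from News where id = ?"
cmd.Parameters.Append cmd.CreateParameter("id", 3, 1, , id)  ' adInteger, adParamInput
Set rs = cmd.Execute

If rs.EOF Then
    ' Well-formed ID that matches no row: answer cleanly instead of
    ' letting a later rs("title") raise an error.
    Response.Status = "404 Not Found"
Else
    Response.Write Server.HTMLEncode(rs("title").Value & "")
End If
rs.Close
%>
```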
· Most of the problems with bypassing logon detection are caused by the programmer writing the logon detection statement as follows:

SQL = "select count(*) from Admin where username='" & username & "' and Pwd='" & PWD & "'"
If RS(0) > 0 Then ....

In this case, an OR injection can be used to construct a special SQL statement:
SQL = "select count(*) from Admin where username='' or ''='' and Pwd='' or ''=''"
This is constructed by entering 'or ''='' in both the username and password text boxes. The count(*) result is then certain to be greater than 0: it equals the number of records in your Admin table, because every record satisfies the condition of the SELECT statement. Of course, we can filter out injected input by defining appropriate rules, supplemented by other methods. For example, I write it like this:

SQL = "select password from Admin where username='" & username & "'"
If Rs.EOF Then
    ...
Else
    If RS("password") = Request.Form("pass") Then
        ...
    End If
End If

In this way, even if you have not set any rules, the method above basically cannot succeed, because the injection can only get past the first step. At the following comparison, If RS("password") = Request.Form("pass") Then, it gets nowhere, because no one sets an administrator password like 'or ''=''. The two values cannot match, and logon is rejected. Of course, it is best to use both methods to ensure security.
One kind of injection is often overlooked: cookie injection. When a parameter can be passed either through the URL or through a form, most people simply use Request("page"). That saves you effort, but it saves the intruder effort too, because when the request does not name a specific collection, ASP tries to read the parameter in the order querystring/form/cookie. The intruder can forge a cookie and then enter the address in the browser. It is recommended that you use Select Case or If to decide which collection to read. This is more trouble, but safety comes first.
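A logon check that combines both points above, binding the username as a parameter (the second query in the article still concatenates it into the SQL text) and reading the fields from Request.Form only. This is an added example, not code from the original article; the function name CheckLogin, the form field name username and the open ADODB connection conn are assumptions.

```vbscript
<%
' Added example (not from the original article). Assumptions: an open
' ADODB.Connection named conn and the article's Admin(username, password)
' table, with the password stored the way the article's code compares it.

' Returns True only when the submitted credentials match a row.
Function CheckLogin(conn, username, pass)
    Dim cmd, rs
    CheckLogin = False
    ' Rule for valid input: reject empty or oversized values up front.
    If Len(username) = 0 Or Len(username) > 50 Or Len(pass) = 0 Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = 1                                   ' adCmdText
    ' The ? placeholder is bound as data, so quotes in username cannot
    ' change the structure of the statement.
    cmd.CommandText = "select password from Admin where username = ?"
    cmd.Parameters.Append cmd.CreateParameter("username", 200, 1, 50, username) ' adVarChar, adParamInput
    Set rs = cmd.Execute

    If Not rs.EOF Then
        ' Second step from the article: compare in code, not in SQL.
        If StrComp(rs("password").Value & "", pass, vbBinaryCompare) = 0 Then CheckLogin = True
    End If
    rs.Close
End Function

' Read each field from the one collection the logon form posts to.
' Request("username") would also accept a query-string or cookie value.
Dim user, pass
user = Request.Form("username") & ""
pass = Request.Form("pass") & ""

If CheckLogin(conn, user, pass) Then
    Session("admin") = True
Else
    Response.Write "Login failed"
End If
%>
```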
2. ASP upload vulnerability. I have used several component-free upload classes, and they all work in much the same way. They all lack effective checking of the type of the uploaded file. This problem is depressing. For now I can only use other methods to check manually, all of them on the server side. If ASP has a problem anywhere, it is here.
3. Back-end permission checks. I have read through several back ends in which permissions are checked only on the first page after logon, and no check is made on the other back-end pages. Every page in the back end needs to check permissions. Otherwise, I can type the address of a function page into the browser and get in unhindered. What is the back-end logon for, then?
4. Neglecting server-side validation. JavaScript is a powerful thing, and its most common use is client-side checking, for example making sure a field is not empty, or defining regular expressions for more advanced checks. Some programmers think this is great: with the browser's help, the client takes over the work, the server load drops, and performance improves. However, almost all browsers now offer an option to turn off JavaScript support. That is to say, the information submitted by the client may reach the server without any check at all. The server resources you saved are then insignificant compared with the security cost. Therefore, validation is needed on both the client and the server, and even if you do no validation on the client, the server must always validate.
This also applies to handling information submitted from outside the site. A submission from outside the site can skip the client-side validation. The simplest way is to right-click your form, view the source code and copy it to a local file, change the action value to the full network address, and then remove the client-side validation. Even if you have no code to detect off-site submission, server-side validation cannot be skipped. Of course, if there is nothing wrong with the content he submits, it is normal for the off-site submission to be saved, but in that case, why would he go to all that trouble?
5. Summary.
In fact, all ASP problems can be traced back to one thing: errors. Either the program is written incorrectly, or the client submits incorrect parameters that cause an error. ASP has an error handling mechanism. It is recommended that you write it into the file that every page includes, namely On Error Resume Next. It ignores errors and continues execution; even if the page cannot be displayed because of an error, the error details are not disclosed to the client. It can solve many problems. In the end, however, the security of ASP depends on the care of the programmer, and the security of such programs is ensured by handling every problem that could occur.
This article references an article by atmo. Thanks to atmo! If there are any mistakes or omissions, I hope you can point them out!
You can also refer to some articles on webshell attacks and prevention published on the website.
