Security Risks and Countermeasures of ASP + Access

Source: Internet
Author: User
Tags: microsoft, website
Http://tech.ccidnet.com/art/1099/20070420/1066767_1.html

With the development of the Internet, Web technology changes with each passing day. Following the Common Gateway Interface (CGI), ASP has become a typical server-side web page technology and is widely used in Internet applications such as online banking, e-commerce, and search engines. At the same time, the Access database, a desktop database system launched by Microsoft on the standard JET engine, has a large user base thanks to its simple operation and user-friendly interface. ASP + Access has therefore become the preferred solution for many small and medium-sized online application systems. However, while the ASP + Access solution brings convenience, it also brings security problems.

ASP + Access Security Risks

The main security risks of the ASP + Access solution come first from the security of the Access database itself, and second from security vulnerabilities in the ASP web page design process.

1. Access database storage risk

In an ASP + Access application system, anyone who obtains or guesses the storage path and file name of the Access database can download the database to a local machine. For example, the Access database of an online bookstore is generally named something like book.mdb or store.mdb, and it is generally stored under "URL/database" or simply placed in the root directory ("URL/"). In that case, store.mdb can easily be downloaded to a local machine simply by entering "URL/database/store.mdb" in the browser's address bar.

2. Access database decryption risk

Because the encryption mechanism of the Access database is very simple, the database is easy to decrypt even when a password has been set. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores that string in the region of the .mdb file starting at offset &H42. Because XOR has the property that applying it twice restores the original value, XORing the same key with the encrypted string from the .mdb file a second time yields the Access database password. A decryption program based on this principle is easy to write.

Therefore, whether or not a database password has been set, once the database has been downloaded its contents have no security at all.

3. Source code security risk

ASP programs are written in a non-compiled (interpreted) language, which greatly reduces security. Anyone who can access the site's files can obtain the source code, so the source code of the ASP application is leaked.

4. Programming security risk

ASP code uses forms to interact with users, and the submitted content is reflected in the browser's address bar. This creates a security hole: anyone who writes that content down can bypass the verification and enter a page directly. For example, requesting "page.asp?x=1" directly reaches the page that matches the "x = 1" condition without ever going through the form page. Special measures must therefore be taken to avoid this problem when designing verification or login pages.

Improving Database Security

Because the encryption mechanism of the Access database is too simple, effectively preventing the Access database from being downloaded is the most important way to improve the security of ASP + Access.

1. Unconventional naming rules

A simple way to prevent the database from being found is to give the Access database file a complex, unconventional name and to store it in a multi-layer directory. For example, do not simply name the database file of an online bookstore "book.mdb" or "store.mdb"; instead give it an unusual name and put it in a deep directory such as ./akkjj16t/kjhgb661/acd/avccx55. In this way, illegal access attempts that try to obtain the Access database file name by guessing are defeated.

2. Use ODBC data sources

In ASP programming, an ODBC data source should be used whenever possible; do not write the database path and name directly into the program. Otherwise the database name is leaked together with the ASP source code. For example:

      
       DBPath = Server.MapPath(“./akkjj16t/ 
       
kjhgb661/acd/avccx55/faq19jhsvzbal.mdb ”)
conn.Open “driver={Microsoft Access Driver (*.mdb)};dbq=” & DBPath

As can be seen, even if the database name is strange and the directory is deeply hidden, the database is easily downloaded once the ASP source code has been leaked. With an ODBC data source this problem does not arise, because the page only needs to contain:

       conn.Open "ODBC-DSN name"

To effectively prevent ASP source code leakage, ASP pages can be encrypted. There are two methods. One is to use component technology to encapsulate the programming logic in a DLL; the other is to use Microsoft Script Encoder to encrypt the ASP pages. I believe the main problem with component technology is that every segment of code must be componentized, so the operation is cumbersome and the workload is large. Using Script Encoder to encrypt ASP pages is simple and gives good results.

The Script Encoder method has many advantages:

1. The HTML remains editable. Script Encoder only encrypts the ASP code embedded in the HTML page and leaves the rest unchanged, so common web page editors such as FrontPage or Dreamweaver can still be used to modify and improve the HTML part. The encrypted ASP part must not be modified, however, or the file becomes invalid.

2. Easy to operate. Only a few command line parameters need to be mastered. The Script Encoder executable is screnc.exe, which is used as follows:

       screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] inputfile outputfile

The parameter meanings are as follows:

/s: silent mode; suppresses screen output;

/f: specifies whether the output file overwrites an input file of the same name;

/xl: controls whether the @Language directive is added at the top of .asp files;

/l defLanguage: specifies the default script language;

/e defExtension: specifies the extension of the files to be encrypted.

3. Files can be encrypted in batches. Script Encoder can encrypt all ASP files in the current directory and output the encrypted files to the corresponding directory.

4. Script Encoder is free software and can be downloaded from the Microsoft website.

Using the Session Object for Login Verification

To prevent unregistered users from bypassing the login interface and directly accessing the application system, the Session object can be used for login verification. The biggest advantage of the Session object is that it retains a user's information so that subsequent web pages can read it. For example, design the login page shown in Figure 1.

After a successful login, the system opens the page hrmis.asp?Page=1. If the Session object is not used for login verification, a user can simply enter "URL/hrmis.asp?Page=1" in the browser to bypass the login interface and access the system directly. The Session object effectively prevents this. The related program code is as follows:

       <%
       ' Read the account and password entered by the user
       UserID = Request("UserID")
       Password = Request("Password")
       ' Check whether UserID and Password are correct (a real program may be more complex)
       If UserID <> "hrmis" Or Password <> "Password" Then
           Response.Write "Account Error!"
           Response.End
       End If
       ' Set the Session object to the verified state
       Session("Passed") = True
       %>

After entering the application, verify first:

       <%
       ' If the verification fails, return to the login page
       If Not Session("Passed") Then
           Response.Redirect "login.htm"
       End If
       %>
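The same Session check, as an added example that is not code from the original article, collected into one include file so that every protected page (such as hrmis.asp) performs it before writing any output. The file names auth.inc, login.asp and logout.asp, the ReturnTo session key and the fixed account check are assumptions used only for illustration.

```vbscript
<%
' auth.inc (assumed name): shared login verification for an ASP + Access site.
' Protected pages include this file and call RequireLogin before any output:
'   <!--#include file="auth.inc"-->  followed by  Call RequireLogin

Sub RequireLogin()
    ' Session("Passed") is Empty until HandleLogin sets it; anything other
    ' than an explicit True counts as "not logged in", so a direct request
    ' for hrmis.asp?Page=1 in a fresh browser session is turned away.
    If Session("Passed") <> True Then
        ' Remember the requested page so the user can be sent back after login.
        Session("ReturnTo") = Request.ServerVariables("SCRIPT_NAME") & "?" & Request.QueryString
        ' Response.Redirect also stops processing, so no protected content
        ' is written into the response.
        Response.Redirect "login.asp"
    End If
End Sub

' Called by login.asp when the login form is submitted.
Sub HandleLogin()
    Dim userID, password, target
    ' Read from the POSTed form only, so the credentials are never reflected
    ' in the address bar the way a query string would be.
    userID = Request.Form("UserID")
    password = Request.Form("Password")
    ' Placeholder check; a real system looks the account up in the database.
    If userID <> "hrmis" Or password <> "Password" Then
        Session("Passed") = False
        Response.Write "Account Error!"
        Response.End
    End If
    ' Mark this session as verified and return the user to the page they asked for.
    Session("Passed") = True
    target = Session("ReturnTo")
    If target = "" Then target = "hrmis.asp?Page=1"
    Session("ReturnTo") = Empty
    Response.Redirect target
End Sub

' Called by logout.asp: clear the flag and discard the whole session.
Sub HandleLogout()
    Session("Passed") = False
    Session.Abandon
    Response.Redirect "login.htm"
End Sub
%>
```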

