Security risks and Countermeasures of ASP + Access

With the development of Internet, web technology is changing with each passing day. Following the general Gateway Interface (CGI), "ASP" (Active Server Pages) is a typical
Server-side web page design technology is widely used in Internet applications such as online banking, e-commerce, and search engines. At the same time, access database as micro
The Soft Release of the standard jet engine desktop database system, because of its simple operation, user-friendly features, has a large user base. Therefore, ASP +
Access has become the preferred solution for many small and medium-sized online application systems. However, the ASP + Access solution brings us convenience, but also brings
Security issues.
Security risks of ASP + Access
The main security risks of ASP + access solutions come from the security of access databases, followed by security vulnerabilities in ASP Web design.
1. storage risks of access databases
In the ASP + Access application system, if you obtain or guess the storage path and name of the Access database, the database can be downloaded to the local device. Example
For example, access databases in online bookstores are generally named book. MDB and store. mdb, while the storage path is generally "url/Database" or
It is stored in the root directory ("url. In this way, you only need to enter the address "url/database/store. mdb" in the browser address bar, you can easily
Store. mdb is downloaded to a local machine.
2. Potential decryption risks of access databases
Because the encryption mechanism of the Access database is very simple, it is easy to decrypt even if a password is set for the database. The Database System
Code is different from a fixed key to form an encrypted string and store it in the *. MDB file in the region starting from the address "& h42. Due to an exception or operation
The feature is that the original value is restored after two exclusive or exclusive operations. Therefore, you can use this key to perform the second exclusive or operation with the encrypted string in the *. MDB file.
Obtain the password of the Access database. Based on this principle, you can easily compile a decryption program.
Therefore, no matter whether or not the database password is set, as long as the database is downloaded, its information is not secure.
3. Source Code Security Risks
ASP programs use non-compiled languages, which greatly reduces the security of program source code. Anyone can access the site to obtain the source code.
The source code of ASP applications is exposed.
4. Security Risks in programming
ASP code uses form to implement interaction with users, and the corresponding content is reflected in the address bar of the browser. If appropriate security measures are not used
If you write down the content, you can go to a page without verification. For example, Page. asp? X = 1 ".
On the single page, go to the page that meets the "x = 1" condition. Therefore, special measures must be taken to avoid such problems when designing verification or registration pages.
Improve database security
Because the ACCESS database encryption mechanism is too simple, how to effectively prevent the access database from being downloaded has become a security enhancement for ASP + access solutions
Is the most important.
1. unconventional naming rules
A simple method to prevent a database from being found is to create a complex and unconventional name for the ACCESS database file and store it in a multi-layer directory. For example
Do not simply name the database files in the bookstore as "book. mdb" or "store. mdb", but rather an unconventional name, for example:
Faq19jhsv zbal. MDB and put it in a deep directory such as./akkjj16t/kjhgb661/ACD/avccx55. In this way
Obtaining the illegal access method of the Access database file name effectively blocks the access.
2. Use ODBC Data sources
In ASP programming, ODBC data sources should be used as much as possible. Do not write the database name directly in the program. Otherwise, the database name will be unique with the password of ASP source code.
Same password failure. For example:
Dbpath = server. mappath ("./akkjj16t/
Kjhgb661/ACD/avccx55/faq19jhsv zbal. mdb ")
Conn. Open "driver = {Microsoft Access Driver (*. mdb)}; DBQ =" & dbpath
It can be seen that even if the database name is weird and the hidden directory is deep, the database is easily downloaded after the ASP source code is denied. If you use ODBC Data
Source, there will be no such problem:
Conn. Open ODBC-DSN name"
Encrypt ASP pages
To effectively prevent ASP source code leakage, You can encrypt ASP pages. There are two methods to encrypt ASP pages. One is to use component technology to program
The logic is encapsulated into the DLL; the other is to use Microsoft Script encoder to encrypt ASP pages. I believe that the main problems with component technology exist
Each code segment must be componentized. The operations are cumbersome and heavy. However, the script encoder is used to encrypt ASP pages, which is simple and effective.
The script encoder method has many advantages:
1. html is still editable. Script encoder only encrypts the ASP code embedded in the HTML page, and the rest remains unchanged, which makes us
You can still use frequently-used webpage editing tools such as FrontPage or Dreamweaver to modify and improve the HTML part, but you cannot fix the ASP encryption part.
Otherwise, the file becomes invalid.
2. Easy to operate. Just master several command line parameters. The running program of script encoderis screnc.exe, which is used as follows:
Screnc [/S] [/F] [/XL] [/L deflanguage] [/e defextension] inputfile outputfile
The parameter meanings are as follows:
S: screen shielding;
F: Specifies whether the output file overwrites the input file with the same name;
XL: whether to add the @ language command to the top of the. asp file;
L: deflanguag specifies the default script language;
E: defextension specifies the extension of the file to be encrypted.
3. You can encrypt files in batches. Use script encoder to encrypt all ASP files in the current directory and output the encrypted files
Directory. For example:
Screnc *. asp C:/temp
4. Script encoder is a free software. The encryption software can be downloaded from the Microsoft Website:
Http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After the download, run and install.
Registration and verification using session objects
To prevent unregistered users from directly accessing the application system through the registration interface, you can use the session object for registration verification. The biggest advantage of a session object is that
The user's information can be retained for subsequent webpage reading. For example, design the registration page shown in 1.

Figure 1 registration page
After the user registration is successful, the system starts HRMIS. asp? Page = 1 page. If the session object is not used for registration verification
"Url/HRMIS. asp? Page = 1 "to bypass the registration interface and directly access the system. The Session object can effectively prevent this situation. RELATED PROCESSES
The Code is as follows:
<%
'Read the account and password entered by the user
Userid = request ("userid ")
Password = request ("password ")
'Check whether userid and password are correct (the actual program may be complicated)
If userid <> "HRMIS" or password <>
"Password" then
Response. Write "Account Error !"
Response. End
End if
'Set the session object to the verified status
Session ("passed") = true
%>
After entering the application, first verify:
<%
'If the verification fails, the login status is returned.
If not SESSION ("passed") then
Response. Redirect "login. asp"
End if
%>