The safety hidden trouble and countermeasure of asp+access of Master's weapon

access|asp+| Safety | Safety hazard

With the development of Internet, web technology is changing with each passing day. After the Common Gateway Interface (CGI), "ASP" as a typical server-side web design technology, is widely used in online banking, E-commerce, search engines and other Internet applications. At the same time, as a desktop database system launched by Microsoft, the Access database has a large user base because of its simple operation and friendly interface. As a result, asp+access has become the preferred solution for many small and medium sized online application systems. But Asp+access solutions bring convenience to us, but also bring about security issues that cannot be neglected.

Asp+access Security Hidden Trouble asp+access The main security vulnerabilities of the solution are the security of Access database, followed by the security vulnerability in the design process of ASP Web pages.

1, Access database storage hidden trouble

In a asp+access application system, the database can be downloaded to local if it obtains or guesses the storage path and database name of the Access database. For example: For an Access database on an online bookstore, people are generally named Book.mdb, Store.mdb, and so on, while the stored path is generally "url/database" or simply placed under the root directory ("url/"). In this way, you can easily download Store.mdb to a local machine simply by typing the address in the browser's address bar: "Url/database/store.mdb".

2, Access database decryption hidden trouble

Because the encryption mechanism of an Access database is simple, decryption is easy even if the database has a password. The database system forms an encrypted string by *.mdb the password entered by the user with a fixed key, and stores it in the area from the address "&h42" in the file. The password for an Access database can be easily obtained by using this key with a second XOR or operation with the encrypted string in the *.mdb file, because the XOR or operation is characterized by a "two-time or on-restore of the original value". Based on this principle, the decryption program can be easily developed.

This shows that no matter whether the database password is set, as long as the database is downloaded, its information has no security to speak of.

3, the source code security hidden Trouble

Because the ASP program uses the non-compiler language, this greatly reduces the program source code security. Anyone who enters the site can get the source code, causing the source code of the ASP application to leak.

4, the security hidden Trouble in the program design

The ASP code uses form to realize the function that interacts with the user, and the corresponding content is reflected in the browser's address bar, if does not adopt the appropriate security measures, as long as takes down these content, can bypass the authentication to enter a page directly. For example, typing "... page.asp?x=1" in the browser, you can go directly to the page that satisfies the "x=1" condition without the form page. Therefore, when designing validation or registration pages, special measures must be taken to prevent such problems from occurring.

Improve the security of the database because Access database encryption mechanism is too simple, so how to effectively prevent Access database is downloaded, it becomes the most important to improve the security of asp+access solution.

1. Non-conventional Nomenclature method

An easy way to prevent a database from being found is to have a complex, unconventional name for an Access database file and store it in a multi-tiered directory. For example, for a database file on an online bookstore, do not simply name "Book.mdb" or "store.mdb", but rather an unconventional one, such as: Faq19jhsvzbal.mdb, and then put it in a./akkjj16t/kjhgb661/acd/ A deep directory like avccx55. In this way, some illegal access to the file name of an Access database can be effectively blocked by guessing.

2. Use ODBC data source

In ASP program design, should use ODBC data source as far as possible, do not write the database name directly in the program, otherwise, the database name will be compromised with the source code of the ASP. For example:

DBPath = Server.MapPath ("./akkjj16t/kjhgb661/acd/avccx55/faq19jhsvzbal.mdb") Conn. Open driver={microsoft Access Driver (*.mdb)};d bq= "& DBPath

Visible, even if the name of the database is again strange, hidden directory again deep, the ASP source code compromised, the database is also easy to download down. If you use an ODBC data source, there is no such problem: Conn.Open
"Odbc-dsn name"

Encrypt ASP pages to effectively prevent the leakage of ASP source code, you can encrypt ASP pages. There are generally two ways to encrypt an ASP page. One is to encapsulate programming logic into DLLs using component technology, and the other is to encrypt ASP pages using Microsoft's script encoder. The author thinks that the main problem of using component technology is that each piece of code needs to be modular, the operation is cumbersome, the workload is large, and the use of Script Encoder to encrypt ASP pages, simple operation and good results.

The Script encoder method has many advantages:

1.HTML is still well editable. The Script encoder only encrypts the ASP code embedded in the HTML page, and the rest remains the same, which makes it possible to modify and refine the HTML section using commonly used Web page editing tools, such as FrontPage or Dreamweaver. Only the ASP encryption section cannot be modified, or it will cause the file to fail.

2. Simple operation. Just master a few command-line arguments. The Script encoder is run by a screnc.exe, which is used in the following ways:

Screnc [/S] [f] [/XL] [/L deflanguage] [/e defextension] inputfile outputfile

The parameter meanings are as follows:

S: Shielding screen output;

F: Specifies whether the output file overwrites the input file with the same name;

XL: Whether to add a @language directive at the top of the. asp file;

L:DEFLANGUAG Specifies the default scripting language;

e:defextension specifies the extension of the file to be encrypted.

3. You can encrypt files in bulk. Use the script Encoder to encrypt all ASP files in the current directory and to uniformly output the encrypted files to the appropriate directory.

4. Script encoder is free software. The encryption software can be downloaded from the Microsoft website.

With the session object for registration verification, in order to prevent unregistered users to bypass the registration interface directly into the application system, you can use the session object for registration verification. The biggest advantage of the session object is that you can keep a user's information for subsequent pages to read. For example, to design the registration page as shown in Figure 1.

The design requires the user to register successfully after the system starts the Hrmis.asp?page=1 page. If you do not use the Session object for registration verification, users in the browser typing "url/hrmis.asp?page=1" can bypass the registration interface, directly into the system. Using the session object can effectively prevent this from happening. The relevant program code is as follows:

<% ' read user entered account and password UserID = Request ("UserID") Password = Request ("Password") ' Check UserID and Password is correct (the actual program may be more complex) if U Serid <> "Hrmis" Or Password <> "Password" Then Response.Write "Account Error! "Response.End End If" Sets the session object to pass the validation status session ("passed") = True%> Enter the application, first verify: <% ' if not validated, return login status if not Session ("passed") Then Response.Redirect "login.htm" End If%>