TIPS: Security Risks and Countermeasures of ASP + Access
Source: Internet
Author: User
With the development of the Internet, Web technology changes with each passing day. Following the Common Gateway Interface (CGI), ASP (Active Server Pages) is a typical server-side web page design technology that is widely used in Internet applications such as online banking, e-commerce, and search engines. At the same time, the Access database, a desktop database system launched by Microsoft and built on the standard Jet engine, has a large user base because it is simple to operate and has a user-friendly interface. ASP + Access has therefore become the preferred solution for many small and medium-sized online application systems. However, the ASP + Access solution brings not only convenience but also security issues that cannot be ignored.
ASP + Access security hazards
The main security hazards of the ASP + Access solution come from the security of the Access database itself, followed by security vulnerabilities introduced during ASP web page design.
1. Storage risks of Access databases
In an ASP + Access application system, if someone obtains or guesses the storage path and file name of the Access database, the database can be downloaded to a local machine. For example, the Access database of an online bookstore is usually named book.mdb or store.mdb, and it is usually stored under "URL/database" or simply placed in the root directory (URL). In that case, store.mdb can be downloaded to a local machine simply by entering URL/database/store.mdb in the address bar of a browser.
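A defender's counterpart to the download scenario above, as an added example that is not part of the original article: the script parses IIS W3C extended log lines and flags every request whose path ends in .mdb, reporting per client whether any such request was actually served (status 200). The log excerpt, the IP addresses and the field list are constructed for the example; real IIS logs declare their own field order in the #Fields line, which the parser reads rather than assuming.

```python
# Detect requests for Access database files in IIS W3C extended logs.
# Added example; the log excerpt below is constructed, not from a real server.

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status c-ip
2003-05-01 10:00:01 192.0.2.10 GET /default.asp - 200 198.51.100.7
2003-05-01 10:00:03 192.0.2.10 GET /database/book.mdb - 404 198.51.100.7
2003-05-01 10:00:04 192.0.2.10 GET /database/store.mdb - 200 198.51.100.7
2003-05-01 10:00:09 192.0.2.10 GET /hrmis.asp Page=1 302 198.51.100.8
2003-05-01 10:00:12 192.0.2.10 GET /Database/STORE.MDB - 200 198.51.100.7
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field order is declared by the log itself
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated record: skip rather than guess
        yield dict(zip(fields, values))


def find_mdb_requests(text):
    """Return (client_ip, uri_stem, status) for every request to a .mdb path.

    The comparison is case-insensitive because IIS serves /Database/STORE.MDB
    and /database/store.mdb as the same file. Status 200 means the database
    was actually sent to the client.
    """
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        if stem.lower().endswith(".mdb"):
            hits.append((rec["c-ip"], stem, int(rec["sc-status"])))
    return hits


def summarize(text):
    """Per client IP: (number of .mdb probes, whether any probe succeeded)."""
    summary = {}
    for ip, _stem, status in find_mdb_requests(text):
        probes, served = summary.get(ip, (0, False))
        summary[ip] = (probes + 1, served or status == 200)
    return summary


if __name__ == "__main__":
    for ip, stem, status in find_mdb_requests(SAMPLE_LOG):
        print(f"{ip} requested {stem} -> {status}")
    print(summarize(SAMPLE_LOG))
```

A 404 followed by a 200 from the same client, as in the sample, is the guessing pattern the article describes (try book.mdb, then store.mdb); the successful entry is the one that needs incident handling, since the whole database has left the server.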
2. Potential decryption risks of Access databases
Because the encryption mechanism of the Access database is very simple, it is easy to decrypt even when a password has been set for the database. The database system forms an encrypted string by XORing the password entered by the user with a fixed key, and stores that string in the region of the *.mdb file beginning at address &H42. Because an exclusive-or (XOR) operation has the property that "applying it twice restores the original value", XORing this fixed key with the encrypted string in the *.mdb file a second time easily yields the password of the Access database. Based on this principle, a decryption program is easy to write.
Therefore, regardless of whether a database password is set, once the database has been downloaded its information is no longer secure.
3. Source Code Security Risks
ASP programs are written in a non-compiled (script) language, which greatly reduces the security of the program source code. Anyone who gains access to the site's files can obtain the source code, resulting in leakage of the source code of ASP applications.
4. Security Risks in programming
ASP code uses forms to interact with users, and the corresponding parameters are reflected in the address bar of the browser. If appropriate security measures are not taken, anyone who writes down that content can access a page directly without authentication. For example, requesting Page.asp?x=1 directly accesses the page that satisfies the "x = 1" condition without going through the form page. Therefore, special measures must be taken to avoid such problems when designing verification or registration pages.
Improving database security
Because the Access database encryption mechanism is too simple, effectively preventing Access databases from being downloaded has become the top priority for improving the security of ASP + Access solutions.
1. Unconventional naming rules
A simple way to prevent a database from being found is to give the Access database file a complex, unconventional name and store it in a deeply nested directory. For example, do not simply name the database file of an online bookstore book.mdb or store.mdb; choose an unusual file name instead, and then place it in a deep directory such as ./akkjj16t/kjhgb661/acd/avccx55/. In this way, attempts to obtain the Access database file name by guessing are defeated.
2. Use ODBC Data sources
In ASP programming, use an ODBC data source wherever possible; do not write the database name directly in the program. Otherwise, the database name is lost together with its password whenever the ASP source code leaks. For example:
As can be seen, even if the database name is odd and the directory is deeply hidden, the database is easily downloaded once the ASP source code has leaked. If an ODBC data source is used instead, this problem does not arise:
Conn.Open "ODBC-DSN name"
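The following script is an added example (not code from the article) that audits a web root for the two issues just described: it lists every .mdb file that sits below the web root, marking names from the guessable list the article gives and how deep the file is, and it scans .asp sources for connection strings that embed a .mdb path instead of referring to a DSN. The sample web root, its file names (x7q.mdb, bad.asp, good.asp, BookstoreDSN) and the extra guessable names are constructed for the demonstration; the directory ./akkjj16t/kjhgb661/acd/avccx55/ is the one the article uses.

```python
# Audit a web root for downloadable Access databases and hard-coded .mdb paths.
# Added example; the sample web root built below is constructed for the demo.
import os
import re
import tempfile

# Predictable file names an attacker would try first (constructed list, seeded
# with the two names the article mentions).
GUESSABLE_NAMES = {"book.mdb", "store.mdb", "data.mdb", "db.mdb", "database.mdb"}

# A connection string that embeds the .mdb path in the ASP source, e.g.
#   DBQ=" & Server.MapPath("x.mdb")   or   Data Source=C:\...\x.mdb
EMBEDDED_MDB_RE = re.compile(r"(?:dbq|data\s*source)\s*=.*?\.mdb", re.IGNORECASE)


def find_exposed_mdb(webroot):
    """Return sorted (relative_path, guessable_name, depth) for every .mdb under webroot.

    Anything below the web root is reachable by URL, so every hit is
    downloadable; a guessable name at shallow depth is the worst case.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".mdb"):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                rel = rel.replace(os.sep, "/")
                hits.append((rel, name.lower() in GUESSABLE_NAMES, rel.count("/")))
    return sorted(hits)


def find_hardcoded_db_paths(webroot):
    """Return sorted (relative_asp_path, line_number) for connection strings embedding a .mdb path."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".asp"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if EMBEDDED_MDB_RE.search(line):
                        rel = os.path.relpath(full, webroot).replace(os.sep, "/")
                        hits.append((rel, lineno))
    return sorted(hits)


def build_sample_webroot():
    """Create a throwaway web root with constructed files (placeholders, not real Jet files)."""
    root = tempfile.mkdtemp(prefix="webroot_")

    def put(rel, content=""):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)

    put("database/store.mdb", "(constructed placeholder)")
    put("akkjj16t/kjhgb661/acd/avccx55/x7q.mdb", "(constructed placeholder)")
    # Hard-coded path: reveals the database location if this source leaks.
    put("bad.asp", '<% Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" '
                   '& Server.MapPath("database/store.mdb") %>\n')
    # DSN-based: the source reveals only a DSN name, not the file location.
    put("good.asp", '<% Conn.Open "BookstoreDSN" %>\n')
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for rel, guessable, depth in find_exposed_mdb(root):
        print(f"downloadable: {rel} guessable={guessable} depth={depth}")
    for rel, lineno in find_hardcoded_db_paths(root):
        print(f"hard-coded .mdb path in {rel} line {lineno}")
```

Both findings matter: the deeply nested, oddly named file is still downloadable by anyone who learns its path, and bad.asp is exactly how that path leaks, which is why the article pairs renaming with DSN-based connections.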
To effectively prevent ASP source code leakage, ASP pages can be encrypted. There are two methods: one is to use component technology to encapsulate the programming logic in a DLL; the other is to use Microsoft Script Encoder to encrypt the ASP pages. I believe that the main problem with the use of component technology is that each segment of code must be componentized, the operation is cumbersome, and the workload is large, while using Script Encoder to encrypt ASP pages is simple to operate and gives good results.
The Script Encoder method has many advantages:
1. HTML remains editable. Script Encoder encrypts only the ASP code embedded in the HTML page; the rest is left unchanged, so common web page editing tools such as FrontPage or Dreamweaver can still be used to modify and improve the HTML part. The encrypted ASP part must not be modified, however, or the file becomes invalid.
2. Easy to operate. Only a few command-line parameters need to be mastered. The Script Encoder executable is screnc.exe, with the following options:
/f: specifies that the output file overwrites the input file of the same name;
/xl: suppresses adding the @Language directive at the top of the .asp file;
/l defLanguage: specifies the default script language;
/e defExtension: specifies the extension of the files to be encrypted.
3. Files can be encrypted in batches. Script Encoder can encrypt all ASP files in the current directory and output the encrypted files to a target directory. For example:
screnc *.asp c:\temp
4. Script Encoder is free software. It can be downloaded from the Microsoft website:
Http://msdn.microsoft.com/script... oad/x86/sce10en.exe. After downloading, run the installer.
Registration and verification using Session objects
To prevent unregistered users from bypassing the registration interface and directly accessing the application system, the Session object can be used for registration verification. The biggest advantage of a Session object is that it retains a user's information so that subsequent web pages can read it. For example, consider the registration page shown in Figure 1.
After the user registers successfully, the system opens the page hrmis.asp?Page=1. If the Session object is not used for registration verification, a user can enter "URL/hrmis.asp?Page=1" in the browser to bypass the registration interface and access the system directly. The Session object effectively prevents this situation. The related program code is as follows:
<% 'Read the account and password entered by the user
UserID = Request("UserID")
Password = Request("Password")
'Check whether UserID and Password are correct (the actual program may be more complicated)
If UserID <> "hrmis" Or Password <> "Password" Then
    Response.Write "Account Error!"
    Response.End
End If
'Set the Session object to the verified status
Session("Passed") = True
%>
After entering the application, verify first:
<% 'If the verification fails, return to the login status
If Session("Passed") <> True Then
    Response.Redirect "login.asp" 'assumed name of the login page; the article does not name it
End If
%>