Vulnerability decomposition and intrusion prevention methods for ASP Web sites

Source: Internet
Author: User
Tags: file upload, log, query, split, sql injection, sql injection attack, trim, access database

How can hacker attacks be prevented more effectively? Here are my personal views. First, a free program is not really free: once you share the source code, the attacker can analyze that code too. If you pay attention to the details of prevention, your site's security improves greatly, and even if a vulnerability such as SQL injection exists, an attacker will not be able to take over your site immediately.

Because ASP is easy to use, more and more Web site back-end programs are written in the ASP scripting language. However, ASP itself has some security weaknesses, and a little carelessness gives hackers an opening. Security is not only the network administrator's business: programmers must also be aware of certain security details and develop good habits, otherwise they bring huge risks to their own site. At present most ASP programs on the Web have this kind of vulnerability, but it can be avoided if you pay attention when writing the program.

1. User name and password cracked

Attack principle: The user name and password are often the most interesting things to a hacker; if the source code can be seen in some way, the consequences are serious.

Prevention tips: User name and password handling is best encapsulated on the server side and should appear as little as possible in ASP files. The account used for the database connection should be given the minimum permissions. A user name and password that must appear many times can be written in a more hidden include file. If you connect to a database, ideally give the account permission only to execute a stored procedure; do not give it permission to modify, insert or delete records directly.

2. Verification bypassed

Attack principle: Most ASP programs that require authentication just add a judgment statement at the top of the page, but this is not enough; a hacker may bypass the verification and access the page directly.

Prevention tips: An ASP page that requires verification can track the file name of the previous page in the session, and allow this page to be read only when the visitor came in from that previous page.

3. .inc file leakage

Attack principle: When an ASP site's home page is still being built and has not been finally debugged, it can be picked up and indexed by a search engine. If someone uses a search engine to find these pages, they can locate the files and see the location and structure of the database in the browser, revealing the complete source code.

Prevention tips: Programmers should thoroughly debug a Web page before releasing it; security staff need to harden the ASP files so that outside users cannot see them. Encrypt the content of the .inc file first, or use a .asp file instead of the .inc file, so that users cannot view the file's source code directly from the browser. Do not give .inc files the system default name or a name with a special meaning that users can easily guess; try to use a string of letters with no pattern.

4. Automatic backup downloaded

Attack principle: Some tools used to edit ASP programs automatically create a backup file whenever an ASP file is created or modified. For example, UltraEdit backs up to a .bak file: if you create or modify some.asp, the editor automatically generates a file called some.asp.bak. If you do not delete this .bak file, an attacker can download some.asp.bak directly, and with it the source code of some.asp.

Prevention tips: Before uploading a program, check it carefully and delete unnecessary files. Be especially careful with files whose suffix is .bak.

5. Special characters

Attack principle: Input boxes are a target that hackers exploit. By entering scripting language they can damage the user's client, and if the input box feeds a database query, they can use specially crafted query statements to get more database data, even all of the tables. Input boxes must therefore be filtered. However, validation that is done only on the client side (to improve efficiency) can be bypassed.

Prevention tips: When handling input boxes in ASP programs such as message boards and BBS, it is best to block HTML, JavaScript and VBScript statements. If there are no special requirements, you can limit input to letters and digits and block special characters, and also limit the length of the input. Do not check the legality of the input only on the client; do similar checks in the server-side program as well.
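As an added example (not code from the original article), the following classic ASP page shows the two server-side measures this section describes: an allow-list check of the field (letters and digits only, bounded length) that runs regardless of any JavaScript check on the form, and a parameterized ADODB query so the value can never become part of the SQL text. The DSN name Shujiyuan is taken from section 6 of this article; the table Users and its column UserName are placeholders chosen for the example.

```vbscript
<%
' Added example, not the article's own code. Assumptions (placeholders):
' an ODBC DSN named Shujiyuan, a table Users with a column UserName.
Option Explicit

' Return True only if value is 1..maxLen characters of letters and digits.
' This is an allow-list: anything outside the pattern is rejected, so there is
' no list of "bad" characters to keep up to date.
Function IsSafeInput(value, maxLen)
    Dim re
    IsSafeInput = False
    If IsNull(value) Then Exit Function
    If Len(value) < 1 Or Len(value) > maxLen Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9]+$"
    re.IgnoreCase = False
    re.Global = False
    IsSafeInput = re.Test(value)
End Function

Dim uname, Conn, cmd, rs
uname = Trim(Request.Form("uname"))

' The check runs here on the server even if the form page also checks in
' JavaScript; the client-side check can be bypassed, this one cannot.
If Not IsSafeInput(uname, 20) Then
    Response.Write "Invalid user name."
    Response.End
End If

' Open the database through the ODBC data source, as section 6 recommends.
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.Open "Shujiyuan"

' Parameterized query: the user value is bound as a parameter, so quotes or
' SQL keywords inside it are treated as data, not as part of the statement.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = Conn
cmd.CommandText = "SELECT UserName FROM Users WHERE UserName = ?"
cmd.CommandType = 1                                   ' adCmdText
cmd.Parameters.Append cmd.CreateParameter("p1", 200, 1, 20, uname)  ' adVarChar, adParamInput
Set rs = cmd.Execute

If Not (rs.BOF Or rs.EOF) Then
    ' Encode on output so stored text cannot inject HTML or script into the page.
    Response.Write "Found: " & Server.HTMLEncode(rs("UserName").Value)
Else
    Response.Write "No such user."
End If
rs.Close
Conn.Close
%>
```

The same IsSafeInput function can be called for every field of a message board or BBS form; widen the pattern only where a field genuinely needs other characters, and keep the parameterized query for every statement that uses user input.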

6. Database download vulnerability

Attack principle: When Access is used as the back-end database, it is dangerous if someone learns or guesses, by any of a variety of means, the path and name of the Access database on the server.

Prevention Tips:

(1) Give the database file a complex, unconventional name and place it several directory levels deep. "Unconventional" means, for example, that a database holding information about books should not be named "book.mdb" but something strange such as D34ksfslf.mdb, placed in a directory such as ./kdslf/i44/studi/, so it is much harder for a hacker to obtain your Access database file by guessing.

(2) Do not write the database name in the program. Some people like to write the DSN in the program, such as:

DBPath = Server.MapPath("cmddb.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
If someone gets the source program, your Access database's name is visible at a glance. It is therefore recommended that you set up a data source in ODBC and write only its name in the program:

Conn.Open "Shujiyuan"
(3) Use Access to encode and encrypt the database file. First, in "Tools → Security → Encrypt/Decrypt Database", select the database (for example Employer.mdb) and press OK; the "Encrypt Database As" window then appears, and you can save the result as "Employer1.mdb".

Note that the above action does not set a password on the database; it only encodes the database file so that others cannot use other tools to view its contents.

Next we encrypt the database: first open the encoded Employer1.mdb, selecting Exclusive when opening it. Then choose "Tools → Security → Set Database Password" from the menu and enter a password. Now even if someone gets the Employer1.mdb file, he cannot see its contents without the password.

7. Preventing remote injection attacks

Such attacks were once a common form of attack; a POST attack, for example, lets the attacker arbitrarily change the data values being submitted in order to carry out the attack. Another example is forged cookies, which deserves even more attention from programmers and webmasters: do not use cookies as the way to authenticate users, otherwise it is the same as leaving the key with the thief.

For example:

' Insecure: both cookie values are chosen by the client, so this check is trivially forged
If Trim(Request.Cookies("uname")) = "Fqy" And Request.Cookies("upwd") = "fqy#e3i5.com" Then
    ' ... more ...
End If

I hope that webmasters and friends who like to write programs do not make this kind of mistake; it really is unforgivable. Cookies have been forgeable for years, so you cannot blame someone else for getting past your password. When it comes to user passwords, or when users log in, it is best to use the Session; that is the safest. If you do want to use cookies, add the SessionID to them: its random value is 64 digits long, impossible to guess. Example:

If Not (rs.BOF Or rs.EOF) Then
    Login = "true"
    ' Login state is kept on the server, keyed with the session's own ID
    Session("username" & Session.SessionID) = Username
    Session("password" & Session.SessionID) = Password
    ' Response.Cookies("username") = Username
    ' Response.Cookies("password") = Password
End If
Now let's talk about how to protect against remote injection attacks. The general attack is to save the form submission page locally, with the form's action="chk.asp" still pointing at the file on your server that processes the data. If all your data filtering is on the form page itself, then congratulations, your script will have been attacked.

How can we stop such a remote attack? See the following code: Program Body (9)
<%
Server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
Server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
' In "http://host/...", the host name starts at character 8; it must be our own server name
If Mid(Server_v1, 8, Len(Server_v2)) <> Server_v2 Then
    Response.Write "<br><br><center>"
    Response.Write "You submitted from the wrong path; submitting data from outside the site is prohibited. Please do not change the parameters!"
    Response.Write "</center>"
    Response.End
End If
%>

' I feel the filtering in the code above is not very good; some external submissions unexpectedly still get in, so here is another version.

' This one filters well and is recommended.

' The Referer must start with this site's own host name (HTTP_HOST is the server variable that carries it)
If InStr(Request.ServerVariables("HTTP_REFERER"), "http://" & Request.ServerVariables("HTTP_HOST")) < 1 Then
    Response.Write "An error occurred on the server while processing the URL. " & _
        "If you are using any means to attack the server, then you should be glad that all of your operations " & _
        "have been recorded by the server; we will be the first to inform the Public Security Bureau and the " & _
        "National Safety department to investigate your IP."
    Response.End
End If

I thought this would be enough, adding some restrictions on the form page such as MaxLength, etc. But things are not like that: the more you fear something, the more it happens. Don't forget that the attacker can change the length limit of the input box during an SQL injection attack. Write a socket program to change HTTP_REFERER? I won't. An article like this was published on the Internet:

------------Len.reg-----------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Extension(&E)]
@="C:\\Documents and Settings\\Administrator\\Desktop\\len.htm"
"Contexts"=dword:00000004
-----------End----------------------
-----------len.htm------------------
----------End-----------------------

  
Usage: First import Len.reg into the registry (note the file path).

Then copy len.htm to the location specified in the registry.

Open the Web page, put the cursor in the input box whose length you want to change and right-click; you will see an extra "Extension" option.

Click it and you are done! Postscript: The same method can be used to deal with restrictions on script content.

What to do? Our restrictions have been circumvented; has all our effort been wasted? No, raise your keyboard and say no. Let's go back to filtering script characters: injection is nothing more than a script attack. We put all our effort into the page after the action, chk.asp, where we filter out all illegal characters. The result? We only feinted at the front; let them go and change the registry, and when they are done they will find that what they did was futile.
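The following is an added example (not the article's own code) that puts sections 2 and 7 together: login state lives in the Session rather than in a cookie, and the page that processes a form (chk.asp) only runs when the Session shows the visitor came through the site's own form page, which is the "track the previous page in the session" idea from section 2 and a check that a saved local copy of the form cannot satisfy. The Session keys, the file names form.asp, chk.asp and login.asp, and the include name are placeholders chosen for the example.

```vbscript
<%
' Added example, not the article's own code. Placeholders: Session key names,
' form.asp / chk.asp / login.asp. Put these subs in an include file and call
' them from the pages named in the comments.

' ---- login.asp: call after the credentials matched a database row ----
' Login state is stored only on the server; nothing the client can edit decides it.
Sub MarkLoggedIn(userName)
    Session("LoggedIn") = True
    Session("UserName") = userName
End Sub

' ---- top of every page that needs a logged-in user ----
' This replaces a one-line cookie test: an unauthenticated request is sent to login.asp
' and the rest of the page never executes.
Sub RequireLogin()
    If Session("LoggedIn") <> True Then
        Response.Redirect "login.asp"
    End If
End Sub

' ---- form.asp: call before the form is rendered ----
' Records in the Session that this visitor has just loaded the real form page.
Sub RecordFormPage()
    Session("FromPage") = "form.asp"
End Sub

' ---- chk.asp: call before any form field is read ----
' A copy of the form saved locally can still POST to chk.asp, but its Session
' never visited form.asp on this server, so the submission is refused.
Sub RequireFromPage(expected)
    If Session("FromPage") <> expected Then
        Response.Write "Please submit the form from this site."
        Response.End
    End If
    ' Clear the marker so one visit to form.asp allows only one submission.
    Session("FromPage") = ""
End Sub

' ---- chk.asp would then read as: ----
' RequireLogin
' RequireFromPage "form.asp"
' ... validate and store Request.Form fields (see the server-side checks in section 5) ...
%>
```

This check does not depend on HTTP_REFERER, which the client controls, so it holds even when the Referer check earlier in this section is defeated; keep both, since they fail for different reasons.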

8. ASP Trojans

Already mentioned above, but let me remind forum webmasters once more: be careful with file uploads. Why is the host also taken over by the attacker after the forum program is compromised? The reason is... right! An ASP Trojan, an absolutely hateful thing. Is it a virus? Not the same. A file is placed inside your forum program and you keep searching for it; it is a wonder you don't spit blood. How can you prevent ASP Trojans from being uploaded to the server? The method is very simple: if your forum supports file uploads, set the file formats that may be uploaded. I do not agree with making the file format configurable; lock it down directly in the program, so that only image formats and compressed files can be uploaded. The more convenience you give yourself, the easier you make things for the attacker. As for how to judge the format, I collected one here and also modified it; let's take a look:

Program Body (10)

' Determine whether the file extension is permitted
Private Function CheckFileExt(fileExt)
    Dim forumUpload, i
    CheckFileExt = False
    forumUpload = Split("gif,jpg,bmp,jpeg", ",")
    For i = 0 To UBound(forumUpload)
        If LCase(fileExt) = LCase(Trim(forumUpload(i))) Then
            CheckFileExt = True
            Exit Function
        End If
    Next
End Function

' Validate the contents of the file
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(sFile, 1)        ' open the uploaded file for reading
sTextAll = LCase(MyText.ReadAll): MyText.Close
' Look for dangerous operations in the user's file. The first token is the count;
' the tokens are lower case because sTextAll was lower-cased above
sStr = "8 .getfolder .createfolder .deletefolder .createdirectory .deletedirectory"
sStr = sStr & " .saveas wscript.shell script.encode"
sNoString = Split(sStr, " ")
For i = 1 To sNoString(0)
    If InStr(sTextAll, sNoString(i)) <> 0 Then
        sFile = Upl.Path & sFileSave: MyFile.DeleteFile sFile   ' Upl is the upload component's object
        Response.Write "<center><br><big>" & sFileSave & " contains commands related to directory operations" & _
            "<br><font color=red>" & Mid(sNoString(i), 2) & "</font>, <b>so it cannot be uploaded for security reasons.</b>" & _
            "</big></center>"
        Response.End
    End If
Next
Add these to your upload program to do the validation, and the security of your upload program will be greatly improved.
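As an added example (not the article's code, and not part of any forum program), here is a stricter form of the same two checks. It differs from Program Body (10) in three ways: the extension is taken from the last dot of the supplied name and compared case-insensitively against a fixed allow-list, the content scan uses vbTextCompare so a token matches whatever case the file uses (in the article's version an upper-case token could never match the lower-cased text), and the stored file gets a server-chosen name so the client's file name never reaches the disk. The variables sFileName, sTempPath and sUploadDir stand in for whatever the site's upload component provides and are placeholders here.

```vbscript
<%
' Added example, not the article's own code. Placeholders: sFileName (name sent
' by the client), sTempPath (where the upload component spooled the file),
' sUploadDir (final directory). Adapt these to your upload component.
Option Explicit

' True only when the text after the last dot is one of the permitted image types.
Function ExtensionAllowed(fileName)
    Dim pos, ext, allowed
    ExtensionAllowed = False
    pos = InStrRev(fileName, ".")
    If pos = 0 Then Exit Function                 ' no extension at all: reject
    ext = LCase(Mid(fileName, pos + 1))
    Set allowed = Server.CreateObject("Scripting.Dictionary")
    allowed.Add "gif", 1
    allowed.Add "jpg", 1
    allowed.Add "jpeg", 1
    allowed.Add "bmp", 1
    ExtensionAllowed = allowed.Exists(ext)
End Function

' Returns "" if none of the tokens occurs in the file, otherwise the first token found.
Function FindDangerousToken(filePath)
    Dim fso, ts, text, tokens, i
    FindDangerousToken = ""
    Set fso = Server.CreateObject("Scripting.FileSystemObject")
    Set ts = fso.OpenTextFile(filePath, 1)
    text = ts.ReadAll
    ts.Close
    ' Same list as the article, plus the ProgID named at the end of this section
    tokens = Array(".getfolder", ".createfolder", ".deletefolder", _
                   ".createdirectory", ".deletedirectory", ".saveas", _
                   "wscript.shell", "script.encode", "shell.application")
    For i = 0 To UBound(tokens)
        ' vbTextCompare makes the search case-insensitive
        If InStr(1, text, tokens(i), vbTextCompare) > 0 Then
            FindDangerousToken = tokens(i)
            Exit Function
        End If
    Next
End Function

' Build a name the client did not choose; only the already-vetted extension is kept.
Function StoredName(fileName)
    Dim pos
    pos = InStrRev(fileName, ".")
    Randomize
    StoredName = "up_" & Year(Now) & Month(Now) & Day(Now) & "_" & _
                 Int(Rnd * 1000000) & "." & LCase(Mid(fileName, pos + 1))
End Function

Dim sFileName, sTempPath, sUploadDir, sBad, fso2
sFileName  = "photo.jpg"                        ' placeholder: name sent by the client
sTempPath  = Server.MapPath("temp/photo.jpg")   ' placeholder: spooled upload
sUploadDir = Server.MapPath("uploads")          ' placeholder: final directory

If Not ExtensionAllowed(sFileName) Then
    Response.Write "Only gif, jpg, jpeg and bmp files can be uploaded."
    Response.End
End If

sBad = FindDangerousToken(sTempPath)
If sBad <> "" Then
    Set fso2 = Server.CreateObject("Scripting.FileSystemObject")
    fso2.DeleteFile sTempPath
    Response.Write "The file contains " & Server.HTMLEncode(sBad) & " and was rejected."
    Response.End
End If

Set fso2 = Server.CreateObject("Scripting.FileSystemObject")
fso2.MoveFile sTempPath, sUploadDir & "\" & StoredName(sFileName)
Response.Write "Upload accepted."
%>
```

Keep the upload directory outside any path where ASP files are executed, so that even a file which passes both checks is only ever served as static content.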

What? You still don't trust me? Then bring out the killer move: ask your virtual hosting provider to help. Log on to the server and rename or delete the "Shell.Application" and "Shell.Application.1" ProgID entries in the registry, and then rename or delete the "WScript.Shell" and "WScript.Shell.1" entries as well. I can boldly say that probably more than half of domestic virtual hosts have not changed these. You can only hope that your users cooperate; otherwise... delete, delete, delete...
