The second Internet Guide: not estimated immediately win your site. As ASP's easy to use, more and more applications are Internet daemon ASP scripting language. However, the ASP security vulnerabilities inherent part of, a little carelessness will give hackers an opportunity to help. In fact, security is not only a network thing, in English you must also pay attention to details in some of the security, to develop good safety habits, or will own a huge Internet security risks. Currently, most of the ASP program on the Internet so that security holes are, but if programming time to note that the words, but also ... the text:
Prevention tips: check carefully before uploading process, delete unnecessary documents. BAK suffix of the document to be especially careful.
How better to prevent hacker attacks, personal mention independent individual opinion! NO · 1, non-profit, non-profit program can not really use, since you do not have results to share the original code, the attacker did not score the same plan. If attention to prevention in the details, so your site to greatly increase the resistance. Injection SQL database even if there is a kind of vulnerability, the attacker does not win you estimate the site immediately. Because of the easy to use, more and more applications are Internet daemon ASP scripting language. However, the ASP security vulnerabilities inherent part of, a little carelessness will give hackers an opportunity to help. In fact, security is not only a network thing, we must also pay attention to details in some of the security, to develop good safety habits, or will own a huge Internet security risks.Currently, most of the ASP program on the Internet so that security holes are, but if a little programming time to pay attention to the words, but that did not result to avoid.
1, the user name and password is compromised
Attack Thought: the user name and password, hackers are often most interested in the items, if in some way be seen pouring through the code, the consequences are significant.
Prevention tips: involving the user name and password the best package at the end of the procedure, as little as possible appear in the ASP documentation involved with the connected user name and password should be given minimal privileges. Many occurrences of a user name and password did not result in a position to write contest include hidden document. If involved with the database connection, under ideal conditions it is only the permissions to run the stored procedure, do not directly given to the user to correct, insert, delete records of the authority.
2, authentication is bypassed
Attack ideas: the current needs of the ASP program validated mostly in the head plus a judge PAGE statement, but not enough, there are estimated to be hackers to bypass the authentication directly into.
Prevention tips: demand proven ASPPAGE, can track the PAGE on a document name, and only come in from the previous dialogue turn PAGE to read the PAGE.
3, inc disclosure documents and difficult
Attack idea: when there is production of ASP's home page and do not stop before the final testing completed, no additional results are some of the mobile object for the Search. If this time was using Search engines look for this part of the stop, the document will be on the grade, and can view the database in place and the details of the framework, and to reveal the full stream of the code.
Prevention tips: programmers should be published in the website thoroughly before it is to stop debugging; security experts reinforced the need for external users ASP document can not see them. First. Inc encrypted document content to stop, then did not score applications. Documents instead. Inc document should be directly from the browser the user can view the document stream of code. inc document the default document name can not be applied or have special meaning easy to guess the name of the user, no rules apply as far as possible in English letters.
4, the automatic backup is downloaded
Attack idea: In some props editing ASP program, when the ASP to create or correct a document, Editor automatically creates a backup of documents, such as: UltraEdit will backup one. Bak document, as you create or corrected some. asp, Editor will automatically generate a document called some.asp.bak, if you do not delete the bak document, the attacker did not score a direct download some.asp.bak document, as some.asp the source will be downloaded.
Prevention tips: check carefully before uploading process, delete unnecessary documents. BAK suffix of the document to be especially careful.
5, a special char
Attack ideas: the input box is a hacker using the purpose of their No results through the input script language such as damage to the user client; if that involves data query input box, they will use a special query and get more database data, or even the entire table. Therefore necessary to filter out the input box to stop. However, if only in order to increase efficiency and legitimacy of the client stop the importation of inspection, there are estimated to be bypassed.
Prevention tips: dealing with a similar message boards, BBS, etc. in the input box of the ASP program, the best block out static pages, javaScript, VBScript statements, as no special requirements, not performance limited only enter letters and numbers, masked special char. At the same time the length of the input char stop control. And not only the legality of the client stop the importation of inspections at the process on the server side to stop a similar examination.
6, Database Download Vulnerability
Attack thoughts: In with the Access database to do the background, if someone through a variety of tips to understand or guess the server's Access database path and database name, then he can download the Access database, document, which is unusual dangerous.
Prevention tips:
(1) the name of your database documentation for unusual from a complex regulation of the name, and put it under layers of the list. The so-called "extraordinary rules", so to speak, for example there is a database to save information about books, can not give it a "book.mdb" name, but to play a strange name, such as d34ksfslf.mdb, and put it on as ./kdslf/i44/studi / the layers list, so after a hacker in order to guess the way to get your Access database document to more difficult.
(2) The database name can not be written in the program. Some people like to write the DSN in the program, such as:
DBPath = server. MapPath ("cmddb.mdb")
conn.Open "driver = {Microsoft Access Driver (*. mdb)}; dbq =" & DBPath
conn.Open "driver = {Microsoft Access Driver (*. mdb)}; dbq =" & DBPath
If in case people got the source, the name of your Access database to a glance. Therefore, in the opinion set your ODBC data source, and then write in the program as:
conn.open "webjxcom"
(3) Application Access to the database document coding and encryption. First, the "props → Security → Encryption / decryption database", select the database (such as: employer.mdb), and then click OK, then there will be "encrypted database, Save As" window can be saved as: "employer1.mdb" .
It should be noted that the above action does not set a password as the database, but only on the database to be encoded document, the purpose is to prevent other applications other props to view the content of the document database.
Then we as database encryption, encoding the first open after the employer1.mdb, when opened, select the "monopoly" approach. Then select the menu "prop → Security → Set Database Password", then enter the password. That even if the others were employer1.mdb documents without a password can see he is employer1.mdb content.
7, injection attacks against remote
Such attacks in the past should be the battle against the daily knowledge of methods, such as POST attack, the attacker did not score easily change the data value has to be submitted to attack purposes. Another example: COOKIES forgery, was the fuse that more value writers, or the attention, do not apply COOKIES method for the user authentication, or you and the thief left the keys to the same reason.
For example:
If trim (Request. cookies ("utitle "))=" fqy" and Request.cookies ("upwd") = "fqy # e3i5.com" then
... ... .. Abundance ... ... ...
End if
... ... .. Abundance ... ... ...
End if
I think you like the Internet regulators to write the program or do not make such mistakes buddy, really is unforgivable. Forged COOKIES are more young people, and you also used to blame other people like to run your password. Involves to the user's password or user login, you best use it is the most secure session. If you want to apply COOKIES COOKIES in your message on one more, SessionID, which is 64-bit random value, we must guess solution It is not estimated. Example:
if not (rs.BOF or rs.eof) then
login = "true"
Session ("usertitle" & sessionID) = Usertitle
Session ("passexpress" & sessionID) = Passexpress
'Response.cookies ("usertitle") = Usertitle
'Response.cookies ("Passexpress") = Passexpress
login = "true"
Session ("usertitle" & sessionID) = Usertitle
Session ("passexpress" & sessionID) = Passexpress
'Response.cookies ("usertitle") = Usertitle
'Response.cookies ("Passexpress") = Passexpress
Here we talk about how to prevent remote injection attacks, attacks are usually single table to submit documents to the local drag, the Form ACTION = "chk.asp" to point to your server documentation to process the data. If all your data filter out pages in a single table, then congratulations, you will have been scripting attack.
How can stop that kind of long-range attack? Easy to handle, see the source code is as follows: The body of (9)
<%
server_v1 = Cstr (Request. Server Variables ("HTTP_REFERER"))
server_v2 = Cstr (Request. Server Variables ("SERVER_NAME"))
if mid (server_v1, 8, len (server_v2)) <> server_v2 then
response.record "
"
response.record ""
response.record "the wrong path you submit, submitted against the data from an external site, please change the parameters can not be chaos!"
response.record ""
response.end
end if
%>
'Feeling independent individual filter out the source code above is not as good, some of the external submission and she was upright in, then write one.
'That is to filter out good results, opinions applications.
if instr (request.servervariables ("http_referer "),"")) <1 then response.record" server error when processing URL.
If you are using any means to attack a server, you should be glad, for your server, all operations have been recorded, we will NO · 1 notice to the Public Security Bureau and the English department to check your IP. "
response.end
end if
server_v1 = Cstr (Request. Server Variables ("HTTP_REFERER"))
server_v2 = Cstr (Request. Server Variables ("SERVER_NAME"))
if mid (server_v1, 8, len (server_v2)) <> server_v2 then
response.record "
response.record ""
response.record "the wrong path you submit, submitted against the data from an external site, please change the parameters can not be chaos!"
response.record ""
response.end
end if
%>
'Feeling independent individual filter out the source code above is not as good, some of the external submission and she was upright in, then write one.
'That is to filter out good results, opinions applications.
if instr (request.servervariables ("http_referer "),"")) <1 then response.record" server error when processing URL.
If you are using any means to attack a server, you should be glad, for your server, all operations have been recorded, we will NO · 1 notice to the Public Security Bureau and the English department to check your IP. "
response.end
end if
No comments:
Post a Comment