Security hazards and countermeasures for ASP + Access

zhaozj 2021-02-16

With the development of the Internet, Web technology changes by the month. After the Common Gateway Interface (CGI), ASP (Active Server Pages) became the typical server-side web design technology and is widely used in online banking, e-commerce, search engines and other Internet applications. At the same time the Access database, a desktop database system launched by Microsoft with the standard JET engine, has a large user base thanks to its simple operation and friendly interface. ASP + Access has therefore become the preferred solution for many small and medium-sized online application systems. But while the ASP + Access solution brings convenience, it also brings security issues that cannot be ignored.

Security hazards of ASP + Access

The main security hazard of the ASP + Access solution comes from the security of the Access database itself, followed by security vulnerabilities in the design of the ASP pages.

1. Hidden danger in Access database storage. In an ASP + Access application, if someone obtains or guesses the storage path and file name of the Access database, the database can be downloaded to their local machine. For example, the Access database of an online bookstore is usually named book.mdb, store.mdb or similar, and is usually stored at "URL/database" or simply under the site root ("URL/"). Typing "URL/database/store.mdb" into the browser address bar is then enough to download store.mdb to the local machine.

2. The Access database is easy to decrypt. Because the encryption mechanism of the Access database is very simple, the database is easy to decrypt even when a password has been set. The database system XORs the password entered by the user with a certain fixed key to form an encrypted string, and stores it at address &H42 in the *.mdb file. Since the XOR operation has the property that applying it twice restores the original value, the Access database password can easily be recovered from this key and the encrypted string in the *.mdb file, and a decryption program can easily be written on this principle. It follows that once the database has been downloaded, a database password gives no protection.

3. Safety risks of the source code. Because ASP programs are written in a non-compiled language, the security of the program source code is greatly reduced. Anyone who gets into the site can obtain the source code, which leads to the disclosure of the ASP application's source code.

4. Security risks in the ASP code. In programming, forms (FORM) are used to interact with users, and the corresponding content is reflected in the browser's address bar. If appropriate security measures are not taken, anyone who writes down this content can get around the verification page. For example, typing "...page.asp?X=1" in the browser lets a user go directly to the page that the "X=1" condition unlocks, without passing through the form page. Therefore, when designing verification or registration pages, special measures must be taken to avoid such problems.
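The fix for hazard 4 is to keep the proof of verification on the server rather than in the address bar. The following is an added example, not code from the original article: the file names login.asp and member.asp, the "Verified" session key, the Members table and the WebStoreDSN data source are assumptions, and the connection uses an ODBC DSN as the countermeasures section recommends.

```vbscript
<%
' ---------- login.asp : receives the POSTed login form ----------
' Added example, not code from the original article. The file names,
' the "Verified" session key, the Members table and the WebStoreDSN
' data source are assumptions made for illustration.
Option Explicit
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
' Connect through an ODBC DSN: no .mdb path appears in the source
conn.Open "DSN=WebStoreDSN"

' Look the user up with a parameterised ADODB.Command; the submitted
' values are bound as parameters rather than pasted into the SQL text.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT COUNT(*) FROM Members WHERE UserName = ? AND Pwd = ?"
' 200 = adVarChar, 1 = adParamInput, 50 = field size
cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, Request.Form("user"))
cmd.Parameters.Append cmd.CreateParameter("p", 200, 1, 50, Request.Form("pass"))
Set rs = cmd.Execute

If rs(0) > 0 Then
    ' The proof of verification lives only in the server-side session;
    ' nothing member.asp relies on can be typed into the address bar.
    Session("Verified") = True
    Response.Redirect "member.asp"
Else
    Response.Redirect "login.htm?err=1"
End If
Response.End
%>

<%
' ---------- member.asp : the page that used to be reached by "?X=1" ----------
' Vulnerable pattern from hazard 4 (kept only as a comment): trusting the URL.
'     If Request.QueryString("X") = "1" Then ShowMemberContent
' Hardened pattern: trust only the flag that login.asp set in the session.
If Session("Verified") <> True Then
    Response.Redirect "login.htm"
    Response.End
End If
%>
<p>Member-only content.</p>
```

Because the session flag is set only by login.asp after the lookup succeeds, requesting member.asp with any query string gives a redirect to the login form instead of the protected content.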

Improving the security of the database

Since the encryption mechanism of the Access database is too simple, effectively preventing the Access database from being downloaded has become the top priority for the security of the ASP + Access solution.

1. Unconventional naming to keep the database from being found. Give the Access database file a complicated, unconventional name and store it in a multi-level directory. For example, do not simply name the online bookstore's database file "BOOK.MDB" or "Store.mdb"; use an unconventional name such as FAQ19JHSVZBAL.MDB and put it in a deep directory such as ./Akkjj16t/kJHGB661/ACD/AVCCX55. In this way, illegal access that works by guessing the Access database file name is blocked.

2. Use an ODBC data source. In ASP program design, use an ODBC data source wherever possible and do not write the database name directly into the program; otherwise the database name is lost together with the ASP source code. For example:

dbpath = Server.MapPath("./akkj16t/kJHGB661/ACD/AVCCX55/FAQ19JHSVZBAL.MDB")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath

As this shows, however strange the database name and however deep the hidden directory, the database is still easily downloaded once the ASP source code is leaked. If an ODBC data source is used, there is no such problem:

Conn.Open "ODBC-DSN Name"

Encrypting the ASP pages

To effectively prevent ASP source code leaks, encrypt the ASP pages. There are generally two ways to do this. One is to use component technology to encapsulate the programming logic in a DLL; the other is to encrypt the ASP pages with Microsoft Script Encoder. The author believes the main problem with component technology is that every piece of code has to be made into a component, which is cumbersome and a lot of work; encrypting the ASP pages with Script Encoder is simple to operate and works well. The Script Encoder method has many advantages:

1. The HTML remains editable. Script Encoder only encrypts the ASP code embedded in the HTML page and leaves the HTML unchanged, so common web editing tools such as FrontPage or Dreamweaver can still be used to modify the HTML part. The encrypted ASP part, however, must not be modified, otherwise the file will stop working.

2. Simple operation. Only a few command line parameters need to be mastered. The Script Encoder program is screnc.exe, used as follows:

screnc [/s] [/f] [/xl] [/l deflanguage] [/e defextension] inputfile outputfile

The parameters are:
/s: suppress screen output;
/f: specifies whether the output file overwrites the input file of the same name;
/xl: controls whether an @language directive is added at the top of the .asp file;
/l deflanguage: specifies the default scripting language;
/e defextension: specifies the extension of the files to be encrypted.

3. Files can be encrypted in batches. Script Encoder can encrypt all ASP files in the current directory and output the encrypted files to the chosen directory. For example:

screnc *.asp C:/Temp

4. Script Encoder is free software. It can be downloaded from the Microsoft website: http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the installer.

Please credit the original address when reprinting: https://www.9cbs.com/read-25273.html
