ASP Network Security Manual (1)
[Author: Unknown Add Time: 2001-5-26 11:52:29]
Source: www.cpcw.com One Preface Microsoft Active Server Pages (ASP) is a server-side script writing environment that uses it to create and run dynamic, interactive web server applications. Use ASP to combine HTML pages, scripting commands, and ActiveX components to create an interactive web page and web-based power-based applications. Nowadays, many websites, especially the e-commerce website, mostly used ASP on the front desk. So now ASP is very common on the website application. ASP is a quick tool for developing website applications, but some webmasters only see the rapid development capabilities of ASP, but ignore ASP security issues. The ASP has been subject to many vulnerabilities, the pain of the latter, including the nightmare of% 81, password verification, IIS vulnerability, etc. have always made the ASP website developers have been shocked. This article tries from an Operating system vulnerability and ASP program itself, and explains the ASP security issues, and gives a solution or suggestion. Two keywords ASP, network security, IIS, SSL, encryption. The three ASP work mechanism Active Server Page technology provides the application developers with scripting intuitive, fast, and efficient application development methods, which greatly improves the development of the development. Let's take a look at how the ASP works before discussing the security issues of ASP. The ASP script is written in a plain text. The ASP script is a file that is written in a text format that is composed of a script that is mixed with a standard HTML page in a series of specific symphony (currently supporting VBScript and JScript two scripting languages). When the client's end user uses a web browser to access an ASP script-based app, the web browser will send an HTTP request to the Web server. Web server analysis, judging that the request is an application of the ASP script, and automatically calls the ASP script to interpret the ASP script through the ISAPI interface. Asp.dll will get the specified ASP script file from the file system or internal buffer, then perform syntax analysis and explain it. The final processing result will form the contents of the HTML format, return to the web browser through the web server "original road", and the final result is presented by the web browser to the client. This completes a complete ASP script call. Several organic ASP script calls form a complete ASP scripting application. Let's take a look at the environment you need to run the ASP: Microsoft Internet Information Server 3.0 / 4.0 / 5.0 ON NT Server Microsoft Internet Information Server 3.0 / 4.0 / 5.0 on Win2000 Microsoft Personal Web Server On Windows 95/98 Windows NT Option Pack Microsoft IIS provides powerful features, but IIS is more dangerous in network security. Because few people will use Windows 95/98 as the server, this article I will discuss from the IIS security issues in NT. Safety Advantages of Siwei Soft Solites ASP Although the focus of our paper is to explore the ASP vulnerability and the back door, it is necessary to talk about the "advantage" of ASP in network security, "" because sometimes these Microsoft claims " Advantages "is precisely its security hidden. Microsoft said that ASP is a major advantage in network security. It is that users cannot see ASP's source programs. From ASP, the ASP executes and interprets a standard HTML statement to the client browser.
"Shield" source can maintain the copyright of the ASP developer. Imagine that you have made a very good process, give people any Copy, what do you think? And hackers can also analyze your ASP program and pick out the vulnerability. More importantly, some ASP developers like to write passwords, privileged usernames and paths directly in the program, so others can find the "entrance" of the attack system through guessing code, guess the path. However, many vulnerabilities that can view the ASP source program have been discovered, and we will also discuss it later. IIS supports virtual directory, manage virtual directories by "Directory" tab in the Server Properties dialog. Establishing a virtual directory is very important for managing Web sites. The virtual directory hides important information about the site directory structure. Because the customer can obtain the file path information of the page by selecting "View Source Code", it is easy to obtain the file path information of the page. If you use the physical path in the web page, you will expose important information about the site directory, which is easy to cause the system to be attacked. . Second, as long as the two machines have the same virtual directory, you can move the web page from one machine from one machine without any changes to the page code. Also, when you place a web page in a virtual directory, you can set different properties to your directory, such as: Read, Excute, Script. Read Access Indicates that directory content is passed from IIS to your browser. The execution of access can perform executable files in this directory. When you need to use the ASP, you must set the directory of the .asp file to "Excute". It is recommended that when you set up a Web site, place the HTML file with the ASP file in different directories, then set the HTML subdirectory to "Read", set the ASP subdirectory to "Execute", which is not only convenient for web. Manage, and most importantly improve the security of the ASP program to prevent program content from being accessed by the customer. Next 8
related information:
-
Use ASP technology in Flash
-
Two solutions to the ASP Chinese display
-
The impact of ASP data type on software performance
-
Establish a website map with ASP
-
Profile using VC 6.0 production ASP Server Control