Server-side security verification in ASP (beginner level)

xiaoxiao  2021-03-06

The fastest way for an attacker to break into a website is often a CGI script vulnerability: inject database statements and walk straight into the site, and it works remarkably well. Once a site has been broken into, everything inside it can be read, and for a site holding important information the result is devastating.

ASP has been popular on the web for a long time, but its security is still very poor. Here I discuss, from my own practice, how to verify a login form safely. Many beginners like to do the verification on the client side; to anyone who understands a little web design that is no obstacle at all, so the verification must be done on the server side. Although the methods below are written for ASP scripts, they apply to most interactive scripting environments; ASP is simply the most prominent example.

1. Verify the format. If a field must be a number, check that the content is numeric; if it is an email address, check it against the usual email pattern; if it is mandatory, check that it is not empty. This is the most basic kind of security verification and is present in any script with a little security awareness, but on its own it is still not enough.

2. Limit the length of the input: neither too short nor too long. If the length is not restricted, at best an over-long submission spoils the layout of the site; at worst it creates unforeseen security problems and can even crash the system, much like an overflow attack. It is especially dangerous when the submitted content exceeds the length you can handle. For database-backed sites, and small Access databases in particular, exceeding the field length returns an error, and such error messages often expose the database path, which the attacker then uses to download the database and take its contents. The consequences are hard to imagine. Use the Len function to compute the length; if it exceeds the predetermined length, stop execution on the server (Response.End) or keep only the leading characters (Left). Also make sure raw database errors are never shown to the visitor: handle them in the script (On Error Resume Next with a check of Err) and return a generic error page, so the path cannot leak in the first place.

3. Reject special characters and HTML, DHTML, JavaScript and VBScript in submissions, to prevent database injection. These characters and scripts are often exactly what the ASP script or the database would execute, so the server ends up running the submitted text, which is very dangerous. In the early forums and chat rooms, pranksters used HTML and JS code to open countless windows on visitors' computers and crash them; such code can also steal passwords and run other "mischief". Frightening? Ha ha... But that is only an attack on the client; what matters most is the security of the server. Attackers often use special-character vulnerabilities to get into the site. A typical example is submitting a value built from a quote and an or clause, such as the page's [= Name "or" name <> 123]: the quote closes the string literal in the SQL statement and the rest adds a condition of the attacker's choosing, so the database executes the attacker's SQL. We must forbid visitors from using such characters by removing or replacing them; many forums use UBB code instead of HTML, which is a good choice. Replacing quotes is only a stopgap: where ADO is available, pass values as Parameters of an ADODB.Command so they are never spliced into the SQL text at all.
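The three checks above (format, length, forbidden characters), as an added example written for this page rather than taken from the article. It is plain JavaScript that mirrors what a classic ASP login handler in JScript or VBScript would do with Request.Form before touching the database; the field names, the length limits and the users table in the demonstration query are assumptions. It also shows why rejecting the characters is preferable to the quote-doubling stopgap: the article's or-based payload is blocked by the validator, and the naive and escaped queries are shown side by side.

```javascript
// Added example, not from the original article. Plain JavaScript standing in
// for a classic ASP handler; `form` is a plain object in place of Request.Form.

var MAX_USER_LEN = 20;   // assumed limits; take yours from the DB column sizes
var MAX_PASS_LEN = 32;

// Point 1: format. Username is letters, digits and underscore only.
var USERNAME_RE = /^[A-Za-z0-9_]+$/;
var EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
var DIGITS_RE = /^[0-9]+$/;

// Point 3: characters with meaning in SQL, HTML or script. For a login form
// the article's advice is to reject them outright rather than clean them.
var FORBIDDEN_RE = /['";<>\\]|--/;

function validateLogin(form) {
  var errors = [];
  var user = form.username == null ? "" : String(form.username);
  var pass = form.password == null ? "" : String(form.password);

  if (user.length === 0) errors.push("username: required");
  if (pass.length === 0) errors.push("password: required");

  // Point 2: length, both bounds. Reject instead of truncating so an
  // over-long value never reaches the database and its error messages.
  if (user.length > MAX_USER_LEN) errors.push("username: too long");
  if (pass.length > MAX_PASS_LEN) errors.push("password: too long");

  if (user.length > 0 && !USERNAME_RE.test(user)) errors.push("username: bad format");
  if (FORBIDDEN_RE.test(user) || FORBIDDEN_RE.test(pass)) errors.push("forbidden characters");

  return { ok: errors.length === 0, errors: errors };
}

// Other typical fields, checked with the same idea.
function validateNumber(s) { return DIGITS_RE.test(String(s)); }
function validateEmail(s) { return String(s).length <= 254 && EMAIL_RE.test(String(s)); }

// The statement a naive page builds by string splicing; shown only so the
// injection is visible. Table and column names are assumed.
function naiveQuery(user, pass) {
  return "SELECT * FROM users WHERE name='" + user + "' AND pwd='" + pass + "'";
}

// Classic ASP stopgap when Command parameters are not used: double every
// single quote so it can no longer close the string literal.
function escapeSqlLiteral(s) { return String(s).replace(/'/g, "''"); }
function safeQuery(user, pass) {
  return "SELECT * FROM users WHERE name='" + escapeSqlLiteral(user) +
         "' AND pwd='" + escapeSqlLiteral(pass) + "'";
}

// Constructed payload in the shape the article describes: a quote that closes
// the literal followed by an "or" condition of the attacker's choosing.
var INJECTION_PAYLOAD = "' or name<>'123";
```

With `INJECTION_PAYLOAD` as the username, `naiveQuery` produces `name='' or name<>'123' AND pwd='p'`, which the database happily runs; `safeQuery` keeps the quotes inside the literal, and `validateLogin` refuses the value before either query is built. In a real page the validator's result decides whether the script continues or calls Response.End.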

4. Limit the number of failed logins. I call this the "snail protection system"; it is the most common security technique in banking, telecommunications and similar sectors. For historical reasons these sectors often use passwords of six digits or fewer, which is far too fragile in the network era: a single computer can run through every password in a short time. So they use the snail protection approach: after three wrong PINs the bank card can no longer withdraw money, and after three wrong PINs the mobile phone's SIM card locks itself. When designing an interactive ASP site we can do the same: once the limit is exceeded, the account can no longer be used, which stops an attacker from guessing passwords with software to get into the site. Keep the counter on the server, per account, and remember that a permanent lock lets an attacker lock real users out on purpose, so a lock that expires after a set time is usually the better choice.

5. Verification code. This method is mainly meant to stop password guessing, and it verifies the password check itself. Generate the code with the Rnd function and check the submitted value against a copy kept in the Session; that is safe. Do not keep it in a Hidden form field, where the client can read it and send it back. More and more sites now verify passwords this way.

6. Operator time limit. Sometimes an operator enters the site and leaves the window open, and another person uses it to enter the system illegally. A time limit on the operation prevents this: the service is terminated after the timeout. In ASP use the Session (Session.Timeout, with Session.Abandon when the limit is reached).

7. Verify the access path, so that a visitor cannot fake a session from their own website or computer to defeat the security verification. Requests that arrive from an abnormal page are not executed. In ASP the referring page is available as Request.ServerVariables("HTTP_REFERER"); note that this header is supplied by the client, so the check defeats only casual attempts and must not be the only protection.
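Points 4 through 7 (failed-login limit, session-held verification code, operator time limit, referring-page check) as one added example, written for this page and not taken from the article. It is plain JavaScript that mirrors what a classic ASP login page in JScript would do with Session and Request.ServerVariables; the session and request are mocked as plain objects, and the lock threshold, idle timeout, site host name and field names are assumptions.

```javascript
// Added example, not from the original article. Session and request are plain
// objects standing in for ASP's Session and Request.ServerVariables.

var MAX_FAILURES = 3;                      // point 4: lock after 3 bad passwords (assumed)
var SESSION_TIMEOUT_MS = 10 * 60 * 1000;   // point 6: 10 minutes idle (assumed)
var SITE_HOST = "www.example.com";         // point 7: host our forms live on (assumed)

// Point 4: per-account failure counter kept on the server. In memory here for
// the demo; a real site keeps it in the users table so it survives restarts.
function createLockoutStore() { return {}; }

function recordLoginAttempt(store, account, passwordOk) {
  var rec = store[account] || (store[account] = { failures: 0, locked: false });
  if (rec.locked) return "locked";
  if (passwordOk) { rec.failures = 0; return "ok"; }
  rec.failures += 1;
  if (rec.failures >= MAX_FAILURES) { rec.locked = true; return "locked"; }
  return "denied";
}

// Point 5: a verification code from the random function, held in the session
// and never in a hidden field. `rnd` is injectable so the demo is deterministic.
function issueCheckCode(session, rnd) {
  var r = rnd || Math.random;
  var code = String(Math.floor(r() * 900000) + 100000);   // six digits
  session.checkCode = code;
  return code;   // the page would render this as an image
}

function verifyCheckCode(session, submitted) {
  var expected = session.checkCode;
  session.checkCode = null;                // one shot, even on failure
  return expected != null && submitted === expected;
}

// Point 6: operator time limit, refreshed on every request. Returns false and
// logs the session out (Session.Abandon in ASP) when the idle limit is passed.
function touchSession(session, nowMs) {
  if (session.lastSeen != null && nowMs - session.lastSeen > SESSION_TIMEOUT_MS) {
    session.loggedIn = false;
    session.lastSeen = nowMs;
    return false;
  }
  session.lastSeen = nowMs;
  return true;
}

// Point 7: the form must have been loaded from our own site. The Referer header
// is client supplied, so this stops casual off-site forms only.
function refererIsOwnSite(serverVariables) {
  var ref = serverVariables.HTTP_REFERER || "";
  var m = /^https?:\/\/([^\/:?#]+)/i.exec(ref);
  return m != null && m[1].toLowerCase() === SITE_HOST;
}

// The order a login handler applies the checks: cheapest and most external
// first, the password check (with its lockout counter) last.
function handleLogin(ctx) {
  if (!refererIsOwnSite(ctx.serverVariables)) return "bad-referer";
  if (!touchSession(ctx.session, ctx.nowMs)) return "timed-out";
  if (!verifyCheckCode(ctx.session, ctx.form.checkCode)) return "bad-code";
  return recordLoginAttempt(ctx.store, ctx.form.username, ctx.passwordOk);
}
```

`ctx.passwordOk` stands for the result of the actual credential lookup, which is out of scope here. Because `verifyCheckCode` clears the stored code whether or not the submission matched, every attempt costs the attacker a fresh page load, which is what makes the code useful against guessing software.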

8. Log management: record each operator's actions, so that any vulnerability can be traced and fixed at any time.

9. Encrypt the database, its path and the scripts, disable unsafe components, and patch system security vulnerabilities. Although this is not a matter of form submission, it is clearly inseparable from security. There are many ways to do it, which I will not repeat here.

10. Prevent the Back button or the browser cache from redisplaying page content. Similar to point 6: this stops an illegitimate operator from using Back to view what the previous operator left on screen. Set the page to be re-read from the server every time; in ASP that means Response.Expires = -1, Response.CacheControl = "no-cache" and Response.AddHeader "Pragma", "no-cache" at the top of the page.

11. Do not link to important content from public pages. Some search engine robots will index an important page into the engine, which is like opening the door to visitors from all over the world. Some engines even behave like hacker programs, "stealing" information from the server in ways that are hard to fight, which is why some companies have blocked search providers from indexing them. Bear in mind that robots.txt is only a request to well-behaved crawlers; a page that must not be public needs real authentication, not just the absence of a link.

Please cite the original address when reposting: https://www.9cbs.com/read-61210.html
