Common ASP scripting attacks and prevention skills

xiaoxiao 2021-03-06

1. User name and password are cracked

Attack principle: User names and passwords are often what hackers are most interested in. If they are exposed in some way, the consequences are serious.

Preventive skills: Code that handles user names and passwords is best encapsulated on the server side and should appear in ASP files as little as possible. User names and passwords used for database connections should be given minimal permissions. User names and passwords that are used many times can be written in a single location. For database connections, ideally grant the account only permission to execute stored procedures; do not give the user direct permission to modify, insert, or delete records.

2. Verification is bypassed

Attack principle: ASP programs that require verification currently add a check statement at the top of the page, but this is not enough: a hacker may be able to bypass the verification and reach the page directly.

Preventive skills: An ASP page that requires verification should track the file name of the previous page, and only a session that arrived from the previous page may read this page.
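
One way to implement this check, as an added example that is not code from the original article. The file names (guard.asp, login_check.asp, members.asp, login.asp) and the Session keys are assumptions.

```vbscript
<%
' --- login_check.asp: runs only after the credentials have been verified ---
' (the credential check itself is not shown)
Session("LoggedIn") = True
Session("LastPage") = "login_check.asp"
Response.Redirect "members.asp"
%>

<%
' --- guard.asp (hypothetical include): shared by every protected page ---
Function CurrentPage()
    ' File name of the page being executed, e.g. "members.asp"
    Dim path
    path = Request.ServerVariables("SCRIPT_NAME")
    CurrentPage = LCase(Mid(path, InStrRev(path, "/") + 1))
End Function

Sub RequirePreviousPage(allowedPage)
    ' The previous page is read from Session, which lives on the server,
    ' not from the Referer header, which the client controls.
    Dim previous, ok
    previous = LCase(Session("LastPage") & "")
    ' Accept the expected predecessor, or this page itself (a refresh).
    ok = (Session("LoggedIn") = True) And _
         ((previous = LCase(allowedPage)) Or (previous = CurrentPage()))
    If Not ok Then
        Session.Abandon
        Response.Redirect "login.asp"
    End If
    ' Record this page so the next protected page can check its predecessor.
    Session("LastPage") = CurrentPage()
End Sub
%>

<!-- --- members.asp: the guard runs before any output is written --- -->
<!-- #include file="guard.asp" -->
<% RequirePreviousPage "login_check.asp" %>
```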

3. INC file leak problem

Attack principle: While a site that uses ASP is still being built and has not yet completed final debugging, its pages can be added as search targets by some search engines. If someone then uses the search engine to find these pages, they get the location of the files, can view details of the database location and structure in the browser, and so reveal the complete source code.

Preventive skills: Programmers should debug pages completely before publishing them; security experts need to harden ASP files so that outside users cannot see them. First, encrypt the contents of the .inc file. Second, you can use an .asp file instead, because an .inc file lets the user view the source code of the file directly from the browser. Do not give the .inc file the system default name or a name with a special meaning that a user could guess; use an arbitrary string of English letters instead.

4. Automatic backup is downloaded

Attack principle: Some tools used for editing ASP programs automatically create a backup file when an ASP file is created or modified. UltraEdit, for example, saves a .bak file: if you create or modify some.asp, the editor automatically generates some.asp.bak. If you do not delete this .bak file, an attacker can download some.asp.bak directly, and so the source of some.asp is downloaded.

Preventive skills: Check the program carefully before uploading it and delete unnecessary files. Be especially careful with files that have the .bak suffix.
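
The pre-upload check described in sections 3 and 4 can be scripted. The following is an added example, not code from the original article: a Windows Script Host script that walks a site folder and lists files a browser could fetch as raw source or data. The extension list is built from the file types this page names (.bak, .inc, .mdb); the script name audit.vbs is an assumption.

```vbscript
' audit.vbs - run as: cscript //nologo audit.vbs C:\path\to\site
Option Explicit
Dim fso, risky, root, count
Set fso = CreateObject("Scripting.FileSystemObject")
risky = Array("bak", "inc", "mdb")   ' file types named on this page

Function IsRisky(fileName)
    ' True when the file's extension is on the list (case-insensitive).
    Dim ext, i
    IsRisky = False
    ext = LCase(fso.GetExtensionName(fileName))
    For i = 0 To UBound(risky)
        If ext = risky(i) Then
            IsRisky = True
            Exit Function
        End If
    Next
End Function

Sub Scan(folder)
    ' Report matching files in this folder, then recurse into subfolders.
    Dim f, child
    For Each f In folder.Files
        If IsRisky(f.Name) Then
            WScript.Echo f.Path
            count = count + 1
        End If
    Next
    For Each child In folder.SubFolders
        Scan child
    Next
End Sub

If WScript.Arguments.Count > 0 Then
    root = WScript.Arguments(0)
Else
    root = "."
End If
count = 0
Scan fso.GetFolder(root)
WScript.Echo count & " file(s) to delete or protect before upload"
' A non-zero exit code lets a deployment batch file stop the upload.
If count > 0 Then WScript.Quit 1
```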

5. Special characters

Attack principle: Input boxes are a target for hackers. By entering script code they can cause damage on the user's client; if the input box is used in a data query, they can use special query statements to obtain more database data, even entire tables. Input boxes must therefore be filtered. However, if for the sake of efficiency the input is only checked on the client, the check can still be bypassed.

Preventive skills: In ASP programs such as message boards and BBS, it is best to block HTML, JavaScript, and VBScript statements. If there are no special requirements, input can be limited to letters and numbers only, blocking special characters. The length of the input should also be limited. Input validity should be checked not only on the client; a similar check must also be performed in the server-side program.
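
A server-side version of these checks, as an added example that is not code from the original article. The form field "nickname", the table "guestbook" and its columns are assumptions; the DSN name "shujiyuan" is the one used in section 6. The parameterized query goes beyond the filtering this section describes and is included so that the query text never contains user input.

```vbscript
<%
Const MAX_LEN = 20
Const adCmdText = 1, adVarChar = 200, adParamInput = 1   ' standard ADO values

Function IsLettersAndDigits(value, maxLength)
    ' Allow-list check: 1..maxLength characters, letters and digits only.
    Dim re
    IsLettersAndDigits = False
    If Len(value) = 0 Or Len(value) > maxLength Then Exit Function
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9]+$"
    IsLettersAndDigits = re.Test(value)
End Function

Dim nickname, conn, cmd, rs
nickname = Trim(Request.Form("nickname") & "")

' Reject bad input on the server even if the client-side check was skipped.
If Not IsLettersAndDigits(nickname, MAX_LEN) Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "shujiyuan"

' The value is bound as a parameter, so it is never parsed as SQL.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "SELECT message FROM guestbook WHERE nickname = ?"
cmd.Parameters.Append cmd.CreateParameter("nick", adVarChar, adParamInput, MAX_LEN, nickname)
Set rs = cmd.Execute

' Encode stored text on output so saved markup is shown, not executed.
Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("message") & "") & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```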

6. Database download vulnerability

Attack principle: When you use Access as the back-end database, if someone knows or guesses the path of the server's Access database and the database name, he can download the Access database file, which is very dangerous.

Preventive skills:

(1) Give your database file a complex, unconventional name and put it several directory levels deep. "Unconventional" means, for example, that a database of information about books should not be named "book.mdb"; give it a strange name such as D34KSFSLF.MDB and put it several levels deep, for example in ./kdslf/i44/studi/, so that it is hard for a hacker to obtain your Access database file by guessing.

(2) Do not write the database name in the program. Some people like to write the DSN in the program, such as:

Set Conn = Server.CreateObject("ADODB.Connection")

DBPath = Server.MapPath("cmddb.mdb")

Conn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & DBPath

If someone obtains the source program, the name of your Access database is exposed. So I suggest you set up the data source in ODBC and then write this in the program:

Conn.open "shujiyuan"

(3) Use Access to encode and encrypt the database file. First select the database (such as EMPLOYER.MDB) in Tools → Security → Encrypt/Decrypt Database, then press OK. The window for saving the encoded database then appears, and the file can be saved as "Employer1.mdb".

Note that the above step does not set a password for the database; it only encodes the database file. The purpose is to prevent others from using other tools to view the contents of the database file.

Next, encrypt the database. First open the encoded Employer1.mdb, selecting "exclusive" mode when opening it. Then select "Tools → Security → Set Database Password" from the menu and enter the password. After this, even if someone gets the Employer1.mdb file, without the password he cannot see the content of Employer1.mdb.

When reposting, please cite the original address: https://www.9cbs.com/read-71325.html