Security hazards and countermeasures of ASP + Access
2001-8-18, Move networks

With the development of the Internet, Web technology has seen many new developments. After the Common Gateway Interface (CGI), Active Server Pages (ASP) became a typical server-side web design technology, and it is widely used in Internet applications such as online banking, e-commerce and search engines. At the same time, the Access database, a desktop database system from Microsoft that uses the standard JET engine, has a large user base because it is simple to operate and has a friendly interface. ASP + Access has therefore become the preferred solution for many small and medium-sized online application systems. However, while the ASP + Access solution has brought us convenience, it also brings security problems that cannot be ignored.

Security hazards of ASP + Access

The main security hazard of the ASP + Access solution comes from the security of the Access database itself; the second comes from security vulnerabilities in the design of the ASP pages.

1. Hidden danger in Access database storage. In an ASP + Access application, anyone who obtains or guesses the storage path and file name of the Access database can download the database to his own machine. For example, the Access database of an online bookstore is usually given a name such as book.mdb or store.mdb, and it is usually stored under "URL/database" or simply placed in the root directory ("URL/"). In that case, typing "URL/database/store.mdb" in the browser's address bar is enough to download store.mdb to the local machine.

2. Decrypting the Access database is very simple. Because the encryption mechanism of the Access database is very simple, even if a database password is set it is easy to recover. The database system forms the stored "encrypted" string by XORing the password entered by the user with a certain fixed key, and stores it at address &H42 (offset 0x42) in the *.mdb file.
Since XOR has the property that XORing twice restores the original value, the password of the Access database can be obtained simply by XORing the encrypted string in the *.mdb file with this key once more. Based on this principle, a decryption program is easy to write. It can be seen that setting a database password offers no protection once the database file has been downloaded.

3. Security risks of the source code. Because ASP programs are written in non-compiled scripting languages, the security of the program source code is significantly reduced. Anyone who enters the site can obtain the source code, resulting in disclosure of the ASP application's source.

4. Security risks in the ASP code. In programming, forms (FORM) are used to interact with users, and the submitted content is reflected in the browser's address bar. If appropriate security measures are not taken, an attacker only has to note down this content to bypass the verification page. For example, typing "...page.asp?X=1" in the browser enters the page that satisfies the condition "X=1" directly, without going through the form page. Therefore, when designing verification or registration pages, special measures must be taken to avoid this problem.

Improving the security of the database

Since the encryption mechanism of the Access database is too simple, effectively preventing the Access database from being downloaded has become the top priority for the security of the ASP + Access solution.

1. Unconventional naming to prevent the database from being found. Give the Access database file a complicated, unconventional name and store it in a multi-level directory.
For example, do not simply name the database file of the online bookstore "book.mdb" or "store.mdb"; use an unconventional name such as FAQ19JHSVZBAL.MDB, and then put it in a deep directory such as ./Akkjj16t/kJHGB661/ACD/AVCCX55. In this way, illegal access by people who try to obtain the Access database file name by guessing is effectively blocked.

2. Use an ODBC data source. In ASP program design, use an ODBC data source wherever possible and do not write the database path directly in the program; otherwise the database path is exposed together with the ASP source code. For example:

    dbpath = Server.MapPath("./akkj16t/kJHGB661/ACD/AVCCX55/FAQ19JHSVZBAL.MDB")
    Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath

As can be seen, even if the database name is strange and the hidden directory is deep, the database is still easily downloaded once the ASP source code is leaked. If an ODBC data source is used, the physical path does not appear in the source at all, so there is no such problem:

    Conn.Open "ODBC-DSN name"

Encrypting the ASP pages

To effectively prevent ASP source code leaks, the ASP pages can be encrypted. There are generally two ways to do this. One is to use component technology to encapsulate the programming logic in a DLL; the other is to encrypt the ASP page with Microsoft Script Encoder. The author believes that the main problem with component technology is that each piece of code has to be made into a component, which is cumbersome and a lot of work, whereas encrypting the ASP page with Script Encoder is simple to operate and works well. (Note that Script Encoder is an encoding intended to deter casual viewing of the code, not cryptographic encryption.) The Script Encoder method has several advantages:

1. The HTML remains editable. Script Encoder encrypts only the ASP code embedded in the HTML page and leaves the HTML unchanged, so common web editing tools such as FrontPage or Dreamweaver can still be used to modify the HTML part. The encrypted ASP part, however, must not be modified, otherwise the file will fail.

2. Simple operation. Only a few command-line parameters need to be mastered. The Script Encoder program is screnc.exe and its syntax is as follows:

    screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] InputFile OutputFile

The parameters are: /s: suppress screen output; /f: overwrite the input file of the same name with the output file; /xl: do not add an @LANGUAGE directive at the top of .asp files; /l defLanguage: specify the default scripting language; /e defExtension: specify the extension of the files to be encrypted.

3. Batch encryption of files. Script Encoder can encrypt all ASP files in the current directory and write the encrypted files to a given directory. For example:

    screnc *.asp c:\temp

4. Script Encoder is free software. It can be downloaded from the Microsoft website: http://msdn.microsoft.com/scripting/vbscript/download/x86/sce10en.exe. After downloading, run the installer.
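The following Python model, added here and not code from the original article, shows why the password scheme described under hazard 2 offers no protection: the password is recovered by XORing the bytes at offset &H42 with the fixed key once more, and a file with no password carries the key itself at that offset (zero XOR key equals key). The 20-byte key, the field length and the fake database buffer are constructed placeholders for the demonstration, not the engine's real values.

```python
"""Model of the XOR-masked database password described in the article.

Added example; not from the original page. The engine stores the password
XORed with a fixed key at offset &H42 (0x42). DEMO_KEY and the 20-byte
field length are CONSTRUCTED stand-ins, not the real Jet key, so this only
demonstrates the mechanism and its consequence: XOR twice restores the
password.
"""

PASSWORD_OFFSET = 0x42      # offset stated in the article
PASSWORD_FIELD_LEN = 20     # assumed length of the stored field

# Constructed placeholder for the engine's fixed key (NOT the real key).
DEMO_KEY = bytes(range(0xA0, 0xA0 + PASSWORD_FIELD_LEN))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with key byte for byte (len(data) <= len(key))."""
    return bytes(d ^ k for d, k in zip(data, key))


def make_demo_mdb(password: str) -> bytearray:
    """Build a fake .mdb-like buffer: zeros except for the masked password
    field at PASSWORD_OFFSET. An empty password is all-zero plaintext, so
    after XOR the raw key ends up in the file."""
    raw = password.encode("latin-1")
    if len(raw) > PASSWORD_FIELD_LEN:
        raise ValueError("password longer than the stored field")
    field = raw.ljust(PASSWORD_FIELD_LEN, b"\x00")
    header = bytearray(256)
    header[PASSWORD_OFFSET:PASSWORD_OFFSET + PASSWORD_FIELD_LEN] = xor_bytes(field, DEMO_KEY)
    return header


def recover_password(mdb: bytes, key: bytes = DEMO_KEY) -> str:
    """Do what the article describes: read the field at 0x42, XOR it with
    the key a second time, and strip the NUL padding."""
    field = mdb[PASSWORD_OFFSET:PASSWORD_OFFSET + PASSWORD_FIELD_LEN]
    return xor_bytes(field, key).rstrip(b"\x00").decode("latin-1")


def has_password(mdb: bytes, key: bytes = DEMO_KEY) -> bool:
    """Under this scheme an unprotected file carries the key itself at 0x42,
    so comparing the field with the key tells whether a password was set."""
    field = mdb[PASSWORD_OFFSET:PASSWORD_OFFSET + PASSWORD_FIELD_LEN]
    return bytes(field) != key[:PASSWORD_FIELD_LEN]


if __name__ == "__main__":
    fake = make_demo_mdb("Book$tore")
    print("password set:", has_password(fake))
    print("recovered   :", recover_password(bytes(fake)))
```

Once the .mdb has been downloaded, the only secret protecting the password is the fixed key, which is identical for every database and can be read straight out of any unprotected file; this is why the article treats preventing the download, not the database password, as the real countermeasure.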
Using the Session object to verify registration

To prevent unregistered users from bypassing the registration interface and entering the application directly, the Session object can be used for registration verification. The biggest advantage of the Session object is that it keeps the user's information and lets subsequent web pages read it. For example, suppose you want to design the registration page shown in Figure 1.

Figure 1 Registration page

The design requires the system to start HRMIS.ASP?Page=1 after the user registers successfully. If registration is not verified with the Session object, a user can type that URL in the browser to bypass the registration interface and enter the system directly. Using the Session object effectively prevents this. The related program code is as follows:

    <%
    ' Read the account and password entered by the user
    UserId = Request("userid")
    Password = Request("password")
    ' Check whether UserId and Password are correct (the actual program may be more complicated)
    If UserId <> "Hrmis" Or Password <> "Password" Then
        Response.Write "Account error!"
        Response.End
    End If
    ' Set the Session object to record that verification has passed
    Session("passed") = True
    %>

After entering the application, verify first:

    <%
    ' If verification has not been passed, return to the login page
    If Not Session("passed") Then
        Response.Redirect "login.asp"
    End If
    %>

Let me also share my experience. (Maybe so, but please don't throw eggs, thank you.) Using an ODBC data source is more troublesome; if you change machines you have to set it up again. It is better to put the MDB file in a non-IIS directory, such as c:\ ; then it cannot be downloaded, hoho~
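An added check for the two database countermeasures in the article and for the suggestion in the reply above (example code, not from the article or the reply): walk the web root for .mdb files that would be downloadable by URL however odd their name or deep their directory, and scan .asp sources for hard-coded .mdb paths or dbq= connection strings that an ODBC DSN would have kept out of the source. The directory layout, file names and file contents below are constructed for the demonstration, and the two regular expressions are an assumption about how such paths appear in ASP code.

```python
"""Audit: is any Access database reachable under the web root, and does any
ASP page hard-code the database path? Added example for this article; the
sample site it builds is constructed, not taken from the page."""

import os
import re
import tempfile

# Assumed forms in which a database location shows up in ASP source.
MDB_LITERAL = re.compile(r"[\w./\\-]+\.mdb", re.IGNORECASE)
DBQ_CONN = re.compile(r"dbq\s*=", re.IGNORECASE)


def find_exposed_mdb(webroot: str) -> list:
    """Return every .mdb under the web root (relative paths). Each one is
    downloadable by URL regardless of naming or directory depth."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if name.lower().endswith(".mdb"):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


def find_hardcoded_paths(webroot: str) -> dict:
    """Map each offending .asp file to the .mdb literals it contains.
    A DSN-only connection such as Conn.Open "bookstore_dsn" yields no hit."""
    findings = {}
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".asp"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                text = fh.read()
            literals = MDB_LITERAL.findall(text)
            if literals or DBQ_CONN.search(text):
                findings[os.path.relpath(path, webroot)] = literals
    return findings


def build_demo_site() -> str:
    """Constructed web root: a database parked in a deep directory under the
    root, one page with a hard-coded path, one page using a DSN."""
    root = tempfile.mkdtemp(prefix="wwwroot_")
    deep = os.path.join(root, "akkj16t", "kJHGB661", "ACD", "AVCCX55")
    os.makedirs(deep)
    open(os.path.join(deep, "FAQ19JHSVZBAL.MDB"), "wb").close()
    with open(os.path.join(root, "bad.asp"), "w") as fh:
        fh.write('<% dbpath = Server.MapPath("./akkj16t/kJHGB661/ACD/AVCCX55/FAQ19JHSVZBAL.MDB")\n'
                 'Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath %>\n')
    with open(os.path.join(root, "good.asp"), "w") as fh:
        fh.write('<% Conn.Open "bookstore_dsn" %>\n')
    return root


if __name__ == "__main__":
    site = build_demo_site()
    print("exposed .mdb files:", find_exposed_mdb(site))
    print("hard-coded paths  :", find_hardcoded_paths(site))
```

Run against a real site root, an empty result from find_exposed_mdb is the condition the reply above asks for (the database lives outside the IIS tree), and an empty result from find_hardcoded_paths is the condition the article's ODBC advice produces.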
Encrypting the MDB file is basically useless; you can download a tool from the network to crack the Access database password. In fact, not all the data in our database has to be confidential. For example, in a forum database the content that really needs to be kept confidential is only some of the users' information (such as password, identity code, etc.) and the users' private "short messages"; other things, such as the user's name and the public posts the user has made, do not need to be confidential. Therefore, we can use some encryption algorithm to encrypt the data that needs to be confidential (for example, using the SHA1 algorithm to encrypt the passwords in the database), so that even if someone else obtains the database file, he still has to know the method before he can get the information he wants.
Regarding "typing URL/HRMIS.ASP?Page=1 can bypass the registration interface and enter the system directly": in fact, the countermeasure is not limited to using Session (personally I do not like to use Session, because many books say that Session takes up a lot of system resources). We can use the cookie mechanism to achieve what the article achieves with Session, or in the URL/hrmis.asp page we can check Request.ServerVariables and use its value to determine which page the content was submitted from.