How to better prevent hacker attacks? I would like to give my personal opinion. First, free programs should not simply be used as they come: because their source code is openly shared, attackers can analyze that code as well. If you pay attention to the details, the security of your site will be greatly improved. Even if a vulnerability such as SQL injection occurs, it will be impossible for an attacker to take down your site immediately.
Due to the convenience and ease of use of ASP, more and more website back-end programs use the ASP scripting language. However, because ASP itself has some security weaknesses, hackers may take advantage of them if you are not careful. In fact, security is not only a matter for network administrators: programmers must also pay attention to certain security details and develop good security habits, otherwise they will bring huge security risks to their websites. At present, most ASP programs on websites have security holes of one kind or another, but if you pay attention when writing programs, they can still be avoided.
1. Username and password are cracked.
Attack principle: Username and password are often what hackers are most interested in. If the source code is seen in some way, the consequences will be serious.
Prevention skills: Programs involving user names and passwords are best encapsulated on the server side and appear as little as possible in ASP files. User names and passwords involving database connections should be given the minimum permissions. Usernames and passwords that appear frequently can be written in a hidden include file. If it involves connecting to the database, ideally only give it the permission to execute stored procedures. Never directly give the user permission to modify, insert, or delete records.
2. Verification bypassed
Attack principle: Most ASP programs that need verification now add a judgment statement at the top of the page, but this is not enough. Hackers may bypass the verification and enter directly.
Prevention skills: ASP pages that need to be verified can track the file name of the previous page. Only sessions transferred from the previous page can read this page.
3. Inc file leak problem
Attack principle: When the homepage with ASP is being produced and has not been finalized before debugging, it can be automatically added as a search object by some search engines. If someone uses a search engine to search for these web pages at this time, they will get the location of the relevant files, and can view the details of the database location and structure in the browser, thereby revealing the complete source code.
Prevention tips: Programmers should thoroughly debug web pages before publishing them; security experts need to harden ASP files so that outside users cannot see them. First, encrypt the content of the .inc file. Secondly, you can also use the .asp file instead of the .inc file so that users cannot directly view the source code of the file from the browser. The file name of the inc file should not use the system default or a name with special meaning that is easy for users to guess. Try to use irregular English letters.
4. Automatic backup download
Attack principle: Some tools for editing ASP programs automatically create a backup file when an ASP file is created or modified. For example, UltraEdit backs up to a .bak file: if you create or modify some.asp, the editor automatically generates a file called some.asp.bak. If you do not delete this bak file, an attacker can directly download some.asp.bak and so obtain the source program of some.asp.
Prevention tips: Check your program carefully before uploading it and delete unnecessary documents. Be especially careful with files with the BAK suffix.
5. Special character attack
Attack principle: The input box is a target for hackers. They can cause damage to other users' clients by entering script code; if the input box is used in a data query, they will use special query statements to obtain more database data, or even the entire table. Therefore, input box content must be filtered. However, if the input validity check is performed only on the client in order to improve efficiency, it can still be bypassed.
Prevention skills: In ASP programs that handle input boxes, such as message boards and BBS, it is best to block HTML, JavaScript, and VBScript statements. If there are no special requirements, you can limit the input to letters and numbers only and block special characters. At the same time, limit the length of the input. And the input validity check must not be performed only on the client side: the same checks must be performed in the server-side program.
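As an added illustration of the server-side check this section calls for (this is Python written for this page, not code from the original article; the field policy, length limit and sample inputs are constructed), the first function accepts only letters and digits within a length limit, and the second escapes markup for free-text fields where HTML cannot simply be refused:

```python
import html
import re

# Constructed policy for a form field: ASCII letters and digits only, at most MAX_LEN
# characters. Both values are assumptions chosen for this example.
ALLOWED = re.compile(r"^[A-Za-z0-9]+$")
MAX_LEN = 32


def validate_field(value, max_len=MAX_LEN):
    """Server-side check: True only if value is non-empty, within the length
    limit and made of letters/digits only. It runs on every request regardless
    of any client-side check, which a copied form page can simply omit."""
    if value is None or len(value) == 0 or len(value) > max_len:
        return False
    return ALLOWED.fullmatch(value) is not None


def render_message(text):
    """For free-text fields (message boards) where markup cannot be refused
    outright, neutralise it by escaping before it reaches another user's browser."""
    return html.escape(text, quote=True)


if __name__ == "__main__":
    # Constructed samples: a valid name, an over-long value, script text, a query fragment.
    for sample in ["alice42", "a" * 40, "<script>alert(1)</script>", "bob'; DROP TABLE users--"]:
        print(repr(sample), validate_field(sample))
    print(render_message("<b>hi</b>"))
```

The allow-list regex is the point: rejecting everything that is not explicitly permitted is easier to get right than enumerating the characters an attacker might use.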
6. Database download vulnerability
Attack principle: When Access is used as the back-end database, if someone learns or guesses the path and name of the server's Access database by any means, he can download the Access database file directly, which is very dangerous.
Prevention tips:
(1) Give your database file a complex and unconventional name, and place it several directories deep. "Unconventional" means, for example, that if a database holds information about books, you should not name it "book.mdb" but give it a strange name such as d34ksfslf.mdb, and put it in a nested directory such as ./kdslf/i44/studi/, so that it becomes much harder for hackers to obtain your Access database file by guessing.
(2) Do not write the database name in the program. Some people like to write DSN in the program, for example:
DBPath = Server.MapPath("cmddb.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
If someone gets the source program, the name of your Access database will be visible at a glance. Therefore, it is recommended that you set the data source in ODBC, and then write this in the program:
conn.open "shujiyuan"
(3) Use Access to encode and encrypt the database file. First, select the database (for example employee.mdb) in "Tools → Security → Encrypt/Decrypt Database" and click OK. The "Database Encrypted Save As" window then appears; you can save it as, for example, "employee1.mdb".
It should be noted that the above action does not set a password for the database, but only encodes the database file. The purpose is to prevent others from using other tools to view the contents of the database file.
Next, we encrypt the database. First, open the encoded employee1.mdb. When opening, select the "exclusive" mode. Then select "Tools → Security → Set Database Password" from the menu, and then enter the password. In this way, even if someone else gets the employee1.mdb file, they will not be able to see the contents of employee1.mdb without the password.
7. Prevent remote injection attacks.
This kind of attack has been a relatively common method, for example the POST attack: the attacker can change the submitted data values at will to achieve his goal. Another example is COOKIES forgery, which deserves even more attention from programmers and webmasters. Do not use COOKIES as a method of user authentication; otherwise, you are handing the key to a thief.
For example:
If trim(Request.Cookies("uname")) = "fqy" and Request.Cookies("upwd") = "fqy#e3i5.com" then
    ' ... more ...
End if
I think all webmasters and friends who like to write programs must not make this kind of mistake; it is really unforgivable. COOKIES have been forged for many years; if you still rely on them, you cannot blame others for stealing your password. Where user passwords or user login are involved, you had better use session, which is the most secure. If you want to use COOKIES, add one more piece of information to them: the SessionID. Its value is random and 64 bits long, and guessing it is impossible. Example:
' sessionID holds the per-user random session identifier described above
if not (rs.BOF or rs.eof) then
    login = "true"
    Session("username" & sessionID) = Username
    Session("password" & sessionID) = Password
    'Response.cookies("username") = Username
    'Response.cookies("Password") = Password
end if
Let's talk about how to prevent remote injection attacks. The general attack is to save the form submission page to a local machine, keep its Form ACTION="chk.asp" pointing at your server for processing, and submit the data from there. If all your data filtering is on the form page itself, then congratulations, you have been hit by a script attack.
How can you prevent such remote attacks? It is easy to handle. Please see the following code: Program body (9)
<%
server_v1 = Cstr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = Cstr(Request.ServerVariables("SERVER_NAME"))
' compare the host part of the Referer (after the 7 characters of "http://") with this server's name
if mid(server_v1, 8, len(server_v2)) <> server_v2 then
    response.write "<br><br><center>"
    response.write "The path you submitted is wrong. Submitting data from outside the site is prohibited. Please do not change the parameters!"
    response.write "</center>"
    response.end
end if
%>
<%
' Personally, I feel that the above code filtering is not very good. Some external submissions can still come in openly, so I wrote another one.
' This filtering effect is very good; it is recommended to use.
' HTTP_HOST is the Host header sent by the client (SERVER_NAME is an alternative).
if instr(request.servervariables("HTTP_REFERER"), "http://" & request.servervariables("HTTP_HOST")) < 1 then
    response.write "An error occurred on the server when processing the URL. " & _
        "If you are attacking the server by any means, then you should be lucky that all your operations " & _
        "have been recorded by the server. We will notify the Public Security Bureau and National Security Department " & _
        "as soon as possible to investigate your IP."
    response.end
end if
%>
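The two Referer checks above are rendered in Python here as an added example (not the article's code, and not part of any ASP runtime). `naive_prefix_check` mirrors the mid(...,8,...) comparison of program body (9), `naive_substring_check` mirrors the instr version, and `referer_is_same_site` parses the URL and compares the host exactly, so https referers, look-alike host names and a host name embedded in a query string are handled correctly. The host name and referer strings are constructed samples. The header is supplied by the client and can be rewritten, as the author himself notes further on, so this remains a nuisance check and the real filtering belongs in chk.asp:

```python
from urllib.parse import urlsplit


def naive_prefix_check(referer, host):
    """Python rendition of program body (9): compare len(host) characters
    starting right after "http://" (VBScript mid(s, 8, n) is 1-indexed)."""
    return referer[7:7 + len(host)] == host


def naive_substring_check(referer, host):
    """Rendition of the instr version: pass if "http://" + host appears anywhere."""
    return ("http://" + host) in referer


def referer_is_same_site(referer, expected_host):
    """Parse the Referer as a URL and require an exact, case-insensitive host match.
    Browsers may omit the header, so an empty value is treated as off-site."""
    if not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return (parts.hostname or "").lower() == expected_host.lower()


if __name__ == "__main__":
    # Constructed samples: this server's name and four Referer values.
    host = "www.example.test"
    samples = [
        "http://www.example.test/form.asp",          # genuine, plain http
        "https://www.example.test/form.asp",         # genuine, https
        "http://www.example.test.evil.test/form.asp",   # look-alike host
        "http://evil.test/?next=http://www.example.test/",  # host name in the query string
    ]
    for ref in samples:
        print(ref, naive_prefix_check(ref, host), naive_substring_check(ref, host),
              referer_is_same_site(ref, host))
```

The fixed-offset and substring comparisons each accept one of the constructed off-site values and the prefix check also rejects the genuine https submission; the parsed comparison gets all four right.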
With program body (9) I thought that everything would be fine, and added some restrictions on the form page, such as maxlength and so on. But God is so unkind: the more you fear something, the more likely it is to happen. Don't forget, the attacker can break through the length limit of the input box during SQL injection attacks. Write a SOCKET program to change HTTP_REFERER? I won't. But such an article was published online:
------------len.reg-----------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Extensions]
@="C:\\Documents and Settings\\Administrator\\Desktop\\len.htm"
"contexts"=dword:00000004
----------end---------------------
----------len.htm------------------
----------end----------------------
Usage: first import len.reg into the registry (note the file path), then copy len.htm to the place specified in the registry. Open the web page, place the cursor in the input box whose length is to be changed, and right-click; if you see an option called Extensions, click it. Done! Postscript: the same trick works against scripts that restrict the input content.
So our limits are bypassed and all our efforts wasted? No; pick up your keyboard and say no. Let's go back to the filtering of script characters. The injection they perform is nothing more than a script attack, so let's put all our energy into the page after ACTION: in chk.asp we filter out every illegal character. What is the result? The check in front was only a feint that sent them off to change the registry; only when they have finished will they realize that what they did was in vain.
8. ASP Trojan horses
We have talked about the ASP Trojan horse here, and I would like to remind all forum webmasters to be careful with file uploads. Why is the host also taken over by attackers after the forum program is broken? The reason is... right! An ASP Trojan! An absolute abomination. A virus? No. Just put the file into your forum's program and it can be called up whenever wanted. It would be strange not to vomit blood. How can we prevent ASP Trojans from being uploaded to the server? The method is very simple. If your forum supports file upload, set the file formats that may be uploaded. I do not agree with making the allowed file formats changeable; lock them directly in the program. Allow only image formats and compressed files, and nothing else. Yes, leaving more convenience for yourself also leaves more convenience for attackers. How to determine the format? I have collected one here and modified it; take a look:
Program body (10)
' Judge whether the file extension is allowed
Private Function CheckFileExt(fileEXT)
    dim Forumupload, i
    Forumupload = "gif,jpg,bmp,jpeg"
    Forumupload = split(Forumupload, ",")
    CheckFileExt = false
    for i = 0 to ubound(Forumupload)
        if lcase(fileEXT) = lcase(trim(Forumupload(i))) then
            CheckFileExt = true
            exit Function
        end if
    next
End Function
' Verify the legality of the file content
' sFile holds the full path of the saved upload (Upl.Path & sFileSave in the original upload component)
set MyFile = server.CreateObject("Scripting.FileSystemObject")
set MyText = MyFile.OpenTextFile(sFile, 1)    ' read the uploaded file as text
sTextAll = lcase(MyText.ReadAll): MyText.close
' Dangerous operations to look for in user files; the first element is the number of entries
sStr = "8 .getfolder .createfolder .deletefolder .createdirectory .deletedirectory"
sStr = sStr & " .saveas wscript.shell script.encode"
sNoString = split(sStr, " ")
for i = 1 to sNoString(0)
    if instr(sTextAll, sNoString(i)) <> 0 then
        MyFile.DeleteFile sFile    ' remove the offending upload
        Response.write "<center><br><big>" & sFileSave & " The file contains commands related to operating directories, etc." & _
            "<br><font color=red>" & mid(sNoString(i), 2) & "</font>, for security reasons, <b>cannot be uploaded.</b>" & _
            "</big></center></html>"
        Response.end
    end if
next
Add them to your upload program for verification, and the security of your upload program will be greatly improved.
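The extension allow-list and the content scan of program body (10) are rendered in Python below as an added example (not the forum's or the article's code). It keeps the page's allow-list and token list, and goes one step beyond the page by also checking that the first bytes of the file match the declared image type, since a text blacklist alone is easy to get past; the magic-number table, file names and file contents are constructed assumptions for this example.

```python
from pathlib import PurePosixPath

# Allow-list from the article's CheckFileExt (images only).
ALLOWED_EXT = {"gif", "jpg", "bmp", "jpeg"}

# Tokens the article's content scan looks for (the leading "8" count element dropped).
DANGEROUS_TOKENS = (".getfolder", ".createfolder", ".deletefolder", ".createdirectory",
                    ".deletedirectory", ".saveas", "wscript.shell", "script.encode")

# Added hardening (assumption, not on the page): leading bytes expected for each allowed type.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "bmp": (b"BM",),
}


def _extension(filename):
    """Final extension, lower-cased, without the dot; '' if there is none.
    Backslashes are normalised so a Windows-style name is handled the same way."""
    return PurePosixPath(filename.replace("\\", "/")).suffix.lstrip(".").lower()


def check_file_ext(filename):
    """Python rendition of CheckFileExt: the final extension must be on the allow-list."""
    return _extension(filename) in ALLOWED_EXT


def find_dangerous_token(content):
    """Rendition of the article's scan: first blacklisted token found in the
    lower-cased file text, or None. A blacklist is a supplementary check only."""
    text = content.decode("latin-1").lower()
    for token in DANGEROUS_TOKENS:
        if token in text:
            return token
    return None


def matches_declared_type(filename, content):
    """Added check: the file must start with a magic number of its declared type."""
    return any(content.startswith(m) for m in MAGIC.get(_extension(filename), ()))


def accept_upload(filename, content):
    """Run the three checks in order; return (accepted, reason)."""
    if not check_file_ext(filename):
        return False, "extension not allowed"
    if not matches_declared_type(filename, content):
        return False, "content does not match declared image type"
    token = find_dangerous_token(content)
    if token is not None:
        return False, "contains " + token
    return True, "ok"


# Constructed samples: a minimal GIF header, a script fragment, and a GIF header with script text appended.
SAMPLE_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"
SAMPLE_SCRIPT = b'<% Set o = CreateObject("WScript.Shell") %>'
SAMPLE_MIXED = SAMPLE_GIF + SAMPLE_SCRIPT

if __name__ == "__main__":
    for name, data in [("cat.gif", SAMPLE_GIF), ("cat.asp", SAMPLE_GIF),
                       ("cat.gif", SAMPLE_SCRIPT), ("cat.gif", SAMPLE_MIXED)]:
        print(name, accept_upload(name, data))
```

Ordering matters: the cheap name and header checks run first, and the token scan is kept for the case the page is concerned with, a file that satisfies the extension rule but still carries script text.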
What? Still worried? Bring out your trump card and ask your web hosting service provider to help. Log in to the server and rename or delete the "shell.application" and "shell.application.1" ProgIDs, then rename or delete both "WSCRIPT.SHELL" and "WSCRIPT.SHELL.1". Haha, I can boldly say that probably more than half of the virtual hosts in China have not changed them. I can only be glad that your users are very cooperative; otherwise... delete, delete, delete, delete...