How to better prevent hacker attacks? I would like to give my personal opinion. First, do not use free programs exactly as they are distributed: because their original source code is shared, attackers can analyze it too. If you pay attention to the details, the security of your site will be greatly improved, and even if a vulnerability such as SQL injection does occur, it will be impossible for an attacker to take down your site immediately.
Because ASP is convenient and easy to use, more and more website back-end programs are written in the ASP scripting language. However, ASP itself has some security weaknesses, and hackers may take advantage of them if you are not careful. In fact, security is not only the network administrator's concern: programmers must also pay attention to certain security details and develop good security habits, otherwise they bring huge security risks to their websites. At present most ASP programs on websites have security holes of one kind or another, but if you pay attention when writing programs they can still be avoided.
1. Username and password cracking
Attack principle: Usernames and passwords are often what hackers are most interested in. If the source code can be seen in some way, the consequences are serious.
Prevention tips: Code involving usernames and passwords is best encapsulated on the server side and should appear as little as possible in ASP files. The username and password used for the database connection should be given the minimum permissions. Usernames and passwords that appear frequently can be written in a hidden include file. For a database connection, ideally grant only the permission to execute stored procedures; never directly give the user permission to modify, insert, or delete records.
2. Authentication bypass
Attack principle: Most ASP programs that require authentication just add a check at the top of the page, but this is not enough. Hackers may bypass the check and enter the page directly.
Prevention tips: ASP pages that require authentication can track the file name of the previous page; only a session that arrived from the previous page is allowed to read this page.
3. .inc file disclosure
Attack principle: While an ASP home page is being built and has not yet been debugged, some search engines may automatically add it as a search object. If someone searches for these pages at that time, they obtain the location of the relevant files and can view the details of the database location and structure in the browser, which reveals the complete source code.
Prevention tips: Programmers should thoroughly debug web pages before publishing them, and security experts need to harden ASP files so that outside users cannot see them. First, encrypt the content of the .inc file. Second, you can use a .asp file instead of a .inc file so that users cannot view the file's source code directly from the browser. The inc file name should not be the system default or a name with special meaning that is easy for users to guess; try to use irregular English letters.
4. Automatic backups get downloaded
Attack principle: Some tools for editing ASP programs automatically create a backup file when an ASP file is created or modified. For example, UltraEdit backs up to a .bak file: if you create or modify some.asp, the editor automatically generates a file called some.asp.bak. If you do not delete this .bak file, an attacker can download some.asp.bak directly, and with it the source of some.asp.
Prevention tips: Check your program carefully before uploading it and delete unnecessary files. Be especially careful with files that have the .bak suffix.
5. Special characters
Attack principle: Input boxes are a target for hackers. By entering script they can damage the user's client; if the input box feeds a data query, they use crafted query statements to obtain more database data, even all of the tables. Therefore input boxes must be filtered. However, if the input validity check is performed only on the client in order to improve efficiency, it may still be bypassed.
Prevention tips: In ASP programs that handle input boxes, such as message boards and BBS, it is best to block HTML, JavaScript, and VBScript statements. If there are no special requirements, you can restrict input to letters and numbers only and block special characters, and at the same time limit the length of the input. The validity check must not be performed only on the client side; the same checks must be performed in the server-side program.
6. Database download vulnerability
Attack principle: When Access is used as the back-end database, if someone learns or guesses the path and file name of the server's Access database by some means, he can download the Access database file, which is very dangerous.
Prevention tips:
(1) Give your database file a complex, unconventional name and place it several directories deep. Unconventional means, for example, that a database holding information about books should not be called book.mdb but something odd such as d34ksfslf.mdb, placed in a directory such as ./kdslf/i44/studi/, which makes it much more difficult for hackers to obtain your Access database file by guessing.
(2) Do not write the database name in the program. Some people like to write the DSN in the program, such as:
DBPath = Server.MapPath("cmddb.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)}; dbq=" & DBPath
If someone gets the source program, the name of your Access database is visible at a glance. Therefore it is recommended that you set up the data source in ODBC and write this in the program instead:
conn.Open "shujiyuan"   ' "shujiyuan" is the name of the ODBC data source (DSN)
(3) Use Access to encode and encrypt database files. First select the database (for example employee.mdb) under Tools → Security → Encrypt/Decrypt Database and click OK. A window then appears to save the encrypted database; you can save it as employee1.mdb.
Note that this does not set a password on the database; it only encodes the database file, so that others cannot view its contents with other tools.
Next we encrypt the database. First open the encoded employee1.mdb, choosing exclusive mode when opening. Then select Tools → Security → Set Database Password from the menu and enter the password. Now even if someone gets the employee1.mdb file, they cannot see its contents without the password.
7. Preventing remote injection attacks
This type of attack used to be a fairly common method, for example POST attacks, where the attacker changes the submitted data values at will to achieve his goal. Another example is cookie forgery, which deserves even more attention from programmers and webmasters: do not use cookies as the means of user authentication, otherwise you are handing the thief your key.
For example:
If Trim(Request.Cookies("uname")) = "fqy" And Request.Cookies("upwd") = "fqy#e3i5.com" Then
    '……..more…………
End If
I think webmasters and friends who like to write programs must not make this kind of mistake; it is really unforgivable. Cookie forgery has been around for many years, and if you still use cookies this way you cannot blame others for stealing your passwords. Where user passwords or user login are involved, you had better use Session, which is the most secure. If you want to use cookies, add one more piece of information to them: the SessionID. Its random value is 64 bits, and guessing it is impossible. Example:
sessionID = Session.SessionID   ' the SessionID that is appended to the key (assumed; the listing does not show where it comes from)
If Not (rs.BOF Or rs.EOF) Then
    login = True
    Session("username" & sessionID) = Username
    Session("passWord" & sessionID) = Password
    'Response.Cookies("username") = Username
    'Response.Cookies("Password") = Password
End If
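The Session-based login above, combined with the previous-page tracking from section 2, as an added example that is not part of the original article. conn (an open ADODB.Connection), sp_CheckUser, admin.asp and chkuser.asp are assumed names.

```vbscript
<%
' login.asp: added example, not the article's own code. The credentials are
' checked through a stored procedure (as section 1 recommends) and the result
' is recorded only in Session state; nothing about the password goes into a cookie.
' Assumptions: conn is an open ADODB.Connection and sp_CheckUser is a
' placeholder for your own stored procedure that returns a row on success.
Dim userName, passWord, cmd, rs
userName = Trim(Request.Form("username"))
passWord = Request.Form("password")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "sp_CheckUser"
cmd.CommandType = 4   ' adCmdStoredProc: input travels as parameters, never spliced into SQL text
cmd.Parameters.Append cmd.CreateParameter("@u", 200, 1, 50, userName)   ' 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("@p", 200, 1, 50, passWord)
Set rs = cmd.Execute

If Not (rs.BOF Or rs.EOF) Then
    ' Key the entries by the SessionID, as the article suggests.
    Session("login" & Session.SessionID) = True
    Session("username" & Session.SessionID) = userName
    Session("fromPage") = "login.asp"   ' section 2: remember which page the visitor came from
    Response.Redirect "admin.asp"
Else
    Response.Redirect "login.asp?err=1"
End If
%>

<%
' chkuser.asp: placed in a server-side include at the very top of every
' protected page, so it runs before any of the page's own output.
' A session that did not pass through login.asp is sent back there.
If Session("login" & Session.SessionID) <> True Or Session("fromPage") <> "login.asp" Then
    Response.Redirect "login.asp"
    Response.End
End If
%>
```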
Let's talk about how to prevent remote injection attacks. A common attack is to save the form submission page locally and point the form's ACTION=chk.asp at the file on your server that processes the data. If all your data filtering is on the form page, congratulations, you will be attacked by the script.
How can we stop such a remote attack? It is easy to do; please see the code below: Program body (9)
<%
server_v1 = CStr(Request.ServerVariables("HTTP_REFERER"))
server_v2 = CStr(Request.ServerVariables("SERVER_NAME"))
' position 8 is where the host name starts after "http://"
if mid(server_v1, 8, len(server_v2)) <> server_v2 then
    response.write "<br><br><center>"
    ' (two further response.write lines of page markup are missing from the listing)
    response.write "The path you submitted is wrong. It is forbidden to submit data from outside the site. Please do not change the parameters randomly!"
    response.end
end if
%>
' Personally, I feel that the filtering in the code above is not very good: some external submissions can still come in openly, so I wrote another one.
' This has a very good filtering effect and is recommended.
if instr(request.servervariables("http_referer"), "http://" & request.servervariables("host")) < 1 then
    response.write "An error occurred on the server while processing the URL. " & _
        "If you are using any means to attack the server, you should be lucky that all your operations have been recorded by the server. " & _
        "We will notify the Public Security Bureau and the National Security Department as soon as possible to investigate your IP."
    response.end
end if
Program body (9)
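Both checks above look at the Referer at a fixed offset or as a substring. The following added example (not from the article) cuts the host out of the Referer URL and compares it exactly with SERVER_NAME; RefererHostOk is an assumed name.

```vbscript
<%
' Added example, not the article's code. The host is extracted from the
' Referer URL and compared exactly with SERVER_NAME, so an https:// Referer
' (one character longer than http://) and a port suffix are handled, and a
' URL that merely contains the site's name somewhere no longer passes.
Function RefererHostOk(referer, serverHost)
    Dim rest, hostPart, i, c, stopAt
    RefererHostOk = False
    referer = LCase(Trim(referer & ""))
    serverHost = LCase(Trim(serverHost & ""))
    If referer = "" Or serverHost = "" Then Exit Function
    ' Strip the scheme; anything other than http or https is rejected.
    If Left(referer, 7) = "http://" Then
        rest = Mid(referer, 8)
    ElseIf Left(referer, 8) = "https://" Then
        rest = Mid(referer, 9)
    Else
        Exit Function
    End If
    ' The authority part ends at the first "/", "?" or "#".
    stopAt = Len(rest) + 1
    For i = 1 To Len(rest)
        c = Mid(rest, i, 1)
        If c = "/" Or c = "?" Or c = "#" Then
            stopAt = i
            Exit For
        End If
    Next
    hostPart = Left(rest, stopAt - 1)
    ' Drop userinfo ("user@host") and a port ("host:8080") before comparing.
    If InStr(hostPart, "@") > 0 Then hostPart = Mid(hostPart, InStrRev(hostPart, "@") + 1)
    If InStr(hostPart, ":") > 0 Then hostPart = Left(hostPart, InStr(hostPart, ":") - 1)
    RefererHostOk = (hostPart = serverHost)
End Function

' Usage at the top of chk.asp, the page that processes the submitted data.
If Not RefererHostOk(Request.ServerVariables("HTTP_REFERER"), Request.ServerVariables("SERVER_NAME")) Then
    Response.Write "It is forbidden to submit data from outside the site."
    Response.End
End If
%>
```

An empty Referer is rejected just as in the article's version, and the article's own point below still holds: a forged Referer passes any such check, so the filtering in chk.asp remains the real defence.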
I thought everything would be fine this way, so I added some restrictions on the form page, such as maxlength and so on... But God is unkind: the more you fear something, the more it happens. Don't forget that attackers can break through the input-box length limit during a SQL injection attack. Write a SOCKET program to change HTTP_REFERER? I won't. An article like this was published online:
----------len.reg-----------------
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\extension]
@="C:\\Documents and Settings\\Administrator\\Desktop\\len.htm"
"contexts"=dword:00000004
----------end---------------------
----------len.htm------------------
----------end----------------------
Usage: First import len.reg into the registry (note the file path).
Then copy len.htm to the location specified in the registry.
Open the web page, place the cursor in the input box whose length you want to change, and right-click. You will see an option called extension.
Click it and it is done! Postscript: scripts that restrict the input content can be handled the same way.
What to do? Are our restrictions broken and all our efforts wasted? No, raise your keyboard and say no. Let's go back to filtering script characters: the injection they perform is nothing more than a script attack, so let's put all our energy into the pages after ACTION. In the chk.asp page we filter out all illegal characters. What is the result? The form page was only a feint that made them change the registry; only when they finish the changes will they realize it was all in vain.
8. ASP Trojans
Having said this, I would like to remind all forum webmasters to be careful with file uploads. Why is the host also taken over by attackers after the forum program is breached? The reason is... right! ASP Trojans! An absolute abomination. A virus? No. Just put this file into your forum program and it can be found whenever needed; it would be strange not to vomit blood. How can we prevent ASP Trojans from being uploaded to the server? The method is simple: if your forum supports file uploads, fix the file formats that may be uploaded. I do not agree with configurable file formats; lock them directly in the program. Image formats and compressed files are entirely sufficient. Yes, leaving more convenience for yourself also leaves more convenience for attackers. How to determine the format? I collected one here and modified it; take a look:
Program body (10)
' Determine whether the file type is allowed
Private Function CheckFileExt(fileEXT)
    Dim Forumupload, i
    Forumupload = "gif,jpg,bmp,jpeg"
    Forumupload = Split(Forumupload, ",")
    For i = 0 To UBound(Forumupload)
        If LCase(fileEXT) = LCase(Trim(Forumupload(i))) Then
            CheckFileExt = True
            Exit Function
        Else
            CheckFileExt = False
        End If
    Next
End Function

' Verify the legality of the file content
' sFile is the full path of the uploaded file and sFileSave its saved name;
' both are supplied by the forum's upload component (Upl).
Set MyFile = Server.CreateObject("Scripting.FileSystemObject")
Set MyText = MyFile.OpenTextFile(sFile, 1) ' Read the text file
sTextAll = LCase(MyText.ReadAll): MyText.Close
' Look for dangerous operations in the user's file
' The leading "8" is the number of keywords that follow it
sStr = "8 .getfolder .createfolder .deletefolder .createdirectory .deletedirectory"
sStr = sStr & " .saveas wscript.shell script.encode"
sNoString = Split(sStr, " ")
For i = 1 To sNoString(0)
    If InStr(sTextAll, sNoString(i)) <> 0 Then
        sFile = Upl.Path & sFileSave: MyFile.DeleteFile sFile
        ' Mid(..., 2) drops the first character (the leading dot) of the keyword for display
        Response.Write "<center><br><big>" & sFileSave & " The file contains commands related to operating directories, etc." & _
            "<br><font color=red>" & Mid(sNoString(i), 2) & "</font>, for security reasons, <b>cannot be uploaded.</b>" & _
            "</big></center></html>"
        Response.End
    End If
Next
Add them to your upload program for verification and the security of your upload program will be greatly improved.
What? Still worried? Bring out your trump card and ask your web hosting provider to help: log in to the server and rename or delete the Shell.Application and Shell.Application.1 ProgID entries, then rename or delete WScript.Shell and WScript.Shell.1 as well. Haha, I can boldly say that probably more than half of the virtual hosts in China have not changed these. I can only be glad that your users are very cooperative, otherwise... I delete, I delete, I delete, delete, delete...
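As an added example (not the article's code) that extends the whitelist above: the extension is taken from the file name the browser sent, checked against a fixed list, and the file is stored under a server-chosen name so nothing from the client's name reaches the disk. SafeUploadName and sFileName (the name reported by the upload component) are assumed names.

```vbscript
<%
' Added example, not the article's code. The extension is taken from the
' file name the browser sent and checked against a fixed whitelist, and the
' file is stored under a server-chosen name, so nothing the client supplied
' decides the name or extension of what ends up on disk.
' Assumed names: SafeUploadName, sFileName (name reported by the upload component).
Function SafeUploadName(clientFileName)
    Dim allowed, name, dotPos, ext, i, ok
    allowed = Array("gif", "jpg", "jpeg", "bmp", "zip", "rar")
    SafeUploadName = ""   ' an empty string means the upload is rejected
    ' Keep only the last path component; some browsers send a full path.
    name = clientFileName & ""
    If InStrRev(name, "\") > 0 Then name = Mid(name, InStrRev(name, "\") + 1)
    If InStrRev(name, "/") > 0 Then name = Mid(name, InStrRev(name, "/") + 1)
    ' The extension is everything after the last dot, lower-cased.
    dotPos = InStrRev(name, ".")
    If dotPos = 0 Or dotPos = Len(name) Then Exit Function
    ext = LCase(Mid(name, dotPos + 1))
    ok = False
    For i = 0 To UBound(allowed)
        If ext = allowed(i) Then ok = True
    Next
    If Not ok Then Exit Function
    ' Server-generated name: date, a random number and the whitelisted
    ' extension. The client's own name is not reused at all.
    Randomize
    SafeUploadName = Year(Now) & Right("0" & Month(Now), 2) & Right("0" & Day(Now), 2) & _
                     "_" & Int(Rnd * 1000000) & "." & ext
End Function

Dim saveAs
saveAs = SafeUploadName(sFileName)
If saveAs = "" Then
    Response.Write "This file type cannot be uploaded."
    Response.End
End If
' Pass saveAs, not sFileName, to your upload component's save method.
%>
```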