Building a website: tips for protecting an ASP site against hackers
Source: original to this site

How can a site better defend itself against hacker attacks? Here is my personal view. First, free programs are not really free: if you can share the source code, an attacker can analyse that code just as easily. If you pay attention to defence in the details, the security of your site rises considerably; even if a flaw such as SQL injection turns up, the attacker still cannot take over your site immediately. Because ASP is convenient and easy to use, more and more website back-end programs are written in the ASP scripting language. However, ASP itself has a number of security weaknesses, and a moment's carelessness can hand a hacker an opening to exploit. In fact, security is not only the network administrator's job: programmers must also pay attention to certain security details and cultivate good security habits, otherwise they leave their own website with serious hidden security risks. At present the ASP programs on most websites have one security flaw or another, but with a little care when writing the program they can still be avoided.

1. User names and passwords being cracked

Attack principle: user names and passwords are usually what hackers are most interested in; if they manage to see the source code by some means, the consequences are serious.

Defence tip: code involving user names and passwords is best encapsulated on the server side and should appear in ASP files as little as possible, and the user name and password used for the database connection should be given the least privileges. A user name and password that appear many times can be written in an include file placed in a fairly well-hidden location. For the database connection, ideally give the account only the right to execute stored procedures; never grant that user the right to modify, insert or delete records directly.

2. Validation being bypassed

Attack principle: most ASP programs that require validation today just add a conditional statement at the top of the page, but this is not enough; a hacker may be able to bypass the validation and enter directly.

Defence tip: for ASP pages that require validation, track the file name of the previous page, so that only a session that arrived from that page can read this one.

3. The inc file disclosure problem

Attack principle: while an ASP home page is still being built and has not been through final debugging, some search engines may automatically add it as a search target. If someone then uses a search engine to look for these pages, they can obtain the location of the relevant files, view details of the database location and structure in the browser, and thereby expose the complete source code.

Defence tip: programmers should debug a page thoroughly before it is published, and security staff need to harden the ASP files so that outside users cannot see them. First, encrypt the contents of .inc files; second, use .asp files instead of .inc files so that users cannot view the file's source code directly from the browser. Do not give inc files the system default names or names with a special meaning that users can guess easily; use random English letters as far as possible.
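As an added example (not code from the original article), here is one way to put the three tips together in classic ASP/VBScript: the connection string lives in an include renamed from .inc to .asp so a direct request executes it and shows nothing, the database login only executes a stored procedure, and every protected page gates on a server-side session flag set only by the login page. The file names, the `webreader` account and the `sp_CheckLogin` stored procedure are assumptions.

```vbscript
<%
' ---- dbconn.asp (renamed from dbconn.inc): holds only a constant, so a direct
' request is executed by IIS and returns an empty page instead of the source ----
' Assumed least-privilege SQL login: it may only EXECUTE stored procedures.
Const DB_CONN = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=Site;" & _
                "User ID=webreader;Password=PLACEHOLDER_PASSWORD"
%>

<%
' ---- checkauth.asp: included at the top of every protected page ----
' The gate is server-side session state written by login.asp; it does not rely on
' the Referer header or on any value the browser can supply.
If IsEmpty(Session("UserID")) Then
    Response.Redirect "login.asp"
    Response.End
End If
%>

<%
' ---- login.asp: validates the submitted credentials through a stored procedure ----
%>
<!--#include file="dbconn.asp"-->
<%
Dim conn, cmd, rs
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open DB_CONN

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "sp_CheckLogin"   ' assumed procedure name
cmd.CommandType = 4                 ' adCmdStoredProc: input is bound, never concatenated into SQL
' CreateParameter(Name, Type, Direction, Size, Value); 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("@user", 200, 1, 50, Request.Form("user"))
cmd.Parameters.Append cmd.CreateParameter("@pass", 200, 1, 50, Request.Form("pass"))

Set rs = cmd.Execute
If Not rs.EOF Then
    Session("UserID") = rs("UserID")   ' only a successful lookup creates the session flag
    Response.Redirect "admin.asp"
Else
    Response.Write "Login failed."
End If
rs.Close
conn.Close
%>
```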
