关于ASP语言的漏洞有关问题~答者有分哦!
日期:2014-05-17 浏览次数:20898 次
关于ASP语言的漏洞问题~答者有分哦!!!!
各位兄弟~有一些问题想问一下
我们公司想做一个类似于“淘宝”的交易类网站,使用ASP语言,我就想问一下如果做ASP的话那么需要注意哪些漏洞风险问题呢?
以下是我个人知道的一点漏洞:
1。防止外部提交
这是防止外部提交的代码
'检测外部提交
ht=Request.ServerVariables( "HTTP_REFERER ")
hs=Request.ServerVariables( "SERVER_NAME ")
if mid(ht,8,len(hs)) <> hs then
response.write " <script> alert( '请不要试图以不和法的URL参数访问! ');location.href= 'http:// "&Request.ServerVariables( "SERVER_NAME ")& " '; </script> "
response.end
end if
2。防止URL注入
检测是否带有注入的参数
function filt(stri)
dim i
ale= Instr(stri, " ' ")
i=i+ale
ale= Instr(stri, " < ")
i=i+ale
ale= Instr(stri, "> ")
i=i+ale
ale= Instr(stri, " " " ")
i=i+ale
ale= Instr(stri, "’ ")
i=i+ale
ale= Instr(stri, "‘ ")
i=i+ale
ale= Instr(stri, "“ ")
i=i+ale
ale= Instr(stri, "” ")
i=i+ale
ale= Instr(stri, "$ ")
i=i+ale
ale= Instr(stri, "% ")
i=i+ale
ale= Instr(stri, "& ")
i=i+ale
ale= Instr(stri, "# ")
i=i+ale
ale= Instr(stri, "~ ")
i=i+ale
ale= Instr(stri, "` ")
i=i+ale
ale= Instr(stri, "* ")
i=i+ale
ale= Instr(stri, "( ")
i=i+ale
ale= Instr(stri, ") ")
i=i+ale
ale= Instr(stri, "+ ")
i=i+ale
ale= Instr(stri, "= ")
i=i+ale
ale= Instr(stri, "^ ")
i=i+ale
ale= Instr(stri, "! ")
i=i+ale
ale= Instr(stri, ", ")
i=i+ale
ale= Instr(stri, "{ ")
i=i+ale
ale= Instr(stri, "} ")
i=i+ale
ale= Instr(stri, "] ")
i=i+ale
ale= Instr(stri, "[ ")
i=i+ale
ale= Instr(stri, "and ")
i=i+ale
ale= Instr(stri, "insert ")
i=i+ale
ale= Instr(stri, "or ")
i=i+ale
ale= Instr(stri, "not ")
i=i+ale
ale= Instr(stri, "like ")
i=i+ale
ale= Instr(stri, "update ")
i=i+ale
ale= Instr(stri, "del ")
i=i+ale
ale= Instr(stri, "add ")
i=i+ale
ale= Instr(stri, "exec ")
i=i+ale
ale= Instr(stri, "asc ")
i=i+ale
ale= Instr(stri, "object ")
i=i+ale
ale= Instr(stri, "join ")
i=i+ale
ale= Instr(stri, "where ")
i=i+ale
ale= Instr(stri, "delete ")
i=i+ale
ale= Instr(stri, "count ")
i=i+ale
ale= Instr(stri, "char ")
i=i+ale
ale= Instr(stri, "int ")
i=i+ale
ale= Instr(stri, "exists ")
i=i+ale
ale= Instr(stri, "if ")
各位兄弟~有一些问题想问一下
我们公司想做一个类似于“淘宝”的交易类网站,使用ASP语言,我就想问一下如果做ASP的话那么需要注意哪些漏洞风险问题呢?
以下是我个人知道的一点漏洞:
1。防止外部提交
这是防止外部提交的代码
'检测外部提交
ht=Request.ServerVariables( "HTTP_REFERER ")
hs=Request.ServerVariables( "SERVER_NAME ")
if mid(ht,8,len(hs)) <> hs then
response.write " <script> alert( '请不要试图以不和法的URL参数访问! ');location.href= 'http:// "&Request.ServerVariables( "SERVER_NAME ")& " '; </script> "
response.end
end if
2。防止URL注入
检测是否带有注入的参数
function filt(stri)
dim i
ale= Instr(stri, " ' ")
i=i+ale
ale= Instr(stri, " < ")
i=i+ale
ale= Instr(stri, "> ")
i=i+ale
ale= Instr(stri, " " " ")
i=i+ale
ale= Instr(stri, "’ ")
i=i+ale
ale= Instr(stri, "‘ ")
i=i+ale
ale= Instr(stri, "“ ")
i=i+ale
ale= Instr(stri, "” ")
i=i+ale
ale= Instr(stri, "$ ")
i=i+ale
ale= Instr(stri, "% ")
i=i+ale
ale= Instr(stri, "& ")
i=i+ale
ale= Instr(stri, "# ")
i=i+ale
ale= Instr(stri, "~ ")
i=i+ale
ale= Instr(stri, "` ")
i=i+ale
ale= Instr(stri, "* ")
i=i+ale
ale= Instr(stri, "( ")
i=i+ale
ale= Instr(stri, ") ")
i=i+ale
ale= Instr(stri, "+ ")
i=i+ale
ale= Instr(stri, "= ")
i=i+ale
ale= Instr(stri, "^ ")
i=i+ale
ale= Instr(stri, "! ")
i=i+ale
ale= Instr(stri, ", ")
i=i+ale
ale= Instr(stri, "{ ")
i=i+ale
ale= Instr(stri, "} ")
i=i+ale
ale= Instr(stri, "] ")
i=i+ale
ale= Instr(stri, "[ ")
i=i+ale
ale= Instr(stri, "and ")
i=i+ale
ale= Instr(stri, "insert ")
i=i+ale
ale= Instr(stri, "or ")
i=i+ale
ale= Instr(stri, "not ")
i=i+ale
ale= Instr(stri, "like ")
i=i+ale
ale= Instr(stri, "update ")
i=i+ale
ale= Instr(stri, "del ")
i=i+ale
ale= Instr(stri, "add ")
i=i+ale
ale= Instr(stri, "exec ")
i=i+ale
ale= Instr(stri, "asc ")
i=i+ale
ale= Instr(stri, "object ")
i=i+ale
ale= Instr(stri, "join ")
i=i+ale
ale= Instr(stri, "where ")
i=i+ale
ale= Instr(stri, "delete ")
i=i+ale
ale= Instr(stri, "count ")
i=i+ale
ale= Instr(stri, "char ")
i=i+ale
ale= Instr(stri, "int ")
i=i+ale
ale= Instr(stri, "exists ")
i=i+ale
ale= Instr(stri, "if ")
免责声明: 本文仅代表作者个人观点,与爱易网无关。其原创性以及文中陈述文字和内容未经本站证实,对本文以及其中全部或者部分内容、文字的真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
