Partager via


Active Server Pages Security (Windows Embedded CE 6.0)

1/6/2010

ASP has potential security risks because it supports the transfer of data over network.

Security Best Practices

Ee499830.collapse(en-US,WinEmbedded.60).gifNever trust user input to be of an appropriate size or contain appropriate characters

Always verify user input before using it to make decisions. The best option is to create a COM component, which you can call from an ASP page to verify user input.

Ee499830.collapse(en-US,WinEmbedded.60).gifDo not create database connection strings in an ASP page by concatenating strings of user input together

A malicious attacker can inject code into their input to gain access to your database. If you are using a SQL database, use stored procedures for creating database connection strings.

Ee499830.collapse(en-US,WinEmbedded.60).gifDo not use the default SQL administrator account name, sa

Everyone who uses SQL knows that the sa account exists. Create a different SQL administrative account with a strong password and delete the sa account.

Ee499830.collapse(en-US,WinEmbedded.60).gifUse caution when handling user passwords and administrative account names and passwords

Before you store client user passwords, try to hash, encrypt, or obfuscate them in some way. Do not put administrative account names or passwords in administration scripts or ASP pages.

Ee499830.collapse(en-US,WinEmbedded.60).gifBe cautious when using data from request headers

Because header data can be fabricated by a malicious user, do not make decisions in your code based on request headers. Before using request data, always validate the source.

Ee499830.collapse(en-US,WinEmbedded.60).gifBe cautious when using cookies or hidden input fields

Do not store secure data in cookies or hidden input fields in your Web pages.

Ee499830.collapse(en-US,WinEmbedded.60).gifUse SSL to protect sensitive data to prevent hackers from eavesdropping on your network connections

SSL allows Web servers and Web clients to communicate through the use of encryption. When SSL is not used, data sent between the client and server is open to packet sniffing by anyone with physical access to the network. For more information, see Configuring a Web Server to use SSL.

Ee499830.collapse(en-US,WinEmbedded.60).gifUse caution when writing ISAPI applications, filters, and COM objects

When writing ISAPI applications, filters, or COM objects, watch for buffer over-runs caused by assuming sizes of variables and data. Also, watch for canonicalization issues that can be caused by interpreting data like absolute path names or URLs as relative path names or URLs.

See Also

Other Resources

Active Server Pages