
Top 10 Security Vulnerabilities in .NET Configuration Files

2010-03-07 11:16
When an ASP.NET application is deployed to a production environment, check Web.Config for the following 10 misconfigurations, each of which can lead to a security vulnerability:
 
1、Disabling custom errors
Vulnerable:
<configuration>
  <system.web>
    <customErrors mode="Off" />

Secure:
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
 
2、Leaving tracing enabled
Vulnerable:
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />

Secure:
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
 
3、Enabling debugging
Vulnerable:
<configuration>
  <system.web>
    <compilation debug="true" />

Secure:
<configuration>
  <system.web>
    <compilation debug="false" />
 
4、Making cookies accessible through client-side script
Vulnerable:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />

Secure:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
 
5、Enabling cookieless session state
Vulnerable:
<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />

Secure:
<configuration>
  <system.web>
    <sessionState cookieless="UseCookies" />
 
6、Enabling cookieless authentication
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseUri" />

Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" />
 
7、Failing to require SSL for authentication cookies
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="false" />

Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="true" />
 
8、Using sliding expiration
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="true" />

Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="false" />
 
9、Using non-unique authentication cookies
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" />

Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="{abcd1234…}" />
 
10、Using hard-coded credentials
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
        <credentials>

        </credentials>
      </forms>

Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
        …
      </forms>
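A small audit script for the ten settings above, added here as an example and not part of the original article. It parses a web.config with Python's xml.etree and returns the numbers of the findings present; where an attribute is absent it assumes ASP.NET's documented default value (an assumption, noted in the code), and the sample web.config is constructed to exhibit all ten findings.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the original article); exhibits all ten findings.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
    <httpCookies httpOnlyCookies="false" />
    <sessionState cookieless="UseUri" />
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" cookieless="UseUri" requireSSL="false" slidingExpiration="true">
        <credentials passwordFormat="Clear"><user name="admin" password="PLACEHOLDER" /></credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>
"""

W = "system.web/"
F = W + "authentication/forms"
# (finding number, element path, attribute, value assumed when absent, unsafe predicate); assumed values follow ASP.NET defaults.
CHECKS = [
    (1, W + "customErrors", "mode", "RemoteOnly", lambda v: v == "off"),
    (2, W + "trace", "enabled", "false", lambda v: v == "true"),
    (3, W + "compilation", "debug", "false", lambda v: v == "true"),
    (4, W + "httpCookies", "httpOnlyCookies", "false", lambda v: v == "false"),
    (5, W + "sessionState", "cookieless", "UseCookies", lambda v: v != "usecookies"),
    (6, F, "cookieless", "UseDeviceProfile", lambda v: v != "usecookies"),
    (7, F, "requireSSL", "false", lambda v: v == "false"),
    (8, F, "slidingExpiration", "true", lambda v: v == "true"),
    (9, F, "name", ".ASPXAUTH", lambda v: v == ".aspxauth"),
]

def audit_web_config(xml_text):
    """Return the finding numbers (1-10, as in the article) present in the given web.config text."""
    root = ET.fromstring(xml_text)
    findings = []
    for num, path, attr, default, unsafe in CHECKS:
        el = root.find(path)
        if el is None and path == F:  # forms checks (6-9) only apply when <forms> is configured
            continue
        value = el.get(attr) if el is not None and el.get(attr) is not None else default
        if unsafe(value.lower()):  # attribute values are case-insensitive in web.config
            findings.append(num)
    # 10: any <credentials> block means user names and passwords live in the config file itself.
    if root.find(F + "/credentials") is not None:
        findings.append(10)
    return findings
```

Running `audit_web_config(SAMPLE_WEB_CONFIG)` returns `[1, 2, 3, 4, 5, 6, 7, 8, 9, 10]`; a config that omits `<httpCookies>` still yields finding 4, because the ASP.NET default for httpOnlyCookies is false.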
 
 
Reference: "Top 10 security vulnerabilities in .NET configuration files"
 
 