Top 10 Security Vulnerabilities in .NET Configuration Files
2010-03-07 11:16
When an ASP.NET application is deployed to a production environment, check its Web.config for the following 10 misconfigurations, each of which can introduce a security vulnerability:
1、Disabling custom errors
Vulnerable:
<configuration>
  <system.web>
    <customErrors mode="Off" />
Secure:
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
2、Leaving tracing enabled
Vulnerable:
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
Secure:
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
3、Enabling debugging
Vulnerable:
<configuration>
  <system.web>
    <compilation debug="true" />
Secure:
<configuration>
  <system.web>
    <compilation debug="false" />
4、Making cookies accessible through client-side script
Vulnerable:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
Secure:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
5、Enabling cookieless session state
Vulnerable:
<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />
Secure:
<configuration>
  <system.web>
    <sessionState cookieless="UseCookies" />
6、Enabling cookieless authentication
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseUri" />
Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms cookieless="UseCookies" />
7、Failing to require SSL for authentication cookies
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="false" />
Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms requireSSL="true" />
8、Using sliding expiration
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="true" />
Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms slidingExpiration="false" />
9、Using non-unique authentication cookies
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" />
Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name="{abcd1234…}" />
10、Using hard-coded credentials
Vulnerable:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
        <credentials>
          …
        </credentials>
      </forms>
Secure:
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms>
        …
      </forms>
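As an added example (not part of the original post), a small Python audit script that parses a Web.config and reports which of the ten settings above are in their vulnerable form; the finding names, the `audit_web_config` helper and the two constructed sample configs are assumptions of this example, and the fallback values are the documented ASP.NET defaults that apply when an attribute or element is absent (so a missing httpOnlyCookies or requireSSL is reported, since both default to false).

```python
import xml.etree.ElementTree as ET

COOKIE_ONLY = {"usecookies", "false"}  # cookieless= values that never put the ticket in the URL

# (finding, <system.web> child, attribute, ASP.NET default when absent, is-vulnerable predicate)
SIMPLE_CHECKS = [
    ("1-custom-errors-off", "customErrors", "mode", "RemoteOnly", lambda v: v == "off"),
    ("2-trace-enabled", "trace", "enabled", "false", lambda v: v == "true"),
    ("3-debug-enabled", "compilation", "debug", "false", lambda v: v == "true"),
    ("4-cookies-not-httponly", "httpCookies", "httpOnlyCookies", "false", lambda v: v != "true"),
    ("5-session-cookieless", "sessionState", "cookieless", "UseCookies", lambda v: v not in COOKIE_ONLY),
]
# Same shape for attributes of <forms>; these only matter when authentication mode="Forms".
FORMS_CHECKS = [
    ("6-forms-cookieless", "cookieless", "UseDeviceProfile", lambda v: v not in COOKIE_ONLY),
    ("7-forms-no-requiressl", "requireSSL", "false", lambda v: v != "true"),
    ("8-forms-sliding-expiration", "slidingExpiration", "true", lambda v: v == "true"),
    ("9-forms-default-cookie-name", "name", ".ASPXAUTH", lambda v: v == ".aspxauth"),
]

def _lower(elem, attr, default):  # attribute value lower-cased, or the ASP.NET default when absent
    return (elem.get(attr, default) if elem is not None else default).lower()

def audit_web_config(xml_text: str) -> list:
    """Return the misconfigurations (numbered as in the list above) present in a Web.config."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return []
    findings = [f for f, tag, attr, dflt, bad in SIMPLE_CHECKS if bad(_lower(web.find(tag), attr, dflt))]
    auth = web.find("authentication")
    if _lower(auth, "mode", "Windows") == "forms":
        forms = auth.find("forms")
        findings += [f for f, attr, dflt, bad in FORMS_CHECKS if bad(_lower(forms, attr, dflt))]
        if forms is not None and forms.find("credentials") is not None:
            findings.append("10-forms-hardcoded-credentials")  # <credentials> block = hard-coded users
    return findings

# Constructed samples: every setting in its vulnerable form, then in its secure form.
VULNERABLE_CONFIG = """<configuration><system.web>
  <customErrors mode="Off" /><trace enabled="true" localOnly="false" /><compilation debug="true" />
  <httpCookies httpOnlyCookies="false" /><sessionState cookieless="UseUri" />
  <authentication mode="Forms"><forms name=".ASPXAUTH" cookieless="UseUri" requireSSL="false"
      slidingExpiration="true"><credentials><user name="admin" password="PLACEHOLDER" /></credentials>
  </forms></authentication></system.web></configuration>"""
SECURE_CONFIG = """<configuration><system.web>
  <customErrors mode="RemoteOnly" /><trace enabled="false" localOnly="true" /><compilation debug="false" />
  <httpCookies httpOnlyCookies="true" /><sessionState cookieless="UseCookies" />
  <authentication mode="Forms"><forms name="MyAppAuth" cookieless="UseCookies" requireSSL="true"
      slidingExpiration="false" /></authentication></system.web></configuration>"""
```

Run it against a real Web.config with `audit_web_config(open("Web.config").read())`; an empty result means none of the ten settings is in its vulnerable form.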
Reference: "Top 10 security vulnerabilities in .NET configuration files"