.NET配置文件的10大安全漏洞

在ASP.NET应用程序在生产环境中部署时,需要检查Web.Config文件是否存在以下10个不正确的配置,可能导致安全漏洞:

 

1、Disabling custom errors      

Vulnerable:                               Secure:

<configuration>                          <configuration>

<system.web>                           <system.web>

<custom mode=”Off”>                      <customErrors mode=”RemoteOnly”>

 

2、Leaving tracing enabled

Vulnerable:                               Secure:

<configuration>                          <configuration>

<system.web>                                   <system.web>

<trace enabled=”true”                 <trace enabled=”false”

localOnly=”false”>                      localOnly=”true”>

 

3、Enabling debugging

Vulnerable:                               Secure:

<configuration>                          <configuration>

<system.web>                                   <system.web>

<compilation debug=”true”>        <compilation debug=”false”>

 

4、Making cookies accessible through client-side script

Vulnerable:                               Secure:

<configuration>                          <configuration>

<system.web>                           <system.web>

<httpCookies                              <httpCookies

httpOnlyCookies=”false”>           httpOnlyCookies=”true”>

 

5、Enabling cookieless session state

Vulnerable:                               Secure:

<configuration>                          <configuration>

<system.web>                                   <system.web>

<sessionState                              <sessionState

cookieless=”UseUri”>                 cookieless=”UseCookies”>

 

6、Enabling cookieless authentication

Vulnerable:                                      Secure:

<configuration>                                 <configuration>

<system.web>                                  <system.web>

<authentication mode=”Forms”>         <authentication mode=”Forms”>

<forms cookieless=”UseUri”>             <forms cookieless=”UseCookies”>

 

7、Failing to require SSL for authentication cookies

Vulnerable:                                      Secure:

<configuration>                                 <configuration>

<system.web>                                  <system.web>

<authentication mode=”Forms”>         <authentication mode=”Forms”>

<forms requireSSL=”false”>               <forms requireSSL=”true”>

 

8、Using sliding expiration

Vulnerable:                                      Secure:

<configuration>                                 <configuration>

<system.web>                                  <system.web>

<authentication mode=”Forms”>         <authentication mode=”Forms”>

<forms slidingExpiration=”true”>        <forms slidingExpiration=”false”>

 

9、Using non-unique authentication cookies

Vulnerable:                                      Secure:

<configuration>                                 <configuration>

<system.web>                                  <system.web>

<authentication mode=”Forms”>         <authentication mode=”Forms”>

<forms name=”.ASPXAUTH”>           <forms name=”{abcd1234…}”

 

10、Using hard-coded credentials

Vulnerable:                                      Secure:

<configuration>                                 <configuration>

<system.web>                                  <system.web>

<authentication mode=”Forms”>         <authentication mode=”Forms”>

<forms>                                                  <forms>

<credentials>                                           …

</credentials>                                   </forms>

</forms>

posted on 2010-03-11 21:32  小小痕  阅读(462)  评论(0编辑  收藏  举报

导航