Ten security vulnerabilities in .NET configuration files

2012-08-24 15:04:20 | Category: Learning on the road

When an ASP.NET application is deployed to production, check its Web.config for the following ten misconfigurations, each of which can lead to a security vulnerability. I'm sure one look at each pair is enough to see what is wrong...

 

1、Disabling custom errors

Vulnerable:

    <configuration>
      <system.web>
        <customErrors mode="Off" />
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <customErrors mode="RemoteOnly" />
      </system.web>
    </configuration>

 

2、Leaving tracing enabled

Vulnerable:

    <configuration>
      <system.web>
        <trace enabled="true" localOnly="false" />
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <trace enabled="false" localOnly="true" />
      </system.web>
    </configuration>

 

3、Enabling debugging

Vulnerable:

    <configuration>
      <system.web>
        <compilation debug="true" />
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <compilation debug="false" />
      </system.web>
    </configuration>

 

4、Making cookies accessible through client-side script

Vulnerable:

    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="false" />
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <httpCookies httpOnlyCookies="true" />
      </system.web>
    </configuration>

 

5、Enabling cookieless session state

Vulnerable:

    <configuration>
      <system.web>
        <sessionState cookieless="UseUri" />
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <sessionState cookieless="UseCookies" />
      </system.web>
    </configuration>

 

6、Enabling cookieless authentication

Vulnerable:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms cookieless="UseUri" />
        </authentication>
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms cookieless="UseCookies" />
        </authentication>
      </system.web>
    </configuration>

 

7、Failing to require SSL for authentication cookies

Vulnerable:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms requireSSL="false" />
        </authentication>
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms requireSSL="true" />
        </authentication>
      </system.web>
    </configuration>

 

8、Using sliding expiration

Vulnerable:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms slidingExpiration="true" />
        </authentication>
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms slidingExpiration="false" />
        </authentication>
      </system.web>
    </configuration>

 

9、Using non-unique authentication cookies

Vulnerable:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name=".ASPXAUTH" />
        </authentication>
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms name="{abcd1234…}" />
        </authentication>
      </system.web>
    </configuration>

 

10、Using hard-coded credentials

Vulnerable:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms>
            <credentials>
            </credentials>
          </forms>
        </authentication>
      </system.web>
    </configuration>

Secure:

    <configuration>
      <system.web>
        <authentication mode="Forms">
          <forms>
            …
          </forms>
        </authentication>
      </system.web>
    </configuration>
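As an added example (not part of the original post), the following Python script applies the ten checks above to a Web.config. The sample configuration is constructed for illustration; the fallback values are the documented ASP.NET 2.0+ defaults, so a setting that is simply left out is only safe when its default is safe.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from any real deployment); it trips all ten checks.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
    <trace enabled="true" localOnly="false" />
    <compilation debug="true" />
    <sessionState cookieless="UseUri" />
    <authentication mode="Forms">
      <forms requireSSL="false" slidingExpiration="true">
        <credentials passwordFormat="Clear"><user name="admin" password="PLACEHOLDER" /></credentials>
      </forms>
    </authentication>
  </system.web>
</configuration>"""

# (finding, path under <system.web>, attribute, ASP.NET 2.0+ default when absent, is_vulnerable)
CHECKS = [
    ("1 custom errors disabled", "customErrors", "mode", "RemoteOnly", lambda v: v == "off"),
    ("2 tracing enabled", "trace", "enabled", "false", lambda v: v == "true"),
    ("3 debug compilation", "compilation", "debug", "false", lambda v: v == "true"),
    ("4 cookies readable by script", "httpCookies", "httpOnlyCookies", "false", lambda v: v != "true"),
    ("5 cookieless session state", "sessionState", "cookieless", "UseCookies", lambda v: v not in ("usecookies", "false")),
    ("6 cookieless forms auth", "authentication/forms", "cookieless", "UseDeviceProfile", lambda v: v != "usecookies"),
    ("7 auth cookie without SSL", "authentication/forms", "requireSSL", "false", lambda v: v != "true"),
    ("8 sliding expiration", "authentication/forms", "slidingExpiration", "true", lambda v: v == "true"),
    ("9 default auth cookie name", "authentication/forms", "name", ".ASPXAUTH", lambda v: v == ".aspxauth"),
]

def audit_web_config(xml_text):
    """Return the findings from the list above that this web.config fails, in order (empty list = clean)."""
    web = ET.fromstring(xml_text).find("system.web")
    if web is None:
        return []
    auth = web.find("authentication")
    forms_auth = auth is not None and auth.get("mode", "Windows").lower() == "forms"
    findings = []
    for finding, path, attr, default, is_bad in CHECKS:
        if path.startswith("authentication/") and not forms_auth:
            continue  # checks 6-9 only apply when forms authentication is in use
        el = web.find(path)
        # An absent element means ASP.NET applies its default, so silence is not safety.
        value = (el.get(attr, default) if el is not None else default).lower()
        if is_bad(value):
            findings.append(finding)
    if forms_auth and web.find("authentication/forms/credentials") is not None:
        findings.append("10 hard-coded credentials")
    return findings
```

Calling `audit_web_config(SAMPLE_WEB_CONFIG)` returns all ten findings; an empty `<system.web/>` still returns finding 4, because httpOnlyCookies defaults to false.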

Copyright NetEase ©1997-2017