XML Repository

Want to secure your MS .NET Application? Start with securing your …

by Sir on March 21, 2011

Let me start this article by saying that even the most secure VB.NET or C# code can still be vulnerable to various attack vectors if, as a developer, you neglect the additional security configuration in the web.config file. To make matters worse, Web.config files were designed to be changed at any time, even after the Web-based application is in production, and many of the default configuration settings are insecure by themselves. In fact, some of the most common vulnerabilities in ASP.NET applications come not from the back-end server-side code (VB.NET or C#) but from the XML that makes up the Web.config file.

In this article I will discuss some of the web.config settings which, if not properly configured, can lead to application security holes such as session hijacking and Cross-Site Scripting attacks, and can even allow the disclosure of private data to attackers.

Custom Error configuration:

Every piece of information an attacker receives about a targeted system or application is a valuable weapon. If custom errors are not configured, then in the case of an unhandled exception the application returns the details of that error to the end user, which can disclose critical information about the underlying application or system.

Two most common misconfigurations:

Custom error message mode is turned off. An ASP.NET error message with a detailed stack trace and platform versions will be returned.

Custom error message mode is set for remote users only, but no defaultRedirect error page is specified. A local user on the web server will see a detailed stack trace. For remote users, an ASP.NET error message with the server configuration setting and the platform version will be returned.

Secure configuration:
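The web.config snippets did not survive in this copy of the article, so the following is an added example reconstructed from the standard ASP.NET <customErrors> syntax, not the author's original code. All three fragments belong inside <system.web>; a real web.config may contain only one <customErrors> element, they are shown side by side for comparison. The page names Error.aspx and NotFound.aspx are assumed.

```xml
<!-- Added example: reconstructed from the standard ASP.NET <customErrors> syntax.
     Only ONE <customErrors> element may appear in a given web.config. -->

<!-- Misconfiguration 1: custom errors turned off.
     Every user receives the full ASP.NET error page with stack trace and
     framework/platform versions. -->
<customErrors mode="Off" />

<!-- Misconfiguration 2: RemoteOnly without a defaultRedirect.
     Local browsers still get the stack trace; remote users get the generic
     ASP.NET error page, which reveals the customErrors setting and the version. -->
<customErrors mode="RemoteOnly" />

<!-- Secure: unhandled exceptions send the user to a custom page that carries no
     diagnostic detail. "~/Error.aspx" and "~/NotFound.aspx" are assumed names.
     mode="On" is stricter still (hides details even from local browsers). -->
<customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
  <error statusCode="404" redirect="~/NotFound.aspx" />
</customErrors>
```

A quick check after deployment: request a page that raises an exception from a machine other than the server and confirm the response is the custom page, not the yellow ASP.NET error screen.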

This will redirect the user to a custom error page when an error occurs.

Debugging configuration:

If ASP.NET debugging is enabled and customErrors is not set, then in the event of an exception the application will return not only the server information, a detailed exception message and a stack trace, but also the actual source code of the page where the error occurred.

Vulnerable configuration:

Secure configuration:
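The original snippets for the two labels above are missing from this copy, so here is an added example (not the author's code) built from the standard <compilation> element of <system.web>. The <deployment> element at the end is a related setting I have added as a practitioner's safeguard; it belongs in machine.config rather than web.config.

```xml
<!-- Added example: standard ASP.NET <compilation> syntax, not from the original page. -->

<!-- Vulnerable: a debug build keeps line numbers and source mapping, so the
     error page (when customErrors is unset) includes the source around the
     failing line, on top of the stack trace and server information. -->
<compilation debug="true" />

<!-- Secure: release compilation. Combine with a customErrors setting so that
     an unhandled exception never reaches the browser in detail. -->
<compilation debug="false" />

<!-- Defence in depth (goes in machine.config, not web.config): with retail="true"
     the framework forces debug off, disables tracing and turns custom errors on
     for every application on the server, regardless of what an individual
     web.config says. -->
<deployment retail="true" />
```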

“httpOnly” cookie attribute:

The “httpOnly” attribute of a cookie can guard your application against cookie theft through the execution of client-side scripts such as JavaScript or VBScript. Hiding the cookie from client-side script in this way helps protect Web-based applications against Cross-Site Scripting attacks. Although it is possible to enable the httpOnly attribute on each cookie in code, it is easier and more reliable to configure the application to enable HttpOnly for all cookies automatically. To do this, set the httpOnlyCookies attribute in the web.config file to true.

Secure configuration:
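Added example, not from the original page: the httpOnlyCookies attribute belongs to the <httpCookies> element, a child of <system.web>. The Set-Cookie line in the comment is an illustrative header, not captured output.

```xml
<!-- Added example: standard ASP.NET <httpCookies> syntax, not from the original page. -->
<system.web>
  <!-- Secure: every cookie the application issues (the ASP.NET_SessionId cookie,
       the Forms authentication ticket, and any HttpCookie created in code)
       carries the HttpOnly flag, so document.cookie in client-side script
       cannot read it. An injected script can still run, but it cannot
       exfiltrate the session cookie.

       Illustrative resulting header:
         Set-Cookie: ASP.NET_SessionId=...; path=/; HttpOnly              -->
  <httpCookies httpOnlyCookies="true" />
</system.web>
```

To verify, inspect the Set-Cookie headers of a login response in the browser's developer tools or a proxy and confirm the HttpOnly flag is present on every application cookie.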

Tracing feature enabled:

Any user can view detailed information about recent requests to the application by simply browsing to the page trace.axd if tracing in the web.config file is enabled for remote users. A trace log can disclose information such as the ASP.NET version; a complete trace of all the page methods the request invoked, including their execution times; the session state and application state keys; the request and response cookies; the complete set of request headers, form variables and QueryString variables; and finally the complete set of server variables.

Vulnerable configuration:

Secure configuration:
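Added example for the two labels above, not the author's original snippet: the standard <trace> element of <system.web>, with the vulnerable setting beside two acceptable alternatives.

```xml
<!-- Added example: standard ASP.NET <trace> syntax, not from the original page. -->

<!-- Vulnerable: trace.axd answers requests from any client on the network,
     handing out headers, cookies, form fields and server variables of the
     last 40 requests. -->
<trace enabled="true" localOnly="false" requestLimit="40" pageOutput="false" />

<!-- Secure (preferred in production): tracing switched off entirely. -->
<trace enabled="false" />

<!-- Acceptable while debugging on the box itself: trace.axd is served only to
     browsers running on the web server. Remove it before release. -->
<trace enabled="true" localOnly="true" requestLimit="40" pageOutput="false" />
```

A simple production check is to request /trace.axd from a remote machine and confirm the server returns an error page rather than the trace listing.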

Cookieless Session State Enabled:

Microsoft added support for cookieless session tokens through the “cookieless” setting from .NET version 1.1 onwards. Web applications configured to use cookieless session state store the session token in the page URLs rather than in a cookie. For example, the page URL might change from http://www.example.com/myapp/index.aspx to http://www.example.com/myapp/(123456789ABCDEFG)index.aspx

where 123456789ABCDEFG is the session id of the user’s authenticated session.

While adding support for cookieless session state did improve the usability of ASP.NET Web applications for users who would not accept cookies, it also had the side effect of making those applications much more vulnerable to session hijacking attacks.

Vulnerable configuration:

Secure configuration:
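Added example for the two labels above (not the author's original snippet), using the standard <sessionState> element of <system.web>. The UseUri/UseCookies values are the .NET 2.0 and later spellings; .NET 1.1 accepted only true and false, which the newer framework still maps to UseUri and UseCookies respectively.

```xml
<!-- Added example: standard ASP.NET <sessionState> syntax, not from the original page. -->

<!-- Vulnerable: the session id is embedded in every URL, so it ends up in
     browser history, bookmarks, proxy and web-server logs and the Referer
     header sent to third-party sites. Anyone who sees the URL can replay the
     session. ("true" is the .NET 1.1 equivalent of UseUri.) -->
<sessionState cookieless="UseUri" />

<!-- Also risky: AutoDetect / UseDeviceProfile fall back to URL tokens for any
     client that appears not to support cookies. -->
<sessionState cookieless="AutoDetect" />

<!-- Secure: the session id travels only in a cookie (which, with
     httpOnlyCookies="true", is also hidden from client-side script).
     ("false" is the .NET 1.1 equivalent of UseCookies.) -->
<sessionState cookieless="UseCookies" />
```

To verify, browse the application with cookies disabled: with the secure setting the URL must never acquire a parenthesised session token.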

Note that Web.config files operate in a hierarchical inheritance manner. Every Web.config file inherits values from any Web.config file in a parent directory. All Web.config files on the system inherit from the global configuration file called machine.config, located in