Monday, 1 October 2007

Top 5 Application Security Vulnerabilities in Web.config Files

1. Cookieless Session State Enabled: Carrying the session token in the URL (cookieless session state) exposes it to session hijacking. The most effective way to prevent these session hijacking attacks is to force your Web application to use cookies to store the session token. This is accomplished by setting the "cookieless" attribute of the <sessionState> element to "UseCookies" or "false".

Vulnerable configuration:
<configuration>
  <system.web>
    <sessionState cookieless="UseUri" />
  </system.web>
</configuration>


Secure configuration:
<configuration>
  <system.web>
    <sessionState cookieless="UseCookies" />
  </system.web>
</configuration>



2. Cookies Accessible through Client-Side Script: Any cookie marked HttpOnly will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from Cross-Site Scripting attacks.

Vulnerable configuration:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>



Secure configuration:
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>



3. Custom Errors Disabled: When you disable custom errors as shown below, ASP.NET provides a detailed error message to clients by default. The more information a hacker can gather about a Web site, the more likely it is that he will be able to successfully attack it.

Vulnerable configuration:
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>



Secure configuration:
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" />
  </system.web>
</configuration>





4. Leaving Tracing Enabled in Web-Based Applications: The trace feature of ASP.NET is one of the most useful tools that you can use to ensure application security by debugging and profiling your Web-based applications. Unfortunately, it is also one of the most useful tools that a hacker can use to attack your Web-based applications if it is left enabled in a production environment.


Vulnerable configuration:
<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" />
  </system.web>
</configuration>



Secure configuration:
<configuration>
  <system.web>
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>





5. Debugging Enabled: Leaving debugging enabled is dangerous because you are providing inside information to end users who shouldn't have access to it, and who may use it to attack your Web-based applications. For example, if you have enabled debugging and disabled custom errors in your application, then any error message displayed to an end user of your Web-based applications will include not only the server information, a detailed exception message, and a stack trace, but also the actual source code of the page where the error occurred.

Vulnerable configuration:
<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>



Secure configuration:
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
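As an added check that is not part of the original post, the Python script below parses a web.config and reports which of the five settings above are in their weak state. The two embedded web.config samples are constructed for this example, and the values assumed for absent elements follow the ASP.NET 2.0 defaults (an absent <httpCookies> element means httpOnlyCookies is false).

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying every weak setting listed in the post.
WEAK_CONFIG = """<configuration><system.web>
  <sessionState cookieless="UseUri" />
  <httpCookies httpOnlyCookies="false" />
  <customErrors mode="Off" />
  <trace enabled="true" localOnly="false" />
  <compilation debug="true" />
</system.web></configuration>"""

# Constructed sample with the corrected values from the post.
HARDENED_CONFIG = """<configuration><system.web>
  <sessionState cookieless="UseCookies" />
  <httpCookies httpOnlyCookies="true" />
  <customErrors mode="RemoteOnly" />
  <trace enabled="false" localOnly="true" />
  <compilation debug="false" />
</system.web></configuration>"""

def audit_web_config(xml_text):
    """Return one finding string per weak setting found under <system.web>."""
    root = ET.fromstring(xml_text)
    web = next((c for c in root if c.tag == "system.web"), None)
    findings = []
    if web is None:
        return findings  # no <system.web> section: nothing here to check

    def attr(tag, name, default):
        # Lower-cased attribute value; a missing element or attribute yields the
        # assumed ASP.NET default, so an absent <httpCookies> still counts as weak.
        el = next((c for c in web if c.tag == tag), None)
        return (el.get(name, default) if el is not None else default).lower()

    # 1. Session token must travel in a cookie, never in the URL (AutoDetect and
    #    UseDeviceProfile may fall back to the URL, so they are flagged as well).
    if attr("sessionState", "cookieless", "UseCookies") not in ("usecookies", "false"):
        findings.append("sessionState: cookieless session state enabled")
    # 2. HttpOnly keeps cookies away from client-side script.
    if attr("httpCookies", "httpOnlyCookies", "false") != "true":
        findings.append("httpCookies: httpOnlyCookies is not true")
    # 3. Detailed error pages must not reach remote clients.
    if attr("customErrors", "mode", "RemoteOnly") == "off":
        findings.append("customErrors: mode is Off")
    # 4. Trace output must be disabled, or at least restricted to localhost.
    if attr("trace", "enabled", "false") == "true" and attr("trace", "localOnly", "true") != "true":
        findings.append("trace: enabled and visible to remote clients")
    # 5. Debug compilation puts page source into error pages.
    if attr("compilation", "debug", "false") == "true":
        findings.append("compilation: debug is true")
    return findings
```

Running audit_web_config on WEAK_CONFIG reports all five findings, while HARDENED_CONFIG reports none; a web.config with an empty <system.web> still reports the httpOnlyCookies finding because the default is the weak value.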



Smile while programming :)


3 comments:

  1. Great article, any about ASP.NET Security.

  2. this also might be useful for you guys

    http://sanjevsharma.blogspot.com/2008/05/aspnet-top-security-issues-checklist.html

  3. Nice, Brief and to the point
