Saturday 2 January 2016

How to reduce vulnerability from Asp.net?

Basic points by maintaining which we could reduce asp.net application vulnerability. Most of the time developer's mistakes become the main reason of hijacking sites. These are the bone of application which should be straight otherwise can band :)

Top 10+ Asp.net vulnerability 


1. Disable debug 


 <configuration>
   <compilation debug="true"/>
 </configuration>

 Solution: It should be false.

 2. Error and Custom errors configurations
 <customErrors mode="Off" />

 Solution: It should be
 <customErrors mode="On" defaultRedirect="YourErrorPage.htm" />

 3. Page validation with bad request

 <pages clientIDMode="Static" validateRequest="false"  />

 Solution: Should be
 <pages clientIDMode="Static" validateRequest="true"  /> based on your requirement you can explicitly
 turn on page specific
 <%@ Page Language="C#" ValidateRequest="false" %>


 4. Unencrypted __VIEWSTATE parameter

 Solution:
 <machineKey validation="AES|SHA1"/>

 5. Server Information in response header
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET

Solution:
In globel.asax
protected void Application_PreSendRequestHeaders()
    {
        Response.Headers.Remove("Server");
        Response.Headers.Remove("X-AspNet-Version");
        Response.Headers.Remove("X-AspNetMvc-Version");
    }


6. Clickjacking: X-Frame-Options header missing

In globel.asax
protected void Application_PreSendRequestHeaders()
    {
Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
//X-Frame-Options:DENY
    }


7. Cookie without Secure flag set

By default, the HttpOnly property is set to false, unless specified otherwise in configuration.
If we create cookie from default flag set, we would able to call further in client script. like
<script type="text/javascript">
    alert(getCookie("MyHttpCookie"));
    // Because the cookie is set to HttpOnly,
</script>

Solution:
// Create an HttpOnly cookie.
HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting the HttpOnly value to true, makes
// this cookie accessible only to ASP.NET.
myHttpOnlyCookie.HttpOnly = true;
myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
Response.AppendCookie(myHttpOnlyCookie);


and

Cookie without Secure flag set
 <httpCookies httpOnlyCookies="true" requireSSL="true"/>






8. remove server header from static content

HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT

Solution:
<modules runAllManagedModulesForAllRequests="true">



9. Enable Cross-Site Scripting Filter, Web Browser XSS Protection Not Enabled


Solution:
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Add("X-XSS-Protection", "1; mode=block");
}

10. Set X-Content-Type-Options

The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
solution:
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Add("X-Content-Type-Options", "nosniff");
}


11.http options method is enabled on this web server


Solution:
<system.web>
    <authorization>
        <deny verbs="OPTIONS" users="*" />
        <!--<deny verbs="TRACE" users="*" />
        <deny verbs="HEAD" users="*" />
        <deny verbs="PROPFIND" users="*" />
        <deny verbs="COPY" users="*" />
        <deny verbs="LOCK" users="*" />
        <deny verbs="UNLOCK" users="*" />
        <deny verbs="PROPPATCH" users="*" />
        <deny verbs="MKCOL" users="*" />
        <deny verbs="MOVE" users="*" />
        <deny verbs="DELETE" users="*" />-->
    </authorization>
</system.web>