Basic points which, if maintained, reduce the vulnerability of an ASP.NET application. Most of the time developer mistakes are the main reason sites get hijacked. These are the backbone of the application and should be kept straight, otherwise it can bend :)
Top 10+ ASP.NET vulnerabilities
1. Disable debug
<configuration>
<compilation debug="true"/>
</configuration>
Solution: It should be false; set debug="false" in the production web.config.
2. Error and Custom errors configurations
<customErrors mode="Off" />
Solution: It should be
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
3. Page validation with bad request
<pages clientIDMode="Static" validateRequest="false" />
Solution: Should be
<pages clientIDMode="Static" validateRequest="true" />
Keep request validation on globally; where a particular page genuinely needs raw input, turn it off for that page only:
<%@ Page Language="C#" ValidateRequest="false" %>
4. Unencrypted __VIEWSTATE parameter
Solution: Configure an explicit machineKey in web.config (the snippet lists the alternatives; pick one value, e.g. AES or SHA1):
<machineKey validation="AES|SHA1"/>
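As an added check (example code written for this article, not from the original post or any ASP.NET tooling), a small Python audit that reads a web.config and flags items 1 to 4 above, plus the httpCookies setting from item 7; the sample web.config is constructed to trip every check.

```python
import xml.etree.ElementTree as ET

# Constructed sample that deliberately carries every weak setting the post lists.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.5" />
    <customErrors mode="Off" />
    <pages clientIDMode="Static" validateRequest="false" />
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""


def _first(root, tag):
    """First element with this tag anywhere in the document, or None."""
    return next(root.iter(tag), None)


def _flag(element, attr, default):
    """ASP.NET config booleans are case-insensitive 'true'/'false'."""
    return (element.get(attr, default) if element is not None else default).lower() == "true"


def audit_web_config(xml_text):
    """Return findings tagged with the post's item numbers; [] means all checks passed."""
    root = ET.fromstring(xml_text)
    findings = []
    if _flag(_first(root, "compilation"), "debug", "false"):
        findings.append('1: compilation debug="true" leaks stack traces; set it to false')
    errors = _first(root, "customErrors")
    if errors is not None and errors.get("mode", "").lower() == "off":
        findings.append('2: customErrors mode="Off" shows raw errors; use On with a defaultRedirect')
    # validateRequest defaults to true, so only an explicit "false" is a finding
    if not _flag(_first(root, "pages"), "validateRequest", "true"):
        findings.append('3: pages validateRequest="false" disables request validation site-wide')
    key = _first(root, "machineKey")
    if key is None or not key.get("validation"):
        findings.append("4: no explicit machineKey validation for __VIEWSTATE")
    cookies = _first(root, "httpCookies")
    if not (_flag(cookies, "httpOnlyCookies", "false") and _flag(cookies, "requireSSL", "false")):
        findings.append('7: httpCookies needs httpOnlyCookies="true" and requireSSL="true"')
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```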
5. Server information in response headers
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Solution:
In Global.asax (Response.Headers is writable only under the IIS integrated pipeline):
protected void Application_PreSendRequestHeaders()
{
    // Strip the version-disclosing headers before the response goes out.
    Response.Headers.Remove("Server");
    Response.Headers.Remove("X-AspNet-Version");
    Response.Headers.Remove("X-AspNetMvc-Version");
    // X-Powered-By is an IIS custom header, not set by ASP.NET; remove it in web.config
    // under <system.webServer><httpProtocol><customHeaders> with <remove name="X-Powered-By" />.
}
6. Clickjacking: X-Frame-Options header missing
In Global.asax:
protected void Application_PreSendRequestHeaders()
{
    // Global.asax can hold only one method with this name, so merge the header
    // changes from items 5, 6, 9 and 10 into a single handler.
    Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
    // Use "DENY" instead if the page must never be framed, even by the same site.
}
7. Cookie without HttpOnly / Secure flag set
By default, the HttpOnly property is false unless configured otherwise. A cookie created with the default flags can then be read from client script, like this:
<script type="text/javascript">
    // getCookie is not defined by the original sample; this helper reads document.cookie.
    function getCookie(name) {
        var m = document.cookie.match("(?:^|; )" + name + "=([^;]*)"); return m ? m[1] : null;
    }
    alert(getCookie("MyHttpCookie"));
    // Readable because MyHttpCookie lacks HttpOnly; an HttpOnly cookie never appears in document.cookie.
</script>
Solution:
// Create an HttpOnly cookie.
HttpCookie myHttpOnlyCookie = new HttpCookie("LastVisit", DateTime.Now.ToString());
// Setting HttpOnly to true makes this cookie accessible only to ASP.NET
// (the browser withholds it from client script).
myHttpOnlyCookie.HttpOnly = true;
myHttpOnlyCookie.Name = "MyHttpOnlyCookie";
Response.AppendCookie(myHttpOnlyCookie);
and, for the cookie without the Secure flag set (cookies are then only sent over HTTPS), set both flags site-wide in web.config:
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
8. Remove the Server header from static content
Static files are served by IIS without passing through the managed handler from item 5, so their responses still carry the header:
HTTP/1.1 304 Not Modified
Cache-Control: no-cache
Accept-Ranges: bytes
Etag: "a3f2a35bdf45ce1:0"
Server: Microsoft-IIS/8.0
Date: Tue, 25 Jun 2013 18:33:16 GMT
Solution: make the managed modules (and with them the Global.asax handler) run for every request, under <system.webServer> in web.config:
<modules runAllManagedModulesForAllRequests="true" />
9. Enable Cross-Site Scripting Filter, Web Browser XSS Protection Not Enabled
Solution:
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Add("X-XSS-Protection", "1; mode=block");
}
10. Set X-Content-Type-Options
The only defined value, "nosniff", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome when downloading extensions. It reduces exposure to drive-by download attacks and to sites serving user-uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.
Solution:
protected void Application_PreSendRequestHeaders()
{
    Response.Headers.Add("X-Content-Type-Options", "nosniff");
}
11. HTTP OPTIONS method is enabled on this web server
Solution: deny the verb for all users through URL authorization in web.config (the commented-out lines show how to deny other unneeded verbs the same way):
<system.web>
  <authorization>
    <deny verbs="OPTIONS" users="*" />
    <!--<deny verbs="TRACE" users="*" />
    <deny verbs="HEAD" users="*" />
    <deny verbs="PROPFIND" users="*" />
    <deny verbs="COPY" users="*" />
    <deny verbs="LOCK" users="*" />
    <deny verbs="UNLOCK" users="*" />
    <deny verbs="PROPPATCH" users="*" />
    <deny verbs="MKCOL" users="*" />
    <deny verbs="MOVE" users="*" />
    <deny verbs="DELETE" users="*" />-->
  </authorization>
</system.web>
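Items 5 to 10 are all visible in the HTTP response, so they can be verified from the outside. The following Python example is added here and is not part of the original post: it parses a raw response and reports which of those headers and cookie flags are missing; the sample response is constructed, modelled on the item 8 capture.

```python
# Constructed response (modelled on the post's item 8 sample, plus cookies) so the audit runs offline.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.0\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: LastVisit=2013; path=/; HttpOnly; Secure\r\n"
    "\r\n"
)
LEAKY_HEADERS = ("Server", "X-AspNet-Version", "X-AspNetMvc-Version", "X-Powered-By")


def parse_headers(raw):
    """Split a raw response into (status line, [(lower-cased name, value), ...]); repeats are kept."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    pairs = []
    for line in lines:
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return status, pairs


def audit_response(raw):
    """Return findings tagged with the post's item numbers; [] means every check passed."""
    _, pairs = parse_headers(raw)
    single = dict(pairs)  # last value wins; fine for the single-valued headers checked below
    findings = []
    for leaky in LEAKY_HEADERS:  # item 5: version disclosure
        if leaky.lower() in single:
            findings.append(f"5: {leaky} discloses server details ({single[leaky.lower()]})")
    if single.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):  # item 6
        findings.append("6: X-Frame-Options missing or not DENY/SAMEORIGIN (clickjacking)")
    for name, value in pairs:  # item 7: checked once per Set-Cookie header
        if name == "set-cookie":
            cookie = value.split("=", 1)[0]
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            for flag in ("httponly", "secure"):
                if flag not in attrs:
                    findings.append(f"7: cookie {cookie} lacks the {flag} flag")
    if single.get("x-xss-protection") != "1; mode=block":  # item 9
        findings.append("9: X-XSS-Protection is not '1; mode=block'")
    if single.get("x-content-type-options", "").lower() != "nosniff":  # item 10
        findings.append("10: X-Content-Type-Options: nosniff missing")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_response(SAMPLE_RESPONSE)))
```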