IBM AppScan Security vulnerability Issue fix (. net)

Issues categorized by problem type

2. Authentication bypass with SQL injection 2
4. Decrypted Login Request 3
6. Login error Message Credential enumeration 1
8. Session ID not updated 2
10. Cross-site Request forgery 1
12. Missing "Content-security-policy" header 9
14. Missing "X-content-type-options" header 9
16. Missing "X-xss-protection" header 9
18. Principal parameters accepted in the query 1
20. Microsoft ASP 2 is enabled for debugging
22. Missing cross-frame Scripting Defense 1
24. Decrypted __viewstate parameter 1
26. Application test Script detected 1
28. Application Error 9
30. Integer overflow 3

Problem fix

1. Authentication Bypass with SQL injection

A: Login, register page input information, filter SQL keywords or key characters;
Submit form pages, query page entries, filter SQL keywords or key characters.
Key words
String Strkeyword = @ "select|insert|delete|from|count\ (|drop table|update|truncate|asc\ (|mid\ (|char\ (|xp_cmdshell| EXEC master|netlocalgroup administrators|:| NET user| "" | Or|and ";
Key characters
String Strregex = @ "[-|;|,|/|\ (|\) |\[|\]|}| {|%| \@|*|!| '] ";

The best solution is to parameterize the query to prevent SQL injection vulnerability attacks.

2. A decrypted login request

A: One argument is that SSL certificates are used and are not resolved for the time being.

3. Logon Error message Credential enumeration

A: When users log in, if you enter the wrong user information, it is best to prompt the same error message alert, such as: Your user name or password input error. Provides enumeration hints that are prone to brute force cracking.

4. Session ID not updated

A: Change the session identifier after logging in, primarily for the login page.

Reference scenario: http://www.2cto.com/Article/201302/190228.html test has no effect
http://blog.itpub.net/12639172/viewspace-441971/Test OK
On the login page, add the Red Line bold section
protected void Page_Load (object sender, EventArgs e)
{
if (! IsPostBack)
{
　　　Session.Abandon ();
Clear SessionID
RESPONSE.COOKIES.ADD (New HttpCookie ("Asp.net_sessionid", ""));
Txt_fileld1.focus ();
}
}

5. Cross-site Request forgery

A: When requesting each page, determine if the host and port are consistent with the profile information.
Online Reference Method:
1, using Referer to judge,
However, it is possible for a user to set up a browser so that it does not provide Referer when sending a request, and users will not be able to access the site.
2. Add token to the request and verify
The key is to put in the request information that the hacker cannot forge, and that the information does not exist in the cookie,
A random code can be generated on the server side and placed in the hidden element of the form, which is checked on the server side when the form is submitted.

6. Missing "Content-security-policy" header

A: Add the following response header in the Web. config configuration file
<system.webServer>
<customHeaders>
<add name= "x-content-type-options" value= "Nosniff"/>
<add name= "x-xss-protection" value= "1;mode=block"/>
<add name= "x-frame-options" value= "Sameorigin"/>
<add name= "Content-security-policy" value= "default-src ' self '"/>
</customHeaders>
</system.webServer>

7. Missing "X-content-type-options" header

A: Add the following response header to the Web. config configuration file, and add the node to question 6th

<add name= "x-content-type-options" value= "Nosniff"/>

8. Missing "X-xss-protection" header

A: Add the following response header to the Web. config configuration file, and add the node to question 6th
<add name= "x-xss-protection" value= "1;mode=block"/>

9. Principal parameters accepted in the query

Answer: Not resolved

10. Microsoft ASP. NET debugging is enabled

A: After the application is published, modify the properties of the configuration file node compilation debug to False.
<compilation debug= "false" targetframework= "4.0"/>

11. Missing cross-frame scripting defenses

A: Add the following response header to the Web. config configuration file, and add the node to question 6th
<add name= "Content-security-policy" value= "default-src ' self '"/>

Note that after the addition, different browsers may appear, and there will be a different response to compatibility issues. For example, the fast mode will appear the page internal CSS is invalid.

12. Decrypted __viewstate parameter

A: Adding pages in the Web. config configuration file viewStateEncryptionMode the properties to always.
<pages controlrenderingcompatibilityversion= "3.5" clientidmode= "autoid" viewstateencryptionmode= "Always"/>

13. Application test Script detected

A: During the development of the system, the test page added will need to be "excluded from the project" Before the program is released.

14. Application Error

Answer: The Application error page appears.
such as: Server Error in '/' Application.

One is to resolve the application errors that belong to the developer, and the second is to add the default error page to the configuration file.

<customerrors mode= "on" defaultredirect= "~/error.html"/>
15. Integer overflow

A: Check the data type and boundary range for the parameters in the requested URL.
such as/applyshow.aspx?id=99999999999999999999
Case Two: Login page button parameter, in the request body, did not find the reason???
Http://localhost:83/login.aspx entity: Imgbtndl.y (Parameter)

16. WebResource.axd

Webresources.axd?d=xyz.
One feature of WebResource.axd is that it generates 500 errors for the wrong ciphertext (that is, XYZ in d=xyz) and 404 errors for the correct ciphertext, which creates enough hints

Resources:
Http://www.2cto.com/Article/201009/75162.html

http://pan.baidu.com/share/link?shareid=3851057069&uk=2164275402

Http://www.cnblogs.com/JeffreyZhao/archive/2010/09/25/things-about-padding-oracle-vulnerability-in-asp-net.html

http://www.cnblogs.com/shanyou/archive/2010/09/25/1834889.html Padding Oracle Attack Detection Tool

Workaround: http://www.cnblogs.com/shanyou/archive/2010/09/24/1833757.html Chinese version
http://weblogs.asp.net/scottgu/important-asp-net-security-vulnerability English version

Step one. Adding Configuration nodes

. NET 3.5 and previous versions, adding configuration nodes
<customerrors mode= "on" defaultredirect= "~/error.html"/>
. NET 3.5 SP1 or. NET 4.0 add the following configuration node, note that the bold part must be
<customerrors mode= "on" defaultredirect= "~/error.aspx" redirectmode= "Responserewrite"/>

Step Two: Add the default error page

<%@ page language= "C #" autoeventwireup= "true"%><%@ Import namespace= "System.Security.Cryptography"%> <%@ Import namespace= "system.threading"%><script runat= "server" >   void Page_Load () {      byte[] delay = new Byte[1];      RandomNumberGenerator PRNG = new RNGCryptoServiceProvider ();      Prng. GetBytes (delay);      Thread.Sleep ((int) delay[0]);              IDisposable disposable = prng as IDisposable;      if (disposable! = NULL) {disposable. Dispose (); }    }</script>
　　
If anyone has a better solution, thank you for the offer!
IBM AppScan Security vulnerability Issue fix (. net)