[AppScan] Fix Vulnerability I: unsafe HTTP methods enabled (medium)
Vulnerability background:
"Unsafe HTTP methods enabled" is rated "medium". AppScan's description: AppScan sends an OPTIONS request, and if the response's Allow header lists methods such as DELETE, SEARCH or COPY, it reports this as a vulnerability.
Suggested fixes: there are three options:
1. Disable the WebDAV feature. This is the fundamental fix and introduces no new sources of instability.
2. Block OPTIONS with URLScan. This does not actually disable the other methods, it only narrows the scope of the exposure, and URLScan may have side effects.
3. Use URLScan to disable OPTIONS and the other unsafe HTTP methods, or allow only GET/POST/HEAD (every other method is then disabled automatically).
[AppScan] Fix Vulnerability II: autocomplete not disabled for password fields (low)
Inference: AppScan found a password field that does not force the browser's autofill feature off.
Modify suggestion: set the password field's autocomplete attribute to "off" (autocomplete="off").
[AppScan] Fix Vulnerability III: sensitive information disclosure in HTML comments (informational)
Recommendation: click a specific issue, review its request/response, click the next line to highlight the offending comment, then check the corresponding page of the live site to confirm the comment has been removed.
[AppScan] Fix Vulnerability IV: session ID not updated (medium)
Vulnerability background:
"Session ID not updated" is rated medium. AppScan records the cookies before and after the login action, specifically JSESSIONID (JSP) or ASP.NET_SessionId (ASP.NET). If this cookie value is unchanged after login, it reports "session ID not updated".
Modify suggestions:
JSP: the repair method can follow this author's article, http://www.2cto.com/Article/201302/190227.html
Add the following snippet to the login page (it assumes the session cookie is the first cookie in the request; response.addCookie is required so that the expiry actually reaches the browser):
    request.getSession().invalidate();          // clear the server-side session
    Cookie cookie = request.getCookies()[0];    // get the session cookie (assumed to be the first cookie)
    cookie.setMaxAge(0);                        // expire it in the browser
    response.addCookie(cookie);                 // send the expiry; the next request creates a new session
ASP.NET: the repair method can follow the code below. In the login button's click handler, before the login check, add three lines that erase the session cookie, which resets the SessionID.
    protected void btnLogin_Click(object sender, EventArgs e)
    {
        // Reset the session ID: clear and abandon the current session, then overwrite the session cookie
        Session.Clear();
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

        // Login check
        if (Check(txtName.Text, txtPassword.Text))
        {
            FormsAuthentication.SetAuthCookie("Admin", false);
            Response.Redirect("Default.aspx");
        }
    }
The threat of "session ID not updated":
An attacker places a session ID of their own choosing into the victim's browser (for example via XSS), so the victim's session identifier is set to a value the attacker already knows. The victim then logs in normally; if the server keeps accepting that preset value, the attacker now holds the victim's logged-in session. This is why the session ID must be regenerated at login.
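To verify the fix the way AppScan tests it, compare the session cookie issued before login with the one in force after login. The script below is an added example, not part of the original post or of AppScan; the Set-Cookie header values it checks are constructed samples, and the function names are its own.

```python
# Session cookie names AppScan compares across the login step (JSP and ASP.NET).
SESSION_COOKIE_NAMES = ("jsessionid", "asp.net_sessionid")

def parse_set_cookie(header):
    """Return (name, value) from a Set-Cookie header value; attributes after ';' are ignored."""
    name, _, rest = header.partition("=")
    return name.strip(), rest.split(";", 1)[0].strip()

def session_ids(set_cookie_headers):
    """Map lowercased session cookie name -> value. A later Set-Cookie for the same
    name overrides an earlier one, so an expiring 'JSESSIONID=' followed by a fresh
    value ends up as the fresh value."""
    found = {}
    for header in set_cookie_headers:
        name, value = parse_set_cookie(header)
        if name.lower() in SESSION_COOKIE_NAMES:
            found[name.lower()] = value
    return found

def session_id_rotated(pre_login_headers, post_login_headers):
    """Mirror AppScan's check. Returns (ok, detail). It fails when the post-login
    response either never reissues the session cookie (browser keeps the old ID)
    or reissues it with the same value."""
    before = session_ids(pre_login_headers)
    after = session_ids(post_login_headers)
    if not before:
        return True, "no session cookie issued before login; nothing to fixate"
    for name, old in before.items():
        new = after.get(name)
        if new is None:
            return False, f"{name} not reissued after login; pre-login id {old!r} stays valid"
        if new == old:
            return False, f"{name} unchanged across login ({old!r})"
    return True, "session id rotated at login"

# Constructed sample headers (not captured from a real site).
PRE_LOGIN = ["JSESSIONID=A1B2C3D4; Path=/; HttpOnly"]
POST_LOGIN_SAME = ["JSESSIONID=A1B2C3D4; Path=/; HttpOnly"]        # finding reproduces
POST_LOGIN_NONE = ["Set-Other=1; Path=/"]                           # cookie never reissued
POST_LOGIN_GOOD = ["JSESSIONID=; Max-Age=0; Path=/",                # old id expired ...
                   "JSESSIONID=F9E8D7C6; Path=/; HttpOnly"]         # ... and a fresh one issued

if __name__ == "__main__":
    for label, post in (("same", POST_LOGIN_SAME), ("none", POST_LOGIN_NONE), ("good", POST_LOGIN_GOOD)):
        print(label, session_id_rotated(PRE_LOGIN, post))
```

Run it against the real pre- and post-login responses of your own application after applying either fix above; a True result means the pre-login identifier is no longer honoured.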
AppScan Learning to fix vulnerabilities