Detect common ASP.NET configuration security vulnerabilities

Source: Internet
Author: User

See the article by Troy Hunt (a Microsoft MVP abroad): 67% of ASP.NET websites have serious configuration related security vulnerabilities. The gist is that, according to the statistics collected from users, about 67% of ASP.NET websites carry security risks caused by improper configuration.

Troy Hunt's analysis data come from ASafaWeb (Automated Security Analyser for ASP.NET Websites), a simple website scanning service he developed. Once a user supplies the URL of an ASP.NET website published on the Internet, ASafaWeb sends several requests to check whether the site has some common security vulnerabilities.

Hunt compiled simple statistics from the 7,184 website records scanned up to this year, after excluding the ASafaWeb test site itself and non-ASP.NET websites. I think these results may not accurately reflect the real situation, because users actively submit the websites for scanning, and we cannot even rule out users deliberately creating problem cases to try out ASafaWeb's checks; nevertheless, they are of great reference value and deserve the attention of ASP.NET developers.

The following are the common ASP.NET configuration security vulnerabilities listed by Hunt:

    1. Error messages not hidden.
       Developers often leave detailed error messages on to make troubleshooting easier, but forget to turn them off when the site goes live. Once the program fails, the details of the code, and even fragments of the related source, are displayed in the open. Hackers may discover file locations, database information, component versions and other information that guides an intrusion.
    2. Request validation turned off.
       According to Hunt's statistics, nearly 30% of websites have disabled request validation for the whole site. If it is really necessary, turn it off only on the page that needs it; that at least reduces the damage surface. When in doubt, however, it is recommended to keep this backdoor closed.
    3. Windows/IIS not updated.
       The HTTP POST hash DoS vulnerability was disclosed at the end of last year: with simple requests, an attacker can keep a website busy until it is paralyzed. Microsoft released the official fix in February, but it seems that 50% of websites are still not updated.
    4. Unrestricted ELMAH access.
       An earlier article, "Uncle Shouji (18): Using ELMAH and Google to experience the pleasure of an intrusion", already mentioned the risk of ELMAH access settings. A little carelessness exposes the secrets inside the program, which is very dangerous; a hacker may even forge an ASP.NET session to impersonate an identity, which is terrible.
    5. Trace not turned off.
       Although the proportion is not high, a hacker can still collect a lot of important information from trace.axd. Remember to disable trace when the site is launched to the production environment.
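As an added example (not part of the original article or of ASafaWeb), the following Python script audits a web.config for items 1, 2, 4 and 5 of the list above from the server side: customErrors, site-wide request validation, trace.axd exposure and ELMAH remote access. The sample configuration and the finding messages are constructed here; the attribute names and defaults are the documented ASP.NET and ELMAH ones.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config carrying all four misconfigurations from the list above.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <customErrors mode="Off" />
    <pages validateRequest="false" />
    <trace enabled="true" localOnly="false" />
  </system.web>
  <elmah>
    <security allowRemoteAccess="true" />
  </elmah>
</configuration>
"""

def _child(parent, tag):
    """First direct child with this tag (tags such as 'system.web' contain a dot,
    so a linear scan is used instead of an ElementPath expression)."""
    if parent is None:
        return None
    return next((c for c in parent if c.tag == tag), None)

def _attr(elem, name, default):
    """Attribute value lower-cased, falling back to the ASP.NET/ELMAH default."""
    return (elem.get(name, default) if elem is not None else default).lower()

def check_web_config(xml_text: str) -> list:
    """Return one finding string per misconfiguration present in the web.config text."""
    root = ET.fromstring(xml_text)
    web = _child(root, "system.web")
    findings = []
    # 1. Error messages: mode="Off" sends stack traces and source fragments to every client.
    if _attr(_child(web, "customErrors"), "mode", "RemoteOnly") == "off":
        findings.append("customErrors mode=Off: detailed error pages exposed to remote clients")
    # 2. Request validation disabled for the whole site rather than per page.
    if _attr(_child(web, "pages"), "validateRequest", "true") == "false":
        findings.append("pages validateRequest=false: request validation disabled site-wide")
    # 5. trace.axd: enabled is bad in production; enabled with localOnly=false is worse.
    trace = _child(web, "trace")
    if _attr(trace, "enabled", "false") == "true":
        remote = _attr(trace, "localOnly", "true") == "false"
        findings.append("trace enabled%s: disable before going live"
                        % (" with localOnly=false (trace.axd reachable remotely)" if remote else ""))
    # 4. ELMAH: allowRemoteAccess=true exposes the error log unless <authorization> restricts it.
    if _attr(_child(_child(root, "elmah"), "security"), "allowRemoteAccess", "false") == "true":
        findings.append("elmah allowRemoteAccess=true: error log reachable remotely")
    return findings
```

Run `check_web_config(SAMPLE_WEB_CONFIG)` to see all four findings; a config that omits these elements keeps the safe defaults and returns an empty list.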
