.NET配置文件的10大安全漏洞

在ASP.NET应用程序在生产环境中部署时，需要检查Web.Config文件是否存在以下10个不正确的配置，可能导致安全漏洞：

1、Disabling custom errors

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<custom mode=”Off”> <customErrors mode=”RemoteOnly”>

2、Leaving tracing enabled

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<trace enabled=”true” <trace enabled=”false”

localOnly=”false”> localOnly=”true”>

3、Enabling debugging

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<compilation debug=”true”> <compilation debug=”false”>

4、Making cookies accessible through client-side script

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<httpCookies <httpCookies

httpOnlyCookies=”false”> httpOnlyCookies=”true”>

5、Enabling cookieless session state

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<sessionState <sessionState

cookieless=”UseUri”> cookieless=”UseCookies”>

6、Enabling cookieless authentication

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<authentication mode=”Forms”> <authentication mode=”Forms”>

<forms cookieless=”UseUri”> <forms cookieless=”UseCookies”>

7、Failing to require SSL for authentication cookies

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<authentication mode=”Forms”> <authentication mode=”Forms”>

<forms requireSSL=”false”> <forms requireSSL=”true”>

8、Using sliding expiration

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<authentication mode=”Forms”> <authentication mode=”Forms”>

<forms slidingExpiration=”true”> <forms slidingExpiration=”false”>

9、Using non-unique authentication cookies

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<authentication mode=”Forms”> <authentication mode=”Forms”>

<forms name=”.ASPXAUTH”> <forms name=”{abcd1234…}”

10、Using hard-coded credentials

Vulnerable: Secure:

<configuration> <configuration>

<system.web> <system.web>

<authentication mode=”Forms”> <authentication mode=”Forms”>

<forms> <forms>

<credentials> …

…

</credentials> </forms>

</forms>

参考：《Top 10 security vulnerabilities in .NET configuration files》