
05.04.07


Application Security Vulnerabilities In Web.config Files

By Bryan Sullivan

These days, the biggest threat to an organization's network security comes from its public Web site and the Web-based applications found there.

Unlike internal-only network services such as databases, which can be sealed off from the outside by firewalls, a public Web site must be reachable by anyone who wants to view it, so its security cannot be delegated to the network perimeter. As networks have become more secure, vulnerabilities in Web applications have inevitably attracted the attention of attackers, both criminal and recreational, who have devised techniques to exploit them. Attacks on the Web application layer now exceed those conducted at the network level, and their consequences can be just as damaging.

Some enlightened software architects and developers are becoming educated about these threats and are designing their Web applications with security in mind. By "baking in" application security from the start of the development process, rather than trying to "brush it on" at the end, you are far more likely to create applications that withstand attack. However, even the most meticulous, security-aware C# or VB.NET code can still be vulnerable if you neglect to secure your application's Web.config configuration files. An incorrectly configured Web application can be just as dangerous as an incorrectly coded one, and to make matters worse, many configuration settings default to insecure values.

This article lists five of the "worst offender" misconfigurations, the ones that are problematic for every ASP.NET Web application regardless of how it authenticates users. Part two will cover five more that apply specifically to ASP.NET sites using Forms authentication. So without further ado, let's get started!


1. Custom Errors Disabled

When you disable custom errors, as in the configuration below, ASP.NET returns its detailed default error page to every client, remote or local, instead of only to requests made from the server itself. That page discloses the exception type and message, a stack trace with method and assembly names and, when debugging is also enabled, the source file path and the offending lines of code. A single malformed request is enough to harvest all of it, so the setting turns every unhandled exception into a reconnaissance aid for an attacker.

Vulnerable configuration:
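As an added example, not the article's own snippet, the block below places the vulnerable customErrors setting next to a hardened one and wraps them in a small Python check that a build or deployment step can run over web.config files before a site goes live. Both web.config documents are constructed for the example, and the redirect targets ~/Error.aspx and ~/NotFound.aspx are assumed page names, not pages any real project has.

```python
"""Audit the <customErrors> setting in an ASP.NET web.config.

Added example, not the article's own code. Both web.config documents
below are constructed for this example; the redirect targets ~/Error.aspx
and ~/NotFound.aspx are assumed page names.
"""
import xml.etree.ElementTree as ET

# Constructed sample, the vulnerable form: mode="Off" makes ASP.NET send the
# detailed default error page (exception text, stack trace, source lines when
# debugging is on) to every client, remote or local.
VULNERABLE_WEBCONFIG = """\
<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>
"""

# Constructed sample, the hardened form: remote clients are redirected to a
# generic page while a developer browsing on the server itself still sees
# detail. mode="On" hides detail from local requests too, which is the better
# choice on a production box that nobody debugs on.
HARDENED_WEBCONFIG = """\
<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
      <error statusCode="500" redirect="~/Error.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""

# ASP.NET parses the attribute as an enumeration, so compare case-sensitively.
SAFE_MODES = ("On", "RemoteOnly")


def audit_custom_errors(webconfig_xml):
    """Return a list of findings for <customErrors>; an empty list means it passes."""
    findings = []
    root = ET.fromstring(webconfig_xml)
    elem = root.find("./system.web/customErrors")
    if elem is None:
        # Omitted entirely: ASP.NET's documented default is RemoteOnly, which
        # already hides detail from remote clients, but an explicit setting
        # records the intent and survives a later careless edit.
        return ["customErrors element absent: falls back to RemoteOnly; set it explicitly"]

    mode = elem.get("mode")
    if mode == "Off":
        findings.append('customErrors mode="Off": detailed errors are sent to remote clients')
    elif mode is None:
        findings.append("customErrors has no mode attribute")
    elif mode not in SAFE_MODES:
        findings.append(f'customErrors mode="{mode}" is not "On" or "RemoteOnly"')

    if mode in SAFE_MODES and elem.get("defaultRedirect") is None:
        # Not a disclosure, but remote users will see the bare "Runtime Error" page.
        findings.append("customErrors has no defaultRedirect: remote clients see the generic runtime error page")
    return findings


if __name__ == "__main__":
    for label, doc in (("vulnerable", VULNERABLE_WEBCONFIG), ("hardened", HARDENED_WEBCONFIG)):
        print(label, audit_custom_errors(doc) or "ok")
```

The check only tells you the setting is right; the custom error page it redirects to must itself be written so that it never echoes the original exception message or request data back to the client, otherwise the leak simply moves one page over.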





About the Author:
Bryan Sullivan is a development manager at SPI Dynamics, a Web application security products company. Bryan manages the DevInspect and QAInspect Web security products, which help programmers maintain application security throughout the development and testing process. He has a bachelor’s degree in mathematics from Georgia Tech and 11 years of experience in the information technology industry. Bryan is currently coauthoring a book with noted security expert Billy Hoffman on Ajax security, which will be published in summer 2007 by Addison-Wesley.

-- WebProASP is an iEntry, Inc. publication --
iEntry, Inc., 2549 Richmond Rd., Lexington, KY 40509
Copyright 2007 iEntry, Inc. All Rights Reserved
