Monday, April 16, 2018

[Research][ASP.NET] Fortify SCA v17.20 reports a Critical Web.config (Insecure Transport: Database) issue


Line 10 of Web.config is providerName="System.Data.SqlClient" />
so it has to be read together with line 9, that is:
<add name="TestDBConnectionString" connectionString="Data Source=.;Initial Catalog=TestDB;Persist Security Info=True;User ID=testuser;Password=P@ssw0rd"
      providerName="System.Data.SqlClient" />



The text shown under Details

Abstract:

The application is configured to communicate with its database server in plaintext over unencrypted channels, making the communicated data vulnerable to interception via man-in-the-middle (MiTM) attacks.


Explanation:

The application communicates with its database server over unencrypted channels and may pose a significant security risk to the company and users of that application. In this case, an attacker can modify the user entered data or even execute arbitrary SQL commands against the database server.

Example 1: The following configuration causes the application to communicate with its database server over unencrypted channels:

<connectionStrings>
  <add name="Test" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword;" providerName="System.Data.SqlClient" />
</connectionStrings>



The text shown under Recommendations
Recommendations:

Most database servers offer encrypted alternatives on different ports that use SSL/TLS to encrypt all the data being sent over the wire. Always use these alternatives when possible.

Example 2: The following configuration causes the application to communicate with its database server over encrypted channels:


<connectionStrings>
  <add name="Test" connectionString="Data Source=210.10.20.10,1433; Initial Catalog=myDataBase;User ID=myUsername;Password=myPassword; Encrypt=yes;" providerName="System.Data.SqlClient" />
</connectionStrings>
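As an added example (not code from this post, from Fortify, or from Microsoft), the following Python script parses the connectionStrings section of a Web.config and classifies each System.Data.SqlClient connection string the way the check above reasons about it; it also flags the case where Encrypt is on but TrustServerCertificate=true disables certificate validation, which still leaves an interceptor undetected. The Web.config contents and the host name db.example.internal are constructed for the example.

```python
# Added example, not code from the blog post or from Fortify: scan a Web.config
# for System.Data.SqlClient connection strings that would trip the
# "Insecure Transport: Database" check. The Web.config below is constructed.
import xml.etree.ElementTree as ET

SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="TestDBConnectionString" providerName="System.Data.SqlClient"
         connectionString="Data Source=.;Initial Catalog=TestDB;Persist Security Info=True;User ID=testuser;Password=P@ssw0rd" />
    <add name="Encrypted" providerName="System.Data.SqlClient"
         connectionString="Data Source=db.example.internal,1433;Initial Catalog=TestDB;User ID=testuser;Password=P@ssw0rd; Encrypt=yes;" />
    <add name="TrustsAnyCert" providerName="System.Data.SqlClient"
         connectionString="Data Source=db.example.internal,1433;Initial Catalog=TestDB;Integrated Security=SSPI;Encrypt=true;TrustServerCertificate=true" />
  </connectionStrings>
</configuration>
"""

TRUE_VALUES = {"true", "yes"}  # SqlClient accepts either spelling for boolean keywords


def parse_connection_string(conn_str):
    """Split 'Key=Value;Key=Value;' into a dict keyed by lower-cased keyword."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:  # ignores the empty segment left by a trailing ';'
            key, _, value = part.partition("=")
            pairs[key.strip().lower()] = value.strip()
    return pairs


def audit_web_config(xml_text):
    """Return {connection name: verdict} for every SqlClient connection string.

    insecure       - Encrypt missing or off: traffic is plaintext (Fortify's finding)
    unverified-tls - Encrypt on, but TrustServerCertificate=true skips certificate
                     validation, so an active interceptor is still not detected
    ok             - Encrypt on and the server certificate is validated
    """
    verdicts = {}
    for add in ET.fromstring(xml_text).findall(".//connectionStrings/add"):
        if add.get("providerName") != "System.Data.SqlClient":
            continue
        kv = parse_connection_string(add.get("connectionString", ""))
        if kv.get("encrypt", "").lower() not in TRUE_VALUES:
            verdicts[add.get("name")] = "insecure"
        elif kv.get("trustservercertificate", "").lower() in TRUE_VALUES:
            verdicts[add.get("name")] = "unverified-tls"
        else:
            verdicts[add.get("name")] = "ok"
    return verdicts
```

Run audit_web_config on the text of a real Web.config to get one verdict per connection string; only "ok" entries satisfy both the encryption and the certificate-validation requirement.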

Solution

[Research] Using SSL-encrypted connections with SQL Server 2016
http://shaurong.blogspot.com/2017/09/sql-server-2016-ssl.html

(End)

Related

[Research][ASP.NET] Fortify SCA v17.20 reports a Critical Web.config (Insecure Transport: Database) issue
http://shaurong.blogspot.com/2018/04/aspnet-fortify-sca-v1720-webconfig.html

[Research][ASP.NET] Fortify SCA v17.20 still reports an issue even when AntiXssEncoder.HtmlEncoder is used
http://shaurong.blogspot.com/2018/04/aspnet-antixssencoderhtmlencoder.html

[Research][JavaScript] CKeditor 4.9.1 and Fortify SCA v17.20
http://shaurong.blogspot.com/2018/04/javascript-ckeditor-491-fortify-sca.html

[Research][ASP.NET][JavaScript] hideShowPassword and Fortify SCA white-box testing
http://shaurong.blogspot.com/2018/04/aspnetjavascript-hideshowpassword.html
