[Research][ASP.NET] After hardening against low-severity findings, the site went down
2023-11-09
Recently I was asked to also deal with, as far as possible, some [low-severity] findings from a vulnerability scan:
- Issue 1: Cookies without Secure flag set
- Issue 2: HTTP Strict Transport Security (HSTS) not implemented
- Issue 3: Possible virtual host found
- Issue 4: Clickjacking: X-Frame-Options header (UI redress attack, also called User Interface redress attack or UI redressing)
- Issue 5: Cookies with missing, inconsistent or contradictory properties (some cookie attributes conflict, are missing, or are malformed)
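To turn the scanner wording above into something you can run against a deployment, here is an added Python script (not part of the original post) that audits a raw HTTP response for Issues 1, 2, 4 and 5. The two responses embedded in it are constructed for the demo, not captured from a real site; Issue 3 (virtual host) cannot be judged from a single response and is not checked. Feed `audit()` the output of `curl -si https://host/` to check a real server.

```python
"""Audit HTTP response headers for the scanner findings listed above.

Added example, not from the original post.  BEFORE and AFTER are constructed
responses resembling the site before and after the Web.config changes.
Issue 3 (virtual host) cannot be judged from one response and is skipped.
"""
import re
from email import message_from_string

ONE_YEAR = 31536000  # the HSTS max-age used in the post's Web.config

# Constructed "before hardening" response: no HSTS, no X-Frame-Options,
# cookies without Secure/HttpOnly, and SameSite=None without Secure.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: pref=dark; path=/; SameSite=None\r\n"
    "\r\n"
    "<html>Test</html>"
)

# Constructed "after hardening" response, matching what httpCookies
# requireSSL/httpOnlyCookies plus the customHeaders should produce.
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; secure; HttpOnly\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>Test</html>"
)


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    return status, message_from_string(header_block)


def check_cookie(set_cookie):
    """Issues 1 and 5: flags and inconsistent attributes on one Set-Cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs, findings = {}, []
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key in attrs:  # e.g. two SameSite values: contradictory properties
            findings.append(f"{name}: duplicate attribute '{key}'")
        attrs[key] = value.strip()
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None requires Secure")
    return findings


def check_hsts(value):
    """Issue 2: HSTS present with a max-age of at least one year."""
    if value is None:
        return ["HSTS not implemented"]
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return ["HSTS header present but max-age missing"]
    if int(match.group(1)) < ONE_YEAR:
        return [f"HSTS max-age {match.group(1)} is below one year"]
    return []


def check_xfo(value):
    """Issue 4: X-Frame-Options must be DENY or SAMEORIGIN."""
    if value is None:
        return ["X-Frame-Options missing (clickjacking)"]
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return [f"X-Frame-Options '{value}' is not DENY or SAMEORIGIN"]
    return []


def audit(raw):
    """Return the list of findings for one raw HTTP response."""
    _, headers = parse_response(raw)
    findings = []
    for set_cookie in headers.get_all("Set-Cookie") or []:
        findings.extend(check_cookie(set_cookie))
    findings.extend(check_hsts(headers.get("Strict-Transport-Security")))
    findings.extend(check_xfo(headers.get("X-Frame-Options")))
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "clean")
```

Note that the cookie check only sees what the server sends; a cookie marked Secure is still set by the browser only when the response itself arrived over HTTPS, which is why the HTTPS redirect and the cookie flags have to be deployed together.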
********************************************************************************
Web.Config
<?xml version="1.0" encoding="utf-8"?>
<!--
  For more information on how to configure your ASP.NET application, please visit
  https://go.microsoft.com/fwlink/?LinkId=169433
-->
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.8" />
    <!-- Issues 1 and 5: mark every cookie HttpOnly and Secure -->
    <!--<httpCookies httpOnlyCookies="true" />-->
    <!--<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />-->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- Issue 2: redirect plain HTTP to HTTPS (this section is read by the IIS URL Rewrite module) -->
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <!-- Issues 2 and 4: response headers -->
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\"Web\" /optionInfer+" />
    </compilers>
  </system.codedom>
</configuration>
|
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs"
    Inherits="WebApplication4.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            Test
        </div>
    </form>
</body>
</html>
|
Default.aspx.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication4
{
    public partial class Default : System.Web.UI.Page
    {
        // Intentionally empty: the test page only renders the static "Test" markup,
        // so any failure after deployment comes from the configuration, not the code.
        protected void Page_Load(object sender, EventArgs e)
        {
        }
    }
}
|
********************************************************************************
This is an ASP.NET WebForm Web Application site. It runs normally when launched directly from Visual Studio 2019, but after deployment the site went down.
(Screenshot below) Connecting via localhost:
HTTP Error 500.19 - Internal Server Error
(To be investigated)
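The post leaves the 500.19 open, so as an added aside (not the author's own analysis): the usual first suspect when an application works under Visual Studio but answers every request with 500.19 after deployment, right after a `<rewrite>` section was added, is that the IIS URL Rewrite module is not installed on the target server. IIS Express bundles that module; full IIS does not, it is a separate download, and without it IIS cannot read the `<rewrite>` section at all. The Python lint below (an added example, not from the original post) flags that dependency together with the other settings in the post's Web.config that behave differently on a production IIS server; `WEB_CONFIG` is a trimmed copy of the file shown earlier, and the notes describe a typical IIS server, not findings taken from the author's machine.

```python
"""Pre-deployment lint for the Web.config shown earlier in the post.

Added example, not from the original post.  WEB_CONFIG is a trimmed copy
of the post's file (XML declaration, comments and <system.codedom> dropped);
pass a real file's text to lint_web_config() before deploying to IIS.
"""
import xml.etree.ElementTree as ET

WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.8" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""


def lint_web_config(xml_text):
    """Return {setting: note} for settings that behave differently on a
    production IIS server than under Visual Studio / IIS Express."""
    root = ET.fromstring(xml_text)
    notes = {}

    # <rewrite> is read by the IIS URL Rewrite module, a separate install on
    # full IIS (IIS Express bundles it).  Without the module IIS cannot parse
    # the section and every request fails with HTTP 500.19.
    if root.find("system.webServer/rewrite") is not None:
        notes["rewrite"] = ("needs the IIS URL Rewrite module on the target "
                            "server; HTTP 500.19 if it is not installed")

    comp = root.find("system.web/compilation")
    if comp is not None and comp.get("debug", "false").lower() == "true":
        notes["compilation.debug"] = ('debug="true" compiles debug code, disables '
                                      "request timeouts and shows verbose errors; "
                                      "set it to false for production")

    cookies = root.find("system.web/httpCookies")
    if cookies is not None and cookies.get("requireSSL", "false").lower() == "true":
        notes["httpCookies.requireSSL"] = ("every cookie is marked Secure, so the "
                                           "browser will not send them over plain "
                                           "http:// (e.g. http://localhost tests)")

    custom = {add.get("name"): add.get("value", "") for add in
              root.findall("system.webServer/httpProtocol/customHeaders/add")}
    if "Strict-Transport-Security" in custom:
        notes["hsts"] = ("customHeaders emits HSTS on plain-HTTP responses too; "
                         "browsers ignore it there (RFC 6797); IIS 10 1709+ can "
                         "set it per site with the native <hsts> element instead")
    if custom.get("X-Frame-Options", "").strip().upper() == "DENY":
        notes["x-frame-options"] = ("DENY also blocks same-origin frames; use "
                                    "SAMEORIGIN if any page frames itself")
    return notes


if __name__ == "__main__":
    for key, note in lint_web_config(WEB_CONFIG).items():
        print(f"{key}: {note}")
```

The cookie note is the other thing worth checking while the 500.19 is being chased: once `requireSSL="true"` is in place, a browser visiting `http://localhost` will receive the session cookie but never send it back, so a test over plain HTTP looks broken even after the server-side error is fixed.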

