2023年11月21日 星期二

[研究][ASP.NET]低等級弱點修改防護後,網站癱瘓了

[研究][ASP.NET]低等級弱點修改防護後,網站癱瘓了

2023-11-09

最近被要求一些弱點掃瞄發現的【低等級】弱點,也要盡量處理

  • 問題1:Cookies without Secure flag set(Cookies 未設定 Secure flag)
  • 問題2:HTTP Strict Transport Security (HSTS) not implemented(未使用 HSTS 強制安全傳輸技術)
  • 問題3:Possible virtual host found(可能虛擬主機存在)
  • 問題4:Clickjacking: X-Frame-Options header(點閱綁架, User Interface redress attack, UI redress attack, UI redressing)
  • 問題5:Cookies with missing, inconsistent or contradictory properties(部分Cookie屬性設定有衝突、缺少或不符合格式)

********************************************************************************

Web.Config

<?xml version="1.0" encoding="utf-8"?>
<!--
  如需如何設定 ASP.NET 應用程式的詳細資訊,請前往
  https://go.microsoft.com/fwlink/?LinkId=169433
  -->
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.8" />
    <!--<httpCookies httpOnlyCookies="true"  />-->
    <!--<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />-->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\&quot;Web\&quot; /optionInfer+" />
    </compilers>
  </system.codedom>
</configuration>

Default.aspx

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" 
Inherits="WebApplication4.Default" %>

<!DOCTYPE html>

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
        <div>
            Test
        </div>
    </form>
</body>
</html>


Default.aspx.cs

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication4
{
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

        }
    }
}


********************************************************************************

ASP.NET WebForm Web Application 網站;在 Visual Studio 2019 中直接執行正常,但 deploy 後,網站癱瘓了。

(下圖) 用 localhost 連線

HTTP 錯誤 500.19 - Internal Server Error



(下圖) 用 IP 連線 (後來測不出相同狀況)

(待研究)

沒有留言:

張貼留言