[Research][ASP.NET] After hardening against low-severity scanner findings, the website went down
2023-11-09
Recently I was asked to also deal, as far as possible, with the [Low]-severity findings from a vulnerability scan:
- Issue 1: Cookies without Secure flag set
- Issue 2: HTTP Strict Transport Security (HSTS) not implemented
- Issue 3: Possible virtual host found
- Issue 4: Clickjacking: X-Frame-Options header (also known as user interface redress attack, UI redress attack, UI redressing)
- Issue 5: Cookies with missing, inconsistent or contradictory properties
********************************************************************************
Web.Config
<?xml version="1.0" encoding="utf-8"?>
<!-- For details on how to configure your ASP.NET application, visit https://go.microsoft.com/fwlink/?LinkId=169433 -->
<configuration>
  <system.web>
    <!-- debug="true" is fine for local development but should be false before deploying to production -->
    <compilation debug="true" targetFramework="4.8" />
    <httpRuntime targetFramework="4.8" />
    <!--<httpCookies httpOnlyCookies="true" />-->
    <!--<httpCookies httpOnlyCookies="true" requireSSL="true" sameSite="Strict" />-->
    <!-- Issues 1 and 5: every cookie issued by ASP.NET gets both HttpOnly and Secure -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <!-- Redirect every plain-HTTP request to HTTPS. The <rewrite> section is only
         understood by IIS when the URL Rewrite module is installed on that server. -->
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <!-- Issue 2: HSTS with a one-year max-age (browsers only honour it over HTTPS) -->
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <!-- Issue 4: forbid framing of this site in any page -->
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
  <system.codedom>
    <compilers>
      <compiler language="c#;cs;csharp" extension=".cs" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.CSharpCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:1659;1699;1701" />
      <compiler language="vb;vbs;visualbasic;vbscript" extension=".vb" type="Microsoft.CodeDom.Providers.DotNetCompilerPlatform.VBCodeProvider, Microsoft.CodeDom.Providers.DotNetCompilerPlatform, Version=2.0.1.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" warningLevel="4" compilerOptions="/langversion:default /nowarn:41008 /define:_MYTYPE=\"Web\" /optionInfer+" />
    </compilers>
  </system.codedom>
</configuration>
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication4.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <title></title>
</head>
<body>
  <form id="form1" runat="server">
    <div>
      Test
    </div>
  </form>
</body>
</html>
Default.aspx.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace WebApplication4
{
    // Minimal page: the code-behind sets no cookies and no headers,
    // so all of the hardening lives in Web.config.
    public partial class Default : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }
    }
}
********************************************************************************
An ASP.NET WebForms Web Application site; it runs normally when started directly from Visual Studio 2019, but after deployment the site went down.
(Figure below: connecting via localhost)
HTTP Error 500.19 - Internal Server Error
(To be researched)
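As an added example (not code from the original post), the Python script below statically audits a Web.config against the scanner findings listed at the top of the post and also flags the deployment prerequisite that commonly produces exactly this symptom: a `<rewrite>` section under `system.webServer` is only recognised by IIS when the URL Rewrite module is installed. IIS Express, which Visual Studio uses to run the site locally, bundles that module; a plain IIS server does not, so a config like this one works on the developer machine and fails with HTTP 500.19 after deployment until URL Rewrite is installed on the server (or the HTTPS redirect is done some other way). The `HARDENED` constant is the post's Web.config trimmed to the security-relevant sections, `BASELINE` is a constructed pre-hardening config, and the function names (`audit_web_config`, `custom_header`, `hsts_max_age`, `_child`) are this example's own.

```python
"""Static audit of an ASP.NET Web.config for the scanner findings discussed above.

Added example, not code from the original post.  HARDENED is the post's Web.config
trimmed to the security-relevant sections; BASELINE is a constructed pre-hardening
config; all function names are this example's own.
"""
import xml.etree.ElementTree as ET

ONE_YEAR = 31536000  # seconds; the max-age used in the post's HSTS header

# The post's hardened Web.config, trimmed to the parts the audit looks at.
HARDENED = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Force HTTPS" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
    <httpProtocol>
      <customHeaders>
        <add name="Strict-Transport-Security" value="max-age=31536000" />
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""

# Constructed: a Web.config with none of the hardening applied, as the scanner first saw it.
BASELINE = """<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.8" />
  </system.web>
  <system.webServer />
</configuration>"""


def _child(elem, *tags):
    """Walk down a chain of child tags; None if any link is missing.

    Done by hand rather than with find() paths because IIS section names such as
    'system.web' contain dots.
    """
    for tag in tags:
        elem = next((c for c in elem if c.tag == tag), None)
        if elem is None:
            return None
    return elem


def custom_header(root, name):
    """Value of a <customHeaders><add name=... value=...> entry, or None if absent."""
    headers = _child(root, "system.webServer", "httpProtocol", "customHeaders")
    if headers is None:
        return None
    for add in headers:
        if add.tag == "add" and add.get("name", "").lower() == name.lower():
            return add.get("value", "")
    return None


def hsts_max_age(value):
    """Parse max-age from a Strict-Transport-Security value; None if absent or malformed."""
    if value is None:
        return None
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit_web_config(xml_text):
    """Map each check to True (passes) or False (still open), plus one deployment flag."""
    root = ET.fromstring(xml_text)
    cookies = _child(root, "system.web", "httpCookies")
    compilation = _child(root, "system.web", "compilation")
    hsts = custom_header(root, "Strict-Transport-Security")
    xfo = custom_header(root, "X-Frame-Options")

    def flag(elem, attr):
        return elem is not None and elem.get(attr, "false").lower() == "true"

    return {
        # Issues 1 and 5: every ASP.NET-issued cookie gets Secure and HttpOnly.
        "cookie_secure": flag(cookies, "requireSSL"),
        "cookie_httponly": flag(cookies, "httpOnlyCookies"),
        # Issue 2: HSTS present with a max-age of at least a year.
        "hsts": (hsts_max_age(hsts) or 0) >= ONE_YEAR,
        # Issue 4: framing denied outright or limited to the same origin.
        "x_frame_options": (xfo or "").strip().upper() in ("DENY", "SAMEORIGIN"),
        # Not a scanner finding, but compilation debug="true" must not reach production.
        "debug_disabled": not flag(compilation, "debug"),
        # A <rewrite> section is only understood by IIS when the URL Rewrite module is
        # installed.  IIS Express (used by Visual Studio) bundles it; plain IIS does not,
        # and deploying this config there yields HTTP 500.19 until the module is added.
        "needs_url_rewrite_module": _child(root, "system.webServer", "rewrite") is not None,
    }


if __name__ == "__main__":
    for label, cfg in (("baseline", BASELINE), ("hardened", HARDENED)):
        result = audit_web_config(cfg)
        open_items = [k for k, v in result.items() if k != "needs_url_rewrite_module" and not v]
        print(f"{label}: open={open_items or 'none'}, "
              f"URL Rewrite module required={result['needs_url_rewrite_module']}")
```

Run against the post's config, the audit reports Issues 1, 2, 4 and 5 as closed, `debug_disabled` as still open, and `needs_url_rewrite_module` as True, which is the check to make on the target IIS before deploying. Issue 3 (possible virtual host) concerns the server's site bindings rather than anything in Web.config, so this config does not address it and the audit does not cover it.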