Versions Compared

Comment: Migrated to Confluence 4.0

...

<system.web>

<customErrors mode="Off">

Secure configuration:

<configuration>

<system.web>

<customErrors mode="RemoteOnly">

 

Web.config vulnerabilities: Leaving Tracing Enabled in Web-Based Applications

...

<system.web>

<trace enabled="true" localOnly="false">

Secure configuration:

<configuration>

<system.web>

<trace enabled="false" localOnly="true">

Web.config Vulnerabilities: Enabled Debugging

...

<system.web>

<compilation debug="true">

Secure configuration:

<configuration>

<system.web>

<compilation debug="false">

Web.config Vulnerabilities: Cookies Accessible through Client-Side Script

...

<httpCookies httpOnlyCookies="false">

Secure configuration:

<configuration>

...

<httpCookies httpOnlyCookies="true">

Web.config Vulnerabilities: Enabled Cookieless Session State

...

<sessionState cookieless="UseUri">

Secure configuration:

<configuration>

...

<sessionState cookieless="UseCookies">

Web.config Vulnerabilities: Enabled Cookieless Authentication

...

<system.web>

<authentication mode="Forms">

<forms cookieless="UseUri">

Secure configuration:

<configuration>

<system.web>

<authentication mode="Forms">

<forms cookieless="UseCookies">

Web.config Vulnerabilities: Failure to Require SSL for Authentication Cookies

...

<system.web>

<authentication mode="Forms">

<forms requireSSL="false">

Secure configuration:

<configuration>

<system.web>

<authentication mode="Forms">

<forms requireSSL="true">

Web.config Vulnerabilities: Sliding Expiration

...

<system.web>

<authentication mode="Forms">

<forms slidingExpiration="true">

Secure configuration:

<configuration>

<system.web>

<authentication mode="Forms">

<forms slidingExpiration="false">

Web.config Vulnerabilities: Non-Unique Authentication Cookie

When multiple web-based applications are hosted together, a unique cookie name must be defined for each of them to avoid duplication. Globally Unique Identifiers (GUIDs) can be used.

".ASPXAUTH" is the default value for the authentication cookie.

...

<system.web>

<authentication mode="Forms">

<forms name=".ASPXAUTH">

Secure configuration:

<configuration>

<system.web>

<authentication mode="Forms">

<forms name="abdd9234mdssdo4......">

Web.config Vulnerabilities: Hardcoded Credential

...

<system.web>

<authentication mode="Forms">

<forms>

<credentials>

...

</credentials>

</forms>

Secure configuration:

...

<system.web>

<authentication mode="Forms">

<forms>

</forms>
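The settings listed above can be checked mechanically. The following Python script is an added example (not from the original page): it parses a Web.config with the standard library and reports which of the weak settings above are present. The sample config is constructed, and the value assumed when an attribute is absent is ASP.NET's default for that attribute.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not a real deployment) holding every weak setting listed above.
WEAK_WEB_CONFIG = """<configuration><system.web>
  <customErrors mode="Off" />
  <trace enabled="true" localOnly="false" />
  <compilation debug="true" />
  <httpCookies httpOnlyCookies="false" />
  <sessionState cookieless="UseUri" />
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" cookieless="UseUri" requireSSL="false" slidingExpiration="true">
      <credentials passwordFormat="Clear"><user name="admin" password="example" /></credentials>
    </forms>
  </authentication>
</system.web></configuration>"""

def _attr(root, path, name, default):
    """Lower-cased attribute `name` of the first element at `path`; `default` (assumed ASP.NET default) if absent."""
    el = root.find(path)
    return (el.get(name, default) if el is not None else default).strip().lower()

def audit_web_config(xml_text):
    """Return the names of the weak settings from the list above that `xml_text` contains."""
    root = ET.fromstring(xml_text)
    sw = "system.web/"
    findings = []
    if _attr(root, sw + "customErrors", "mode", "RemoteOnly") == "off":
        findings.append("customErrors-off")            # detailed errors shown to remote clients
    if (_attr(root, sw + "trace", "enabled", "false") == "true"
            and _attr(root, sw + "trace", "localOnly", "true") != "true"):
        findings.append("remote-trace-enabled")        # trace output reachable from remote hosts
    if _attr(root, sw + "compilation", "debug", "false") == "true":
        findings.append("debug-enabled")
    if _attr(root, sw + "httpCookies", "httpOnlyCookies", "false") != "true":
        findings.append("cookies-not-httponly")
    if _attr(root, sw + "sessionState", "cookieless", "UseCookies") != "usecookies":
        findings.append("cookieless-session")          # UseUri/AutoDetect/UseDeviceProfile can put the token in the URL
    if _attr(root, sw + "authentication", "mode", "Windows") == "forms":
        forms = sw + "authentication/forms"
        if _attr(root, forms, "cookieless", "UseDeviceProfile") != "usecookies":
            findings.append("cookieless-forms-auth")
        if _attr(root, forms, "requireSSL", "false") != "true":
            findings.append("auth-cookie-no-ssl")
        if _attr(root, forms, "slidingExpiration", "true") == "true":
            findings.append("sliding-expiration")
        if _attr(root, forms, "name", ".ASPXAUTH") == ".aspxauth":
            findings.append("default-auth-cookie-name")
        if root.find(forms + "/credentials") is not None:
            findings.append("hardcoded-credentials")
    return findings
```

Running `audit_web_config(WEAK_WEB_CONFIG)` reports all ten findings; the secure configurations above produce an empty list.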

 

Securing Session and View State

...

This causes ASP.NET to generate a Message Authentication Code (MAC) on the page's view state when the page is posted back from the client. Configure the validation attribute in the machine.config file to specify the type of encryption to use for data validation. Use 3DES for encryption.

<machineKey validationKey="autogenerate | value"
decryptionKey="autogenerate | value"
validation="SHA1|MD5|3DES">