Bảo mật ứng dụng Web Based (edit)

https://blogs.technet.microsoft.com/uktechnet/2016/10/07/owasp-top-10-or-fixing-web-security-one-item-at-a-time/

https://rehansaeed.com/securing-the-aspnet-mvc-web-config/

https://headmelted.com/securing-asp-net-cookies-a1e1b1648ed

https://www.codeproject.com/Articles/1116318/Points-to-Secure-Your-ASP-NET-MVC-Applications

Hardware: CPU 3.0 GHz, RAM 4GB, HDD 50GB

Software: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3282.0

Common Vulnerabilities in software

The following list of links takes you to documentation detailing techniques to avoid the most common security vulnerabilities in web apps:

• Cross-site scripting attacks
• SQL injection attacks
• Cross-Site Request Forgery (CSRF)
• Open redirect attacks

Consideration while building your ASP.NET MVC Web Application:

• Authentication
• Authorization
• Anti XSS (Cross Site Scripting)
• CSRF (Cross Site Request Forgery)
• Cookie Stealing
• Over Posting
• Preventing Open Redirection Attacks
• Blocking Brute Force Attacks
• File Upload Protection
• Prevent SQL Injection in ADO.NET and Entity Framework 6.0
• Using a Dedicated Error Logging API
• General Security Recommendations

Acunetix Web Vulnerability Scanner

Một số lỗ hổng phổ biến mà Acunetix có thể phát hiện:

• Code Execution
• Directory Traversal
• File Inclusion
• Script Source Code Disclosure
• CRLF Injection
• Cross Frame Scripting (XFS)
• PHP Code Injection
• XPath Injection
• Full Path Disclosure
• LDAP Injection
• Cookie Manipulation
• Multi Request Parameter Manipulation
• Blind SQL/XPath Injection
• Cross Site Scripting in URL
• Checks Script Errors
• Cross Site Scripting in Path and PHP SESSID Session Fixation.
• Directory Listings
• Source Code Disclosure
• Microsoft Office Possible Sensitive Information
• Local Path Disclosure
• Error Messages

Scanning profile:

• List of file extensions (danh sách các tập tin mở rộng)

Knowledge Base:

• HTTP Header
• HTML response
• Weak Password
• DOM-based XSS

Phân tích đánh giá:

• High (cao)
• Medium (trung bình)
• Low (thấp)
• Information (rất thấp)

Need to extract and audit the following elements and their inputs:

• Forms
  • Along with ones that require interaction via a real browser due to DOM events.
• User-interface Forms
  • Input and button groups which don't belong to an HTML <form> element but are instead associated via JS code.
• User-interface Inputs
  • Orphan <input> elements with associated DOM events.
• Links
  • Along with ones that have client-side parameters in their fragment
  • With support for rewrite rules.
• LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates -- useful when rewrite rules are not available.
  • Along with ones that have client-side parameters in their URL fragments
• Cookies
• Headers
• Generic client-side elements which have associated DOM events.
• AJAX-request parameters.
• JSON request data.
• XML request data.