Bảo mật ứng dụng Web Based (edit)
Hardware: CPU 3.0 GHz, RAM 4GB, HDD 50GB
Software: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3282.0
The following list of links takes you to documentation detailing techniques to avoid the most common security vulnerabilities in web apps:
- Cross-site scripting attacks
- SQL injection attacks
- Cross-Site Request Forgery (CSRF)
- Open redirect attacks
Consideration while building your ASP.NET MVC Web Application:
- Anti XSS (Cross Site Scripting)
- CSRF (Cross Site Request Forgery)
- Cookie Stealing
- Over Posting
- Preventing Open Redirection Attacks
- Blocking Brute Force Attacks
- File Upload Protection
- Prevent SQL Injection in ADO.NET and Entity Framework 6.0
- Using a Dedicated Error Logging API
- General Security Recommendations
Acunetix Web Vulnerability Scanner
Một số lỗ hổng phổ biến mà Acunetix có thể phát hiện:
- Code Execution
- Directory Traversal
- File Inclusion
- Script Source Code Disclosure
- CRLF Injection
- Cross Frame Scripting (XFS)
- PHP Code Injection
- XPath Injection
- Full Path Disclosure
- LDAP Injection
- Cookie Manipulation
- Multi Request Parameter Manipulation
- Blind SQL/XPath Injection
- Cross Site Scripting in URL
- Checks Script Errors
- Cross Site Scripting in Path and PHP SESSID Session Fixation.
- Directory Listings
- Source Code Disclosure
- Microsoft Office Possible Sensitive Information
- Local Path Disclosure
- Error Messages
- List of file extensions (danh sách các tập tin mở rộng)
- HTTP Header
- HTML response
- Weak Password
- DOM-based XSS
Phân tích đánh giá:
- High (cao)
- Medium (trung bình)
- Low (thấp)
- Information (rất thấp)
Need to extract and audit the following elements and their inputs:
- Along with ones that require interaction via a real browser due to DOM events.
- User-interface Forms
- Input and button groups which don't belong to an HTML <form> element but are instead associated via JS code.
- User-interface Inputs
- Orphan <input> elements with associated DOM events.
- Along with ones that have client-side parameters in their fragment
- With support for rewrite rules.
- LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates -- useful when rewrite rules are not available.
- Along with ones that have client-side parameters in their URL fragments
- Generic client-side elements which have associated DOM events.
- AJAX-request parameters.
- JSON request data.
- XML request data.