@manhnguyenv

Web-Based Application Security

June 11, 2019 21:47

https://blogs.technet.microsoft.com/uktechnet/2016/10/07/owasp-top-10-or-fixing-web-security-one-item-at-a-time/

https://rehansaeed.com/securing-the-aspnet-mvc-web-config/

https://headmelted.com/securing-asp-net-cookies-a1e1b1648ed

https://www.codeproject.com/Articles/1116318/Points-to-Secure-Your-ASP-NET-MVC-Applications

Hardware: CPU 3.0 GHz, RAM 4GB, HDD 50GB

Software: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.7.3282.0

Common Vulnerabilities in software

The following list of links takes you to documentation detailing techniques to avoid the most common security vulnerabilities in web apps:

Considerations when building your ASP.NET MVC web application:

  • Authentication
  • Authorization
  • Anti XSS (Cross Site Scripting)
  • CSRF (Cross Site Request Forgery)
  • Cookie Stealing
  • Over Posting
  • Preventing Open Redirection Attacks
  • Blocking Brute Force Attacks
  • File Upload Protection
  • Prevent SQL Injection in ADO.NET and Entity Framework 6.0
  • Using a Dedicated Error Logging API
  • General Security Recommendations

Acunetix Web Vulnerability Scanner

Some common vulnerabilities that Acunetix can detect:

  • Code Execution
  • Directory Traversal
  • File Inclusion
  • Script Source Code Disclosure
  • CRLF Injection
  • Cross Frame Scripting (XFS)
  • PHP Code Injection
  • XPath Injection
  • Full Path Disclosure
  • LDAP Injection
  • Cookie Manipulation
  • Multi Request Parameter Manipulation
  • Blind SQL/XPath Injection
  • Cross Site Scripting in URL
  • Checks Script Errors
  • Cross Site Scripting in Path and PHP SESSID Session Fixation.
  • Directory Listings
  • Source Code Disclosure
  • Microsoft Office Possible Sensitive Information
  • Local Path Disclosure
  • Error Messages

Scanning profile:

  • List of file extensions

Knowledge Base:

  • HTTP Header
  • HTML response
  • Weak Password
  • DOM-based XSS

Analysis and evaluation:

  • High
  • Medium
  • Low
  • Information (very low)

Need to extract and audit the following elements and their inputs:

  • Forms
    • Along with ones that require interaction via a real browser due to DOM events.
  • User-interface Forms
    • Input and button groups which don't belong to an HTML <form> element but are instead associated via JS code.
  • User-interface Inputs
    • Orphan <input> elements with associated DOM events.
  • Links
    • Along with ones that have client-side parameters in their fragment
    • With support for rewrite rules.
  • LinkTemplates -- Allowing for extraction of arbitrary inputs from generic paths, based on user-supplied templates -- useful when rewrite rules are not available.
    • Along with ones that have client-side parameters in their URL fragments
  • Cookies
  • Headers
  • Generic client-side elements which have associated DOM events.
  • AJAX-request parameters.
  • JSON request data.
  • XML request data.
