ASP.NET MVC 5 Azure App ZAP Scan indicates Proxy Disclosure vulnerability - how can we prevent that?


Problem description

The ZAP scan report indicates that 2 proxy servers were detected or fingerprinted. It says it sent both GET and POST requests to our URL, along with TRACE, OPTIONS with a Max-Forwards header, and TRACK method probes. We had already removed unnecessary headers such as Server and X-Powered-By, as well as the ASP.NET version header, from the responses via web.config changes or code changes, but we are still seeing this. Furthermore, the URL mentioned only allows GET or POST, not the TRACE, OPTIONS, or TRACK methods. We even have the following in our web.config to block those verbs:

  <configuration>
    <system.webServer>
      <security>
        <!-- removeServerHeader requires IIS 10.0 or later -->
        <requestFiltering removeServerHeader="true">
          <!-- allowUnlisted="true": every verb is allowed except the ones listed;
               IIS answers a denied verb with a 404 (substatus 404.6) -->
          <verbs allowUnlisted="true">
            <add verb="OPTIONS" allowed="false" />
            <add verb="TRACK" allowed="false" />
            <add verb="TRACE" allowed="false" />
          </verbs>
        </requestFiltering>
      </security>
      <!-- Static error pages instead of the IIS defaults, which identify the server -->
      <httpErrors errorMode="Custom">
        <remove statusCode="404" />
        <error statusCode="404" path="NotFound.html" responseMode="File" />
        <remove statusCode="500" />
        <error statusCode="500" path="Error.html" responseMode="File" />
      </httpErrors>
      <httpProtocol>
        <customHeaders>
          <!-- X-Powered-By is added by IIS; the X-AspNet-Version header is turned off
               separately with <httpRuntime enableVersionHeader="false" /> under system.web -->
          <remove name="X-Powered-By" />
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </configuration>

So how can we get past this issue, or is there anything else we could do to prevent it? Thanks

Recommended answer

I think you can't solve this problem. I have studied this part, and I also raised a ticket in the portal.

This response is not coming from the server; it is handled by the Azure front end, and the specific header can't be removed there.

You don't need to spend time solving this problem; you can also raise a support issue with Microsoft Azure.
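The answer's claim that the probe responses come from a hop in front of the app is something a practitioner can check before opening a support ticket. The web.config verb filter above only acts on requests that actually reach IIS, so if TRACE, OPTIONS with Max-Forwards or TRACK are answered by an intermediary, the app's configuration cannot change what ZAP sees. The script below is an added example, not code from the question, the answer, or ZAP: it sends the three probe methods the question names, compares each response with a plain GET baseline, and reports the indicators (a Via header, a 200 to TRACE/TRACK, an echoed request, an Allow list advertising TRACE/TRACK, or a Server banner that differs from the baseline) that point at a proxy rather than the application. The function names, the `FINGERPRINT_HEADERS` list and the constructed sample response are my own choices, and the exact request details ZAP uses beyond the three methods are not reproduced.

```python
"""Reproduce the TRACE / OPTIONS+Max-Forwards / TRACK probes from the question and
flag what in the answers points at an intermediary rather than the application.

Added example; not code from the question, the answer or ZAP. Function names,
the header list and the sample response are constructed for illustration."""
import http.client
import sys
from urllib.parse import urlparse

# Response headers whose value typically changes when a different hop answers.
FINGERPRINT_HEADERS = ("server", "via", "x-powered-by", "x-aspnet-version", "allow")


def build_probes():
    """The probe set described in the question as (method, extra headers).

    Max-Forwards: 0 asks the first hop that honours it to answer instead of
    forwarding the request, which is how a proxy in front of the app shows up."""
    return [
        ("TRACE", {}),
        ("OPTIONS", {"Max-Forwards": "0"}),
        ("TRACK", {}),
    ]


def classify_response(method, status, headers, body=b""):
    """Return human-readable findings for one probe response (empty list = nothing seen)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "via" in h:
        findings.append(f"Via header names an intermediary: {h['via']}")
    if method in ("TRACE", "TRACK") and status == 200:
        findings.append(f"{method} accepted with 200 instead of being denied")
    if "message/http" in h.get("content-type", "").lower() or body.startswith(method.encode()):
        findings.append("response body echoes the request (TRACE/TRACK reflection)")
    if method == "OPTIONS" and "allow" in h:
        risky = {v.strip().upper() for v in h["allow"].split(",")} & {"TRACE", "TRACK"}
        if risky:
            findings.append(f"Allow header advertises {sorted(risky)}")
    return findings


def diff_fingerprint(baseline_headers, probe_headers):
    """Fingerprint headers whose value differs between a normal GET and a probe.

    A difference means another hop answered the probe; this survives even after
    the app's own Server / X-Powered-By headers have been stripped in web.config."""
    base = {k.lower(): v for k, v in baseline_headers.items()}
    probe = {k.lower(): v for k, v in probe_headers.items()}
    return {
        name: (base.get(name), probe.get(name))
        for name in FINGERPRINT_HEADERS
        if base.get(name) != probe.get(name)
    }


def send_probe(url, method, extra_headers, timeout=10):
    """Send one request with an arbitrary method; return (status, headers, body)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request(method, u.path or "/", headers=extra_headers)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read()
    finally:
        conn.close()


def scan(url):
    """GET baseline plus the three probes; return {method: [findings]}."""
    _, base_headers, _ = send_probe(url, "GET", {})
    report = {}
    for method, extra in build_probes():
        status, headers, body = send_probe(url, method, extra)
        findings = classify_response(method, status, headers, body)
        for name, (b, p) in diff_fingerprint(base_headers, headers).items():
            findings.append(f"{name} differs from GET baseline: {b!r} -> {p!r}")
        report[method] = findings
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for method, findings in scan(sys.argv[1]).items():
            print(method, findings or ["nothing notable"])
    else:
        # Offline demo on a constructed response: an edge that answers TRACE itself.
        print(classify_response(
            "TRACE", 200,
            {"Content-Type": "message/http", "Via": "1.1 constructed-edge"},
            b"TRACE / HTTP/1.1\r\nHost: example.invalid\r\n",
        ))
```

Run it as `python probe.py <your-app-url>` against a site you are authorised to test. If the probes come back with a Server or Via value the GET baseline never shows, or TRACE returns 200 with the request echoed, the hop answering is in front of IIS and, as the answer says, web.config cannot change it; if instead the probes return the custom 404 page with the same headers as the GET, the verb filter is doing its job and the finding is about the request that was allowed through.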
