什么是非标准 HTTP 动词“DEBUG"?用于 ASP.NET/IIS? [英] What is the non-standard HTTP verb "DEBUG" used for in ASP.NET/IIS?
问题描述
我正在阅读一家网络应用安全"公司的报告,该公司一直在扫描我工作的公司的几个网站.从报告中可以看出——该报告似乎没有任何人工参与——多次尝试使用这样的请求来破坏我们的网站:
I am reading a report from a "web application security" company, whom have been scanning a few websites of the company I am working for. It appears from the report - which seems written without any human involvement - that several attempts where made to break our sites using requests like this:
DEBUG /some_path/some_unexisting_file.aspx
Accept: */*
More-Headers: ...
我们服务器的结果让我吃惊:
The result from our server surprises me:
HTTP/1.1 200 OK
Headers: ...
因为 DEBUG 似乎没有在 HTTP 1.1 规范 我预计结果是 400 Bad Request 或 405 Method Not Allowed.
As DEBUG does not seem to be mentioned anywhere in the HTTP 1.1 specification I would have expected the result to be 400 Bad Request or 405 Method Not Allowed.
从 之前关于 SO 的问题 中,我了解到DEBUG 动词用于 ASP.NET 应用程序的某种远程调试,但该问题或其答案中提供的详细信息不多.
From earlier question on SO, I have learned that the DEBUG verb is used in some sort of remote debugging of ASP.NET applications, but not many details are available in that question or its answers.
DEBUG 动词究竟是做什么用的?为什么应用程序在使用此动词时对无效 URL 回答 200 OK?这是安全问题吗?ASP.NET 开发人员/系统管理员应该注意 DEBUG 动词周围是否存在任何潜在的安全问题?
Exactly what is the DEBUG verb used for? Why does the application answer 200 OK for invalid URLs when using this verb? Is this a security problem? Are there any potential security problems surrounding the DEBUG verb, that ASP.NET developers/system administrators should be aware of?
任何见解/建议/参考将不胜感激.
Any insights/advice/references will be appreciated.
推荐答案
http://support.microsoft.com/kb/937523
当客户端尝试在 ASP.NET 2.0 应用程序中自动附加调试器时,客户端会发送一个包含 DEBUG 动词的 HTTP 请求.此 HTTP 请求用于验证应用程序的进程是否正在运行并选择要附加的正确进程.
When the client tries to automatically attach the debugger in an ASP.NET 2.0 application, the client sends a HTTP request that contains the DEBUG verb. This HTTP request is used to verify that the process of the application is running and to select the correct process to attach.
它使用 Windows 身份验证和 DCOM 来实际进行调试 - 所以我不知道 DEBUG 动词本身是一个很大的安全风险(显然,如果你允许 RPC 流量,那么你已经变得更大了问题)或任何漏洞.不过,默认情况下,UrlScan 确实会阻止它.
It uses Windows authentication, and DCOM to actually do the debugging though - so I'm not aware of the DEBUG verb itself being a large security risk (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.
我可能会在其上放置一个网络嗅探器来检查泄漏的信息.
I'd probably put a network sniffer on it to check what information leaks though.
这篇关于什么是非标准 HTTP 动词“DEBUG"?用于 ASP.NET/IIS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
