什么是非标准HTTP动词“DEBUG”用于ASP.NET / IIS? [英] What is the non-standard HTTP verb "DEBUG" used for in ASP.NET/IIS?
问题描述
我正在读一个网络应用安全公司的报告,他们正在扫描我正在工作的公司的几个网站。从报告看来,似乎没有任何人为的介入,几次尝试使用这样的请求来破坏我们的网站:
I am reading a report from a "web application security" company, whom have been scanning a few websites of the company I am working for. It appears from the report - which seems written without any human involvement - that several attempts where made to break our sites using requests like this:
DEBUG /some_path/some_unexisting_file.aspx
Accept: */*
More-Headers: ...
我们服务器的结果让我感到惊讶:
The result from our server surprises me:
HTTP/1.1 200 OK
Headers: ...
As DEBUG 不似乎在 HTTP 1.1规范中的任何地方都被提及,我期望结果 400错误请求或 405不允许的方法。
As DEBUG does not seem to be mentioned anywhere in the HTTP 1.1 specification I would have expected the result to be 400 Bad Request or 405 Method Not Allowed.
从 SO的早期问题,我了解到 DEBUG 动词用于ASP.NET应用程序的某种远程调试,但不是很多细节可用于该问题或其答案。
From earlier question on SO, I have learned that the DEBUG verb is used in some sort of remote debugging of ASP.NET applications, but not many details are available in that question or its answers.
究竟什么是 DEBUG 动词?为什么在使用此动词时,应用程序应答回答 200 OK 为无效URL?这是一个安全问题吗? ASP.NET开发人员/系统管理员应该注意 DEBUG 动词之间是否存在潜在的安全问题?
Exactly what is the DEBUG verb used for? Why does the application answer 200 OK for invalid URLs when using this verb? Is this a security problem? Are there any potential security problems surrounding the DEBUG verb, that ASP.NET developers/system administrators should be aware of?
任何见解/建议/参考将不胜感激。
Any insights/advice/references will be appreciated.
推荐答案
http://support.microsoft.com/kb/937523
当客户端尝试自动将调试器附加到ASP.NET 2.0应用程序中时,客户端发送包含DEBUG动词的HTTP请求。此HTTP请求用于验证应用程序的进程是否正在运行,并选择要附加的正确进程。
When the client tries to automatically attach the debugger in an ASP.NET 2.0 application, the client sends a HTTP request that contains the DEBUG verb. This HTTP request is used to verify that the process of the application is running and to select the correct process to attach.
它使用Windows认证和DCOM实际上进行调试 - 所以我不知道DEBUG动作本身是一个很大的安全风险(显然,如果你允许RPC流量,那么你有更大的问题)或任何漏洞。 UrlScan会在默认情况下阻止它。
It uses Windows authentication, and DCOM to actually do the debugging though - so I'm not aware of the DEBUG verb itself being a large security risk (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.
我可能会在其上放置一个网络嗅探器来检查哪些信息泄漏。
I'd probably put a network sniffer on it to check what information leaks though.
这篇关于什么是非标准HTTP动词“DEBUG”用于ASP.NET / IIS?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
