Preparing an ASP.Net website for penetration testing


Problem description


Over the years I have had a few of the websites I have developed submitted for penetration testing by clients. Most of the time, the issues that are highlighted when the results return relate to the default behaviour of ASP .Net, such as possible cross-site scripting attacks etc.


Are there any good articles on which vulnerabilities exist by default in an ASP .Net application, and secondly, are there any good checklists to follow which will help prepare a site in advance?

Recommended answer


I think that the checklist changes over time, and its theory comes together with experience. I check my logs and always see new ways that they try to penetrate my site.


A good page that has many articles on penetration: http://www.cgisecurity.com/pentest.html


Some of the ways they try to penetrate my sites:

  • SQL injections, so I check and block users that call my sites with the "select" command on the URL line. I also check for other SQL commands.
  • Forgotten JavaScript file browser. I see that lately they search for links like: wwwmysite.com/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=


To find them I monitor the "Page not found" event. Of course, if the page is found then they penetrate... however, it is more likely to see the failed tries and see what they are looking for.

These days I also see a lot of oracle attacks. I found them and block the full IP of the attacker using this code: CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed (http://stackoverflow.com/questions/1821243/cryptographicexception-padding-is-invalid-and-cannot-be-removed-and-validation-o/2551810#2551810)

I also follow the answers from this question: Can some hacker steal the cookie from a user and login with that name on a web site? (http://stackoverflow.com/questions/2498599/can-some-hacker-steal-the-cookie-from-a-user-and-login-with-that-name-on-a-web-si)
Main points: always use SSL encryption on login cookies (requireSSL=true), and do not place roles in cookies (cacheRolesInCookies=false).

I also block blacklisted IPs from inside the system/program/IIS, but before that I used PeerGuardian for some time. There you can also find a lot of bad IP lists that you can block in advance. My only note on these bad IPs is that I do not block them forever, but only for some days. Blocking bad IPs also helps me with the hundreds of spam emails. http://phoenixlabs.org/pg2/


I think that there are many ways that people can think of and try to penetrate your site. The point is how you can predict them and log them before they happen, and always make a better mechanism to avoid them. As I say, I monitor the page not found and the internal errors that pages throw. These two things show me a lot of penetration tries.


If you have given access to uploading files, images and other stuff, make sure that they cannot be run in the upload directory. This can be done either by double-checking the extension of the file and by disabling the running of programs and scripts in that directory from the server itself, but also by placing a web.config in the upload directory with:

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

Read a case:
I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them! (http://stackoverflow.com/questions/4288362/ive-been-hacked-evil-aspx-file-uploaded-called-aspxspy-theyre-still-trying)
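As an added example (not the answerer's own code), the log-side detection the answer describes, written in Python over constructed IIS W3C-format log lines: it flags SQL keywords in the decoded query string and a burst of "Page not found" responses from one address, and records a block that expires after a few days rather than lasting forever. The threshold, the block length and the sample lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status), not real traffic.
SAMPLE_LOG = """\
2010-11-01 10:00:01 203.0.113.5 GET /Default.aspx - 200
2010-11-01 10:00:02 203.0.113.5 GET /plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php type=file&folder= 404
2010-11-01 10:00:03 203.0.113.5 GET /admin.php - 404
2010-11-01 10:00:04 203.0.113.5 GET /old/login.aspx - 404
2010-11-01 10:00:05 198.51.100.7 GET /news.aspx id=1+union+select+1 200
2010-11-01 10:00:06 192.0.2.9 GET /about.aspx - 200
"""
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) \S+ (\S+) (\S+) (\d{3})$")
SQL_KEYWORDS = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.IGNORECASE)
NOT_FOUND_THRESHOLD = 3  # assumption: this many 404s from one IP is treated as a scan, not a typo
BLOCK_DAYS = 3           # assumption: the answer blocks bad IPs "only for some days", not forever

def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when, ip, stem, query, status = m.groups()
    return {"ts": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), "ip": ip, "stem": stem,
            "query": "" if query == "-" else unquote_plus(query), "status": int(status)}

def classify(rec):
    """Why a request looks like a probe (the two signals the answer watches), or None."""
    if SQL_KEYWORDS.search(rec["query"]):       # decoded query, so %20select%20 is caught too
        return "sql keyword in query string"
    return "page not found" if rec["status"] == 404 else None

def analyse(log_text, threshold=NOT_FOUND_THRESHOLD):
    """Walk the log once; return {ip: (reason, block_expiry)} for IPs that should be blocked."""
    not_found, blocks = defaultdict(int), {}
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        reason = classify(rec)
        if reason == "page not found":
            not_found[rec["ip"]] += 1
            if not_found[rec["ip"]] < threshold:  # a few 404s are normal; a burst is a scan
                continue
        if reason and rec["ip"] not in blocks:
            blocks[rec["ip"]] = (reason, rec["ts"] + timedelta(days=BLOCK_DAYS))
    return blocks

def is_blocked(blocks, ip, now):
    """Temporary block: an entry only counts until its expiry has passed."""
    entry = blocks.get(ip)
    return entry is not None and now < entry[1]
```

Run `analyse(SAMPLE_LOG)` to see the two addresses that get a temporary block and why; the normal visitor 192.0.2.9 is never listed.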
