什么是非标准的HTTP动词QUOT; DEBUG"在ASP.NET/IIS用来做什么? [英] What is the non-standard HTTP verb "DEBUG" used for in ASP.NET/IIS?
问题描述
我读从一个Web应用安全的公司,其中已经扫描我的工作,为公司的几个网站的报告。这似乎从报告 - 这似乎没有任何人为参与编写的 - 这几次试图在这里提出使用要求这样打破我们的网站:
I am reading a report from a "web application security" company, whom have been scanning a few websites of the company I am working for. It appears from the report - which seems written without any human involvement - that several attempts where made to break our sites using requests like this:
DEBUG /some_path/some_unexisting_file.aspx
Accept: */*
More-Headers: ...
从我们的服务器,结果让我吃惊:
The result from our server surprises me:
HTTP/1.1 200 OK
Headers: ...
由于 DEBUG 似乎并没有被在的 HTTP 1.1规范我本来期望得到的结果是 400错误的请求或 405不允许的方法
As DEBUG does not seem to be mentioned anywhere in the HTTP 1.1 specification I would have expected the result to be 400 Bad Request or 405 Method Not Allowed.
DEBUG 动词用的是某种形式的ASP.NET应用程序的远程调试使用,但不是很多细节都在这个问题或它的答案。
From earlier question on SO, I have learned that the DEBUG verb is used in some sort of remote debugging of ASP.NET applications, but not many details are available in that question or its answers.
究竟是干什么用的 DEBUG 动词呢?为什么应用答案 200 OK 无效的网址中使用这个动词是什么时候?这是一个安全问题吗?是否有周围 DEBUG 动词任何潜在的安全问题,即ASP.NET开发人员/系统管理员应该知道的?
Exactly what is the DEBUG verb used for? Why does the application answer 200 OK for invalid URLs when using this verb? Is this a security problem? Are there any potential security problems surrounding the DEBUG verb, that ASP.NET developers/system administrators should be aware of?
任何见解/咨询/引用将AP preciated。
Any insights/advice/references will be appreciated.
推荐答案
http://support.microsoft.com/kb/937523
当客户端尝试自动附加调试器在ASP.NET 2.0应用程序,客户端发送一个包含DEBUG动词HTTP请求。这个HTTP请求被用来验证该应用程序的过程中正在运行,并选择正确的进程要附加
When the client tries to automatically attach the debugger in an ASP.NET 2.0 application, the client sends a HTTP request that contains the DEBUG verb. This HTTP request is used to verify that the process of the application is running and to select the correct process to attach.
它使用Windows身份验证和DCOM实际做调试,但 - 所以我不知道DEBUG谓词本身就是一个很大的安全风险(显然,如果你允许RPC通信,那么你已经有了更大问题)或任何战功。 UrlScan的确实在默认情况下阻止它,虽然。
It uses Windows authentication, and DCOM to actually do the debugging though - so I'm not aware of the DEBUG verb itself being a large security risk (obviously, if you're allowing RPC traffic, then you've got bigger problems) or of any exploits. UrlScan does block it by default, though.
我可能会穿上它网络嗅探器来检查哪些信息泄漏,虽然
I'd probably put a network sniffer on it to check what information leaks though.
这篇关于什么是非标准的HTTP动词QUOT; DEBUG"在ASP.NET/IIS用来做什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
