Monday, April 11, 2011

ASP.NET Misconfigurations Vulnerability


Today we will be learning about the ASP.NET misconfiguration vulnerability, which is found in most ASP.NET web pages.
An ASP.NET application can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbol (.pdb) files tell the debugger how to find the original source file for a binary, and how to map breakpoints in code to lines in those source files.
Debug binaries cause an application to give the user as much information about itself as possible. They are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can use the additional information they gain from the debugging output to mount attacks targeted at the framework, database, or other resources the application uses.

How to identify this vulnerability?

To identify this vulnerability, search for the following pattern in the system.web section of the Web.config file in the application's root directory:


<configuration>
  <system.web>
    <compilation debug="true"/>
  </system.web>
</configuration>

How to fix this vulnerability?

You can fix this loophole by enabling custom error pages. Custom error messages will prevent attackers from mining information from the framework's built-in error responses.


You can enable custom error pages by including the following code in the Web.config file:
<customErrors mode="On"/>
You can disable custom error pages by including the following code in the Web.config file:
<customErrors mode="Off"/>
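
A small audit script for the two settings covered in this post, added here as an example and not part of the original post: it parses a Web.config and reports debug="true" on <compilation> and mode="Off" on <customErrors>, including inside <location> blocks. The function names and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config (not taken from any real application).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
  <location path="admin">
    <system.web>
      <compilation debug="false" />
    </system.web>
  </location>
</configuration>"""


def local_name(element):
    """Tag name without an XML namespace prefix such as '{uri}system.web'."""
    return element.tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return a list of findings for the settings discussed in this post."""
    findings = []
    root = ET.fromstring(xml_text)
    # <system.web> can sit under <configuration> or inside <location> blocks.
    for section in root.iter():
        if local_name(section) != "system.web":
            continue
        for child in section:
            name = local_name(child)
            # Values are compared case-insensitively so odd casing is still reported.
            if name == "compilation" and child.get("debug", "").strip().lower() == "true":
                findings.append("compilation debug=true: debug binaries enabled")
            if name == "customErrors" and child.get("mode", "").strip().lower() == "off":
                findings.append("customErrors mode=Off: detailed errors shown to users")
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("[!]", finding)
```

An empty result means neither setting was found in its risky state; run it against each Web.config in the deployment, since subdirectories can carry their own.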
