Today we will be learning about the ASP.NET misconfiguration vulnerability, which is found in most ASP.NET web pages.
An ASP.NET application can be configured to produce debug binaries. These binaries give detailed debugging messages and should not be used in production environments. The debug attribute of the <compilation> tag defines whether compiled binaries should include debugging information. Symbol (.pdb) files tell the debugger how to find the original source file for a binary, and how to map breakpoints in code to lines in those source files.
The use of debug binaries causes an application to provide as much information about itself as possible to the user. Debug binaries are meant to be used in a development or testing environment and can pose a security risk if they are deployed to production. Attackers can use the additional information they gain from debugging output to mount attacks targeted at the framework, database, or other resources the application uses.
How to identify this vulnerability?
To identify this vulnerability, search for the following pattern in the system.web section of the Web.config file in the application root directory:
<configuration><system.web><compilation debug="true"/></system.web></configuration>
How to fix this vulnerability?
You can fix this loophole by enabling custom error pages. Custom error messages will prevent attackers from mining information from the framework's built-in error responses.
You can enable custom error pages by including the following code in the web.config file:
<customErrors mode="On"/>
You can disable custom error pages by including the following code in the web.config file:
<customErrors mode="Off"/>
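The check and the fix described above can be automated. The following is an added example, not part of the original post: a Python script that parses Web.config files and reports debug="true" and customErrors mode="Off". The function names and the two sample configs are assumptions constructed for this illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample Web.config contents, not taken from any real application.
RISKY = """<configuration><system.web>
  <compilation debug="true"/>
  <customErrors mode="Off"/>
</system.web></configuration>"""
HARDENED = """<configuration><system.web>
  <compilation debug="false"/>
  <customErrors mode="On"/>
</system.web></configuration>"""

def _named(elements, name):
    # Match on the local tag name so a config with an xmlns still matches.
    return [e for e in elements if e.tag.rsplit("}", 1)[-1] == name]

def audit_web_config(xml_data):
    """Return the risky settings found in one Web.config (str or bytes)."""
    findings = []
    root = ET.fromstring(xml_data)
    # Covers the top-level <system.web> and any under <location> overrides.
    for web in _named(root.iter(), "system.web"):
        for comp in _named(web, "compilation"):
            if comp.get("debug", "false").strip().lower() == "true":
                findings.append("compilation debug=true")
        # An absent <customErrors> is not flagged: the default is RemoteOnly.
        for err in _named(web, "customErrors"):
            if err.get("mode", "RemoteOnly").strip().lower() == "off":
                findings.append("customErrors mode=Off")
    return findings

def audit_tree(root_dir):
    """Audit every Web.config below root_dir; returns {path: findings}."""
    report = {}
    for path in Path(root_dir).rglob("*"):
        if path.is_file() and path.name.lower() == "web.config":
            try:
                report[str(path)] = audit_web_config(path.read_bytes())
            except ET.ParseError as exc:
                report[str(path)] = [f"unparseable: {exc}"]
    return report

if __name__ == "__main__":
    for path, findings in audit_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, findings or "ok")
```

Run it against a deployment directory before release; an empty findings list for every file means neither setting was found.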
1 comment:
nice one bro :)