This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "CRV2 FrameworkSpecIssuesASPNetConfigs"

From OWASP
Jump to: navigation, search
Line 51: Line 51:
  
 
==References==
 
==References==
 +
 +
MSDN, 2013 "Securing ASP.NET Configurations" available at http://msdn.microsoft.com/en-us/library/ms178699%28v=vs.100%29.aspx (Last Viewed, 25th July 2013)

Revision as of 11:59, 25 July 2013

Introduction

Securing resources in ASP.NET applications is a combination of configuration settings in the Web.config file but also, its important to remember that the IIS configurations play also a big part on this. It's an integrated approach which provides a total framework of security. The following highlights the most important aspects of ASP.NET configuration settings within the web.config file. For a total overview see chapter ASP.NET security (https://www.owasp.org/index.php/CRV2_FrameworkSpecIssuesASPNet)

Secure Configuration Values

Sensitive Information saved in config files should be encrypted. Encryption keys stored in the machineKey element for example or connectionstrings with username and passwords to login to database.

Lock ASP.NET Configuration settings

You can lock configuration settings in ASP.NET configuration files (Web.config files) by adding an allowOverride attribute to a location element

Configure directories using Location Settings

Through the <location> element you can establish settings for specific folders and files. The Path attribute is used to specify the file or subdirectory. This is done in the Web.config file example: 

<location path="." >
   <section1 .../>
   <section2 ... />
 </location>
 <location path="Default Web Site" >
   <section1 … />
   <section2 … />
 </location
 <location path="Default Web Site/MyApplication/Admin/xyz.html" >
   <section1 ... />
   <section2 ... />
 </location>

Configure exceptions for Error Code handling

Showing and handling the correct error code when a user sends a bad request or invalid parameters is an important configuration subject. Logging these errors are also an excellent help when analyzing potential attacks to the application.


It is possible to configure these errors in the code or in the Web.Config file

The HttpException method Describes an exception that occurred during the processing of HTTP requests.For example: 

if (string.IsNullOrEmpty(Request["id"]))
    throw new HttpException(400, "Bad request");


or in the Web.config file: 


<configuration>
 <system.web>
   <customErrors mode="On" defaultRedirect="ErrorPage.html" 
                redirectMode="ResponseRewrite">
     <error statusCode="400" redirect="BadRequest.html" />
     <error statusCode="404" redirect="FileNotFound.html" />
   </customErrors>
 </system.web>
</configuration>

References

MSDN, 2013 "Securing ASP.NET Configurations" available at http://msdn.microsoft.com/en-us/library/ms178699%28v=vs.100%29.aspx (Last Viewed, 25th July 2013)

Retrieved from "https://wiki.owasp.org/index.php?title=CRV2_FrameworkSpecIssuesASPNetConfigs&oldid=156019"