Book: 《Web安全设计之道 - .NET代码安全,界面漏洞防范与程序优化》 (The Way of Web Security Design: .NET Code Security, UI Vulnerability Prevention and Program Optimization)

.NET Security Audit Checklist
Design phase

- Security decisions should not rely on client-side validation; they are made on the server side.
- The Web site is partitioned into public access areas and restricted areas that require authenticated access. Navigation between these areas should not carry sensitive credential information. Example: cookie1=personal info; path="/public"; cookie2=credential info; path="/secure".
- The identities used to access remote resources from ASP.NET Web applications are clearly identified.
- Mechanisms have been identified to secure credentials, authentication tickets, and other sensitive information over the network and in persistent stores. Note 1: .NET has an encryption component for ConnectionString; see VSS SQA Assets\Project Assets\...CryptoUtility.rar. Note 2: is there a component specifically for protecting cookies? https://msdn.microsoft.com/zh-cn/library/zdh19h94(v=vs.80).aspx
- A secure approach to exception management is identified. The application fails securely in the event of exceptions.
- The site has granular authorization checks for pages and directories.
- Web controls, user controls, and resource access code are all partitioned in their own assemblies for granular security.

Application condition classification

- User input is validated for type, length, format, and range. Input is checked for known valid and safe data first, and then for malicious or dangerous data. For valid and safe input, the points to watch are: parameters of public methods (GL: ?); every input field that comes from an untrusted source should be constrained by a function or a regular expression.
- String form field input is validated using regular expressions.
- Regular HTML controls, query strings, cookies, and other forms of input are validated.
- The RequiredFieldValidator control is used where data must be entered.
- Free-form input is sanitized to remove malicious data, for example with HttpUtility.HtmlEncode and HttpUtility.UrlEncode.
- Input file names are well formed and are verifiably valid within the application context.
- Output that includes input is encoded with HtmlEncode and UrlEncode: <%Response.Write(Server.HtmlEncode("..."))%>
- MapPath restricts cross-application mapping where appropriate. If MapPath is used to map a virtual path to a physical path, use the overload of Request.MapPath that takes a Boolean parameter; this prevents cross-application mapping.
- Character encoding is set by the server (ISO-8859-1 is recommended / UTF-8?).
- The ASP.NET 1.1 validateRequest option is enabled.
- URLScan needs to be installed on the Web server.
- The HttpOnly cookie option prevents client-side cross-site attacks (supported only in IE 6.1 and later).
- SQL parameters are used in data access code to validate the length and type of data and to help prevent SQL injection.

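The input-handling items above (regular-expression validation, SQL parameters, and encoding output that contains input), combined in one Web Forms code-behind. This is an added example, not the book's code; it assumes .NET 2.0 or later, a TextBox named txtUserName, a Label named lblResult, a Users table with UserName/DisplayName columns, and a connection string named "Main" in Web.config.

```csharp
// Added example (not from the book): validate, query and encode one form field.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class SearchPage : Page
{
    // Whitelist: 1 to 20 letters, digits or underscores. Anything else is rejected
    // on the server, regardless of what client-side validators already checked.
    private static readonly Regex UserNameRegex = new Regex(@"^[A-Za-z0-9_]{1,20}$");

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string userName = txtUserName.Text;
        if (!UserNameRegex.IsMatch(userName))
        {
            lblResult.Text = "Invalid user name.";   // constant text; the input is not echoed
            return;
        }

        string displayName = LookupDisplayName(userName);
        // Output that includes data from the store is encoded before it reaches the browser.
        lblResult.Text = HttpUtility.HtmlEncode(displayName ?? "No such user.");
    }

    // The SqlParameter fixes the type and length of the value, and the value is never
    // concatenated into the SQL text, so it cannot change the structure of the query.
    private static string LookupDisplayName(string userName)
    {
        string connStr = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE UserName = @UserName", conn))
        {
            SqlParameter p = cmd.Parameters.Add("@UserName", SqlDbType.VarChar, 20);
            p.Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;   // null when no row matches
        }
    }
}
```
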
Authentication security review (for security engineers)

- The site is partitioned into restricted areas and public areas. Web.config settings control access to the public pages and the restricted pages.
- Absolute URLs are used for navigation where the site is partitioned into secure and non-secure folders.
- Secure Sockets Layer (SSL) is used to protect credentials and authentication cookies.
- The slidingExpiration attribute is set to "false", and limited authentication cookie time-outs are used where the cookie is not protected by SSL.
- The forms authentication cookie is restricted to HTTPS connections by using the requireSSL attribute or the secure cookie property.
- The authentication cookie is encrypted and integrity checked (protection="All").
- Authentication cookies are not persisted.
- Application cookies have unique path/name combinations.
- Personalization cookies are separate from authentication cookies.
- Passwords are not stored directly in the user store; salted password digests are stored instead.
- The impersonation credentials (if a fixed identity is used) are encrypted in the configuration file by using Aspnet_setreg.exe.
- Strong password policies are implemented for authentication. For example: user passwords must be at least 7 characters long and contain both digits and letters.
- The <credentials> element is not used inside the <forms> element for Forms authentication (use it for testing only).

Authorization review

- URL authorization is used for page and directory access control.
- File authorization is used with Windows authentication (when using Windows authentication, check the NTFS permissions).
- Principal permission demands are used to secure access to classes and members. Explicit role checks are used if fine-grained authorization is required.

Configuration review

- Configuration file retrieval is blocked by using HttpForbiddenHandler.
- A least-privileged account is used to run ASP.NET.
- Custom account credentials (if used) are encrypted on the <processModel> element by using Aspnet_setreg.exe.
- To enforce machine-wide policy, Web.config settings are locked by using allowOverride="false" in Machine.config.
- SSL is used to protect sensitive data on the wire.
- Sensitive data is not passed across pages; it is maintained using server-side state management.
- Sensitive data is not stored in cookies, hidden form fields, or query strings.
- Do not cache sensitive data. Output caching is off by default.
- Plain-text passwords are avoided in Web.config and Machine.config files (Aspnet_setreg.exe is used to encrypt credentials).

Session state review

- The session cookie is protected using SSL on all pages that require authenticated access.
- Windows authentication is used to connect to the Microsoft SQL Server state database.
- Access to the state data is restricted in SQL Server.
- Connection strings are encrypted by using Aspnet_setreg.exe.
- The communication channel to the state store is encrypted (IPSec or SSL).

Parameter review

- View state is protected using message authentication codes (MACs).
- Query strings with server secrets are hashed.
- All input parameters are validated.
- Page.ViewStateUserKey is used to counter one-click attacks.

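The "query strings with server secrets are hashed" and "ViewStateUserKey" items together: an added C# example (not from the book) that signs a query string with an HMAC keyed from server configuration and rejects any altered request, and a page that binds its view state to the session. The appSettings key "QuerySigningKey", the parameter name "sig", and the page name are this example's assumptions.

```csharp
// Added example (not from the book): HMAC-signed query strings plus ViewStateUserKey.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;

public static class QueryStringSigner
{
    // Secret from protected server configuration (assumed appSettings key); never sent to the client.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["QuerySigningKey"]);

    // Canonical form: every parameter except "sig", URL-encoded, sorted by name, each followed by '&'.
    private static string Canonical(NameValueCollection q)
    {
        List<string> keys = new List<string>();
        foreach (string k in q.AllKeys) if (k != null && k != "sig") keys.Add(k);
        keys.Sort(StringComparer.Ordinal);
        StringBuilder sb = new StringBuilder();
        foreach (string k in keys)
            sb.Append(HttpUtility.UrlEncode(k)).Append('=').Append(HttpUtility.UrlEncode(q[k])).Append('&');
        return sb.ToString();
    }

    private static string Sign(string canonical)
    {
        using (HMACSHA256 mac = new HMACSHA256(Key))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // Builds "?a=1&b=2&sig=..." for a link the server hands out.
    public static string Build(NameValueCollection parameters)
    {
        string c = Canonical(parameters);
        return "?" + c + "sig=" + HttpUtility.UrlEncode(Sign(c));
    }

    // True only if the parameters still match the signature; the compare is constant time.
    public static bool IsValid(NameValueCollection query)
    {
        string sig = query["sig"];
        if (sig == null) return false;
        byte[] a = Encoding.UTF8.GetBytes(sig), b = Encoding.UTF8.GetBytes(Sign(Canonical(query)));
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < Math.Min(a.Length, b.Length); i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public class OrderPage : Page   // page side: one-click defence plus the signature check
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ViewStateUserKey = Session.SessionID;   // must be set before view state is loaded
        if (!QueryStringSigner.IsValid(Request.QueryString)) throw new HttpException(400, "Bad request");
    }
}
```
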
Error message review

- Structured exception handling is used.
- Exception details are logged on the server.
- Generic error pages with harmless messages are returned to the client.
- Page-level or application-level error handlers are implemented.
- The application distinguishes between errors and exception conditions.

Logging review

- Configure the ASP.NET process so that event sources can be created at run time, or create the application's event source at installation time.

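The error-handling and logging items above in one Global.asax code-behind: details are logged to the server's event log, an expected condition (404) is treated as an error rather than an exceptional failure, and the client only ever sees a generic page. This is an added example, not the book's code; the event source name "MyWebApp" and the page ~/GenericError.aspx are assumptions, and the source is expected to be created at install time because the ASP.NET process account normally cannot create one at run time.

```csharp
// Added example (not from the book): application-level error handler with server-side logging.
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    private const string EventSource = "MyWebApp";   // assumed name

    // Run once with administrative rights at installation time.
    public static void EnsureEventSource()
    {
        if (!EventLog.SourceExists(EventSource))
            EventLog.CreateEventSource(EventSource, "Application");
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;
        HttpException httpEx = ex as HttpException;

        // An expected condition such as a missing page is an error, not an exception
        // condition: record it at a lower level and let customErrors handle the response.
        if (httpEx != null && httpEx.GetHttpCode() == 404)
        {
            EventLog.WriteEntry(EventSource, "Not found: " + Request.RawUrl,
                                EventLogEntryType.Information);
            return;
        }

        // Full details (stack trace, inner exceptions) stay on the server.
        string detail = "Unhandled exception at " + Request.RawUrl
                        + Environment.NewLine + ex.ToString();
        EventLog.WriteEntry(EventSource, detail, EventLogEntryType.Error);

        // Clear the error so the default page with exception details is never rendered,
        // then send the client a harmless generic page.
        Server.ClearError();
        Response.Redirect("~/GenericError.aspx", false);
    }
}
```
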
Configuration file review (for developers)

- Disable tracing on production servers: <trace enabled="false">.
- Disable debug compilation on production servers by setting debug="false".
- If the application does not use view state, set enableViewState to "false". If it does use view state, set enableViewState to "true" and enableViewStateMac to "true" so that tampering with view state is detected.
- Return custom error pages to the client and prevent exception details from being returned by setting mode="on"; the defaultRedirect attribute specifies the generic error page.
- Configure the authentication mode correctly for the application's requirements. To enforce a particular authentication type, use a <location> element with allowOverride="false".
- Partition the site for public and restricted access; encrypt the authentication cookie and check its integrity; set the authentication cookie's SSL flag to true; if SSL is not used, set sliding expiration to false; limit the session lifetime; cookie names and paths are unique.
- If an impersonation identity is used, encrypt it in the registry by using Aspnet_setreg.exe.
- Verify that role names are correctly formatted.
- When deploying multiple ASP.NET Web applications on the same Web server, use the "IsolateApps" setting so that a separate key is generated for each Web application.
- If mode="StateServer", the credentials are stored encrypted in the registry; if mode="SQLServer", Windows authentication is used to connect to the state store database and the credentials are stored encrypted in the registry.
- Map unused file types to HttpForbiddenHandler to prevent the files from being retrieved over HTTP.
- Use a least-privileged account.
- Disable unused protocols.

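The configuration-file items above, together with the forms-authentication, session-state and HttpForbiddenHandler items from the earlier sections, as one Web.config fragment. This is an added example, not the book's or Microsoft's own file; the cookie name, login and error page paths, the state server name STATE-DB and the blocked extensions are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the book): Web.config settings the checklist asks for. -->
<configuration>
  <system.web>
    <!-- Production servers: no tracing, no debug compilation -->
    <trace enabled="false" />
    <compilation debug="false" />

    <!-- Generic error page; exception details never reach the client -->
    <customErrors mode="On" defaultRedirect="~/GenericError.aspx" />

    <!-- View state is used, so its MAC is enforced to detect tampering -->
    <pages enableViewState="true" enableViewStateMac="true" />

    <!-- Forms authentication cookie: encrypted and signed, HTTPS only,
         no sliding expiration, short lifetime, path limited to the secure area -->
    <authentication mode="Forms">
      <forms name="MyAppAuth" path="/secure" loginUrl="~/Login.aspx"
             protection="All" requireSSL="true" slidingExpiration="false" timeout="20" />
    </authentication>

    <!-- Shared server: separate keys per application. In a Web farm replace
         AutoGenerate with one explicit key common to all servers. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />

    <!-- Out-of-process state store, Windows authentication to SQL Server -->
    <sessionState mode="SQLServer"
                  sqlConnectionString="data source=STATE-DB;Integrated Security=SSPI" />

    <!-- Files that must never be served over HTTP -->
    <httpHandlers>
      <add verb="*" path="*.inc" type="System.Web.HttpForbiddenHandler" />
      <add verb="*" path="*.bak" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>

  <!-- Restricted area: anonymous users are denied -->
  <location path="secure">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

To make such settings machine-wide policy, the same elements go inside a <location allowOverride="false"> element in Machine.config, as the configuration review section states.
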
Web farm review

- Maintaining session state: to avoid server affinity, ASP.NET session state should be maintained out of process, for example in the ASP.NET SQL Server state database or in the out-of-process state service on a remote machine.
- Encryption and validation keys.

Multi-application server review

- Give each application a unique machine key, using IsolateApps on <machineKey> or a per-application <machineKey> element.
- Enable a unique path/name combination for each application's forms authentication cookie.
- Enable a common machine key on all servers in the Web farm.
- Use code access security trust levels for process isolation and to restrict access to system resources.

ACL and permissions review

- ASP.NET temporary directory, temporary directory, .NET Framework directory, .NET Framework configuration directory, Web site root, system root, global assembly cache, content directories.

Application Bin directory security review

- Configure IIS Web permissions: set Execute permission to None. Note that the Bin directory has no Read, Write, or Directory browsing permission.
- To deny user access, all authentication-related settings can be removed.