IBM AppScan???????????????.net??
???????????? ???????[ 2015/11/17 13:40:00 ] ?????????????????? AppScan
	??????????????????????
	????1????? SQL ?????????·2
	????2??????????????3
	????3?????????????????1
	????4???????δ????2
	????5???????????α??1
	????6??Missing "Content-Security-Policy" header 9
	????7??Missing "X-Content-Type-Options" header 9
	????8??Missing "X-XSS-Protection" header 9
	????9??????н???????????1
	????10???????? Microsoft ASP.NET ????2
	????11?????????????????1
	????12???????? __VIEWSTATE ????1
	????13???????ó?????????1
	????14????ó??????9
	????15?????????3
	???????????
	????1????? SQL ?????????·
	?????? ????????????????????????sql?????????????
	???????????楨?????????????????sql?????????????
	// Keyword blacklist that the post matches user input against (AppScan item 1, the SQL finding).
	// NOTE(review): `""` inside a verbatim string is one double-quote character; `or` and `and` are bare
	// substrings, so ordinary input such as "form", "order" or "band" would also be rejected. If this list
	// is ever handed to Regex as an alternation, the unescaped `(` in `count(`, `asc(`, `mid(` and `char(`
	// will not parse; a plain substring check (IndexOf/Contains) is presumably what the post intends —
	// verify against the (garbled) surrounding text.
	// A keyword blacklist is not a reliable defence against SQL injection: it is bypassable and rejects
	// legitimate text. The finding should be closed with parameterised queries (SqlCommand.Parameters).
	string StrKeyWord = @"select|insert|delete|from|count(|drop table|update|truncate|asc(|mid(|char(|xp_cmdshell|exec master|netlocalgroup administrators|:|net user|""|or|and";
	// Character blacklist, intended as a single character class.
	// NOTE(review): as written the pattern is malformed. .NET closes the class at the first unescaped `]`,
	// so the tail `|}|{|%|@|*|!|']` becomes an alternation whose lone `*` branch is a quantifier following
	// nothing, and `new Regex(StrRegex)` throws ArgumentException. `[`, `]` and `'` must be escaped inside
	// the class, and the `|` separators are literal characters there, not alternation. The `??` between `;`
	// and `/` are characters lost to the post's encoding ([CHARS-FROM-ORIGINAL]) and cannot be recovered here.
	string StrRegex = @"[-|;|??|/|(|)|[|]|}|{|%|@|*|!|']";
	??????????????? ??????????????sql????????????
	????2??????????????
	?????????????????SSL??飬?????н????
	????3?????????????????
	??????????????????????????????????????????????????????????磺???????????????????????????????????????????
	????4???????δ????
	??????????????????????????????????檔
	?????ο??????? http://www.2cto.com/Article/201302/190228.html ???????Ч??
	????http://blog.itpub.net/12639172/viewspace-441971/ ????ok
	??????????棬???????????
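	/// <summary>
	/// Resets the server-side session on the first (non-postback) request of the login page so that a
	/// session id the client already holds is not carried over into the authenticated session
	/// (AppScan item 4 of this post; the garbled heading presumably describes session-id reuse — TODO confirm).
	/// </summary>
	/// <param name="sender">The page raising the event.</param>
	/// <param name="e">Event data (unused).</param>
	protected void Page_Load(object sender, EventArgs e)
	{
		if (!IsPostBack)
		{
			// Abandon() discards the session data, but ASP.NET keeps issuing the same session id while
			// the client still presents its ASP.NET_SessionId cookie.
			Session.Abandon();
			// Overwrite the cookie with an empty value so the next request carries no session id and
			// the runtime generates a fresh one.
			Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));
			txt_Fileld1.Focus();
		}
	}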
	????5???????????α??
	????????????????????ж????????????????????????????
	????????ο???????
	????1??????referer?ж??
	????????????п????????????????????????????? Referer??????????????????????????
	????2????????????? token ?????
	??????????????????з???????????α???????????????????????? cookie ??У?
	???????????????????????????????????form??hidden????У?form?????????????????顣
	????6??Missing "Content-Security-Policy" header
	?????? ??web.config ????????????????????
	<!-- Response headers emitted for every response from this application (items 6, 7, 8 and 11 of this post).
	     Content-Security-Policy "default-src 'self'" also forbids inline <script>/<style> and any resource from
	     another origin, so pages that rely on inline script or css break until they are given a nonce or an
	     explicit source list (the note under item 11 appears to say the same). X-Frame-Options SAMEORIGIN
	     allows framing only by same-origin pages (clickjacking mitigation). X-XSS-Protection is a legacy
	     header that current browsers ignore; CSP is the effective control. -->
	<system.webServer>
	<httpProtocol>
	<customHeaders>
	<add name="X-Content-Type-Options" value="nosniff"/>
	<add name="X-XSS-Protection" value="1;mode=block"/>
	<add name="X-Frame-Options" value="SAMEORIGIN"/>
	<add name="Content-Security-Policy" value="default-src 'self'"/>
	</customHeaders>
	</httpProtocol>
	</system.webServer>
	????7??Missing "X-Content-Type-Options" header
	?????? ??web.config ???????????????????????????? ??6 ??????
	<!-- Same element as in the customHeaders block of item 6. nosniff stops browsers from MIME-guessing a
	     response away from its declared Content-Type (e.g. treating an upload as script). -->
	<add name="X-Content-Type-Options" value="nosniff"/>
	????8??Missing "X-XSS-Protection" header
	?????? ??web.config ???????????????????????????? ??6 ??????
	<!-- Same element as in the customHeaders block of item 6. Legacy header: current browsers ignore it, so it
	     satisfies the scanner but the Content-Security-Policy header is the control that actually matters. -->
	<add name="X-XSS-Protection" value="1;mode=block"/>
	????9??????н???????????
	??????δ???
	????10???????? Microsoft ASP.NET ????
	????????ó????????????????????compilation ?????? debug? false??
	<!-- debug="false" is what closes item 10: a debug build returns detailed error pages and disables
	     compilation optimisations, and must not ship to production. targetFramework is as given in the post. -->
	<compilation debug="false" targetFramework="4.0"/>
	????11?????????????????
	????????web.config ???????????????????????????? ??6 ??????
	<!-- Same element as in the customHeaders block of item 6. 'self' alone blocks inline script/css and any
	     third-party resource; the line below this one in the post appears to warn about exactly that. -->
	<add name="Content-Security-Policy" value="default-src 'self'"/>
	??????????????????????????????????????????????в???????????磬?????????????????css??Ч??
	????12???????? __VIEWSTATE ????
	????????web.config ???????????? pages ??????viewStateEncryptionMode ?Always??
	<!-- viewStateEncryptionMode="Always" encrypts the __VIEWSTATE field (item 12) so its contents are not
	     readable by the client. Leave enableViewStateMac at its default (true) so it stays signed as well;
	     encryption without the MAC does not protect against tampering. -->
	<pages controlRenderingCompatibilityVersion="3.5" clientIDMode="AutoID" viewStateEncryptionMode="Always" />
	????13???????ó????????
	?????? ?????????????У??????????棬???????????“??????????”?????????
	????14????ó??????
	????????????ó????????檔
	?????? ??Server Error in '/' Application.
	???????????????????????ó???????????????????????????????????
	<!-- mode="On" replaces the "Server Error in '/' Application." page (stack trace, file paths, framework
	     version) with the static error page for every client (item 14). mode="RemoteOnly" would keep the
	     detailed page for requests from the server itself, which is usually the more practical setting. -->
	<customErrors mode="On" defaultRedirect="~/error.html" />
	????15?????????
	????????????????????url?е?????? ????????????????緶Χ??
	?????? /ApplyShow.aspx?id=99999999999999999999
	????????????????水???????????????????δ??????????
	????http://localhost:83/login.aspx ??壺 ImgbtnDl.y (Parameter)
	????16??WebResource.axd
	????WebResources.axd?d=xyz??
	????WebResource.axd?????????????????????????d=xyz?е?xyz??????500????????????????????404????????γ??????????
	?????ο??????
	????http://www.2cto.com/Article/201009/75162.html
	????http://pan.baidu.com/share/link?shareid=3851057069&uk=2164275402
	????http://www.cnblogs.com/JeffreyZhao/archive/2010/09/25/things-about-padding-oracle-vulnerability-in-asp-net.html
	????http://www.cnblogs.com/shanyou/archive/2010/09/25/1834889.html Padding Oracle Attack ?????
	