Abstract:

The program does not set the HttpCookie.HttpOnly property to true.

Explanation:

The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script.

This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information

identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the

attacker in order to masquerade as the user or obtain sensitive information.

Example 1: Vulnerable configuration:

<configuration>

<system.web>

<httpCookies httpOnlyCookies="false">

Recommendations:

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate crosssite

scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site,

such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the

user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to clientside

script.

Example 2: Here see the secure configuration. Any cookie marked with this property will be accessible only from server-side

code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to

protect Web-based applications from cross-site scripting attacks. A hacker initiates a cross-site scripting (also called CSS or

XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any

page that accepts input from a user and echoes that input back is potentially vulnerable.

<configuration>

<system.web>

<httpCookies httpOnlyCookies="true">

Tips:

1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the

HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly

for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.

2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the

cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important,

as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site

with a legitimate user's identity.

web.config中的HttpCookie.HttpOnly属性的更多相关文章

  1. WCF项目问题2-无法激活服务,因为它需要 ASP.NET 兼容性。没有未此应用程序启用 ASP.NET 兼容性。请在 web.config 中启用 ASP.NET 兼容性,或将 AspNetCompatibilityRequirementsAttribute.AspNetCompatibilityRequirementsMode 属性设置为 Required 以外的值。

    无法激活服务,因为它需要 ASP.NET 兼容性.没有未此应用程序启用 ASP.NET 兼容性.请在 web.config 中启用 ASP.NET 兼容性,或将 AspNetCompatibility ...

  2. web.config中配置页面出错后跳转指定错误页面

    每当用户访问错误页面时,会出现不友好的404错误,所以为了防止这种不友好,我们在web.config中的<system.web>节点下配置 <customErrors>,在出现 ...

  3. ASP.Net Web.config 中引用外部config文件

    1. 前提准备: Web.config file: <?xml version="1.0" encoding="utf-8"?><config ...

  4. web.config中sessionState节点的配置方案

    web.config中sessionState节点的配置方案 web.config关于sessionState节点的配置方案,sessionState有五种模式:Custom,off,inProc,S ...

  5. web.config中<customErrors>节点

    错误提示: “/”应用程序中的服务器错误.------------------------------------------------------------------------------- ...

  6. web.config中configSections section节 -Z

    由于最近一个项目的数据库变动比较频繁, 为了减少数据层的负担, 打算采用.net的MVC框架, 使用LINQ对付数据层.       这个框架的web.config文件里出现了configSectio ...

  7. ASP.NET web.config中数据库连接字符串connectionStrings节的配置方法

    ASP.NET web.config中数据库连接字符串connectionStrings节的配置方法 第一种情况,本地开发时,使用本地数据库,如下面的代码 <connectionStrings& ...

  8. web.config中的InProc模式 与 StateServer模式[转]

    开发asp.net应用时,修改web.config中的SessionState节点. <sessionState mode="StateServer" stateConnec ...

  9. asp.net mvc 3 配置全局错误处理 Web.config中设置CustomError

    摘自: http://www.myexception.cn/web/1130191.html asp.net mvc 配置全局异常处理 Web.config中设置CustomError Web.con ...

随机推荐

  1. 在工作有时候centos6.5系统使用rpm包安装mysql5.7出现的问题

    首先说明一下,我用的CentOS版本是6.6,64位.打印机驱动程序是两个rpm安装包:cndrvcups-common-2.60-1.x86_64.rpm和cndrvcups-capt-2.60-1 ...

  2. kubernetes多节点部署解析

    注:以下操作均基于centos7系统. 安装ansible ansilbe可以通过yum或者pip安装,由于kubernetes-ansible用到了密码,故而还需要安装sshpass: pip in ...

  3. 黄聪:路由器WIFI连接无法正常访问个别网站及发送图片

    打开路由,路由默认MTU是1500,改成1472 就解决了

  4. 如何从eclipse中下载并导入Github上的项目

    eclipse导入项目,方法就是点击File ->Import,选择Existing Projects into Workspace 但前提是,你导入的这个项目原本就是用eclipse的构建的, ...

  5. mysql删造成表死锁研究

    现在互联网公司对于代码的管理越来越规范,一般都会有3个环境:开发环境,测试环境,正式环境.在开发环境进行开发,开发完成后将代码提交到测试环境进行测试,测试完毕后上线到正式环境. 今天在正式环境上遇到一 ...

  6. 在IT行业换一个领域

    开发做了不到两个月,就不做了.原因是自己不喜欢开发,感觉开发的东西很麻烦.也许说到麻烦,很多人都要教训我了,干什么不麻烦.我也不想反驳什么,因为失败的次数太多了,反驳也无力. 从放弃开发开始到现在,抑 ...

  7. OAF_开发系列13_实现OAF通过Vector动态查询设置(案例)

    20150715 Created By BaoXinjian

  8. oracle数据库如何创建用户并授予角色

    目标:1.  创建角色test1_role,  授予 CREATE PROCEDURE, CREATE SEQUENCE, CREATE SYNONYM, CREATE TABLE, CREATE T ...

  9. 关于Android 打开新的Activity 虚拟键盘的弹出与不弹出

    关于Android 打开新的Activity 虚拟键盘的弹出与不弹出 打开Activity 时  在相应的情况 弹出虚拟键盘 或者 隐藏虚拟键盘 会给用户非常好的用户体验 , 实现起来也比较简单 只需 ...

  10. poj 1806 Manhattan 2025

    点击打开链接 题目大意就是给定一个最大歩数,让你输出你在三维的空间中可以到达的位置的切片,注意当歩数大于9的时候就不需要输出了! #include<stdio.h> #include< ...