The HttpCookie.HttpOnly property in web.config
Abstract:
The program does not set the HttpCookie.HttpOnly property to true.
Explanation:
The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through client-side script. This exposes the application to an unnecessary cross-site scripting threat that can result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.
Example 1: Vulnerable configuration (httpOnlyCookies explicitly left at false; omitting the attribute has the same effect):
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>
Recommendations:
Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.
Example 2: Secure configuration. Any cookie marked with this property will be accessible only from server-side code, and not from any client-side scripting code such as JavaScript or VBScript. Shielding cookies from the client in this way helps protect Web-based applications from cross-site scripting attacks. An attacker initiates a cross-site scripting (also called CSS or XSS) attack by attempting to insert their own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable.
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
Tips:
1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.
2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.
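The following added example (not part of the original finding) audits a web.config for the setting discussed above, applying the ASP.NET default of false when the httpCookies element or the httpOnlyCookies attribute is missing, and then checks emitted Set-Cookie header values for the HttpOnly attribute so the fix can be verified end to end. The requireSSL attribute of httpCookies is included as the configuration counterpart of Tip 2; the sample configs and header values are constructed.

```python
"""Audit web.config cookie hardening and verify the resulting Set-Cookie headers.
Added example; not code from the original page."""
import xml.etree.ElementTree as ET

# Constructed sample configurations (not taken from a real application).
VULNERABLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>"""

SECURE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>"""

# No <httpCookies> element at all: ASP.NET falls back to its default of false.
IMPLICIT_CONFIG = "<configuration><system.web /></configuration>"


def audit_web_config(xml_text: str) -> dict:
    """Return the effective httpOnlyCookies and requireSSL values.
    A missing element or attribute is reported as False, matching ASP.NET."""
    root = ET.fromstring(xml_text)
    system_web = root.find("system.web")
    node = system_web.find("httpCookies") if system_web is not None else None

    def flag(name: str) -> bool:
        if node is None:
            return False
        return node.get(name, "false").strip().lower() == "true"

    return {"httpOnlyCookies": flag("httpOnlyCookies"),
            "requireSSL": flag("requireSSL")}


def set_cookie_is_httponly(header_value: str) -> bool:
    """True if a Set-Cookie header value carries the HttpOnly attribute.
    Attribute names are compared case-insensitively, as browsers do."""
    attributes = [part.strip().lower() for part in header_value.split(";")[1:]]
    return "httponly" in attributes


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG),
                       ("secure", SECURE_CONFIG), ("implicit", IMPLICIT_CONFIG)):
        print(label, audit_web_config(cfg))
    # Constructed header values as a browser would receive them.
    print(set_cookie_is_httponly("ASP.NET_SessionId=abc123; path=/"))            # False
    print(set_cookie_is_httponly("ASP.NET_SessionId=abc123; path=/; HttpOnly"))  # True
```

Run the audit against the deployed web.config and the header check against a captured response from the application; if the config says true but the header lacks HttpOnly, a cookie is being created in code that overrides the site-wide setting.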