Abstract:

The program does not set the HttpCookie.HttpOnly property to true.

Explanation:

The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script. This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information.

Example 1: Vulnerable configuration (the httpCookies element explicitly disables HttpOnly; omitting the attribute has the same effect because its default is false):

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>

Recommendations:

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate cross-site scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to client-side script.

Example 2: Secure configuration. Any cookie marked with this property will be accessible only from server-side code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to protect Web-based applications from cross-site scripting attacks. A hacker initiates a cross-site scripting (also called CSS or XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any page that accepts input from a user and echoes that input back is potentially vulnerable.

<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
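The following is an added example, not part of the original finding text and not Microsoft's or Fortify's code. It is a small audit check that parses a web.config document the way a reviewer would and reports whether the httpCookies element actually enables HttpOnly. It treats a missing element or attribute as the ASP.NET default (false), which is the case the Explanation above warns about. The three embedded configurations are constructed samples; the case-insensitive comparison of the attribute value is an assumption based on how .NET parses boolean configuration values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the vulnerable configuration from Example 1.
VULNERABLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="false" />
  </system.web>
</configuration>
"""

# Constructed sample: the secure configuration from Example 2.
SECURE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" />
  </system.web>
</configuration>
"""

# Constructed sample: no httpCookies element at all, so the attribute
# silently takes its default value, which is false.
DEFAULT_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web />
</configuration>
"""


def http_only_cookies_enabled(web_config_xml: str) -> bool:
    """Return True only when <system.web><httpCookies httpOnlyCookies="true"> is present.

    An absent httpCookies element or an absent httpOnlyCookies attribute is
    reported as False, matching the ASP.NET default described in the finding.
    """
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/httpCookies")
    if node is None:
        return False
    # Assumption: .NET parses boolean attributes case-insensitively ("True" == "true").
    value = node.get("httpOnlyCookies", "false")
    return value.strip().lower() == "true"


def audit(web_config_xml: str) -> list:
    """Return a list of finding strings; an empty list means the check passed."""
    findings = []
    if not http_only_cookies_enabled(web_config_xml):
        findings.append(
            "httpCookies/httpOnlyCookies is not true: cookies are readable by client-side script"
        )
    return findings


if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG),
                       ("secure", SECURE_CONFIG),
                       ("default", DEFAULT_CONFIG)):
        print(label, audit(cfg) or ["ok"])
```

Running the script prints one line per sample configuration; only the secure one passes, and the default (attribute omitted) fails for the same reason as the explicitly vulnerable one.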

Tips:

1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.

2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important, as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site with a legitimate user's identity.
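Because tip 1 allows HttpOnly to be set per cookie in code rather than globally in web.config, a configuration audit alone cannot prove every cookie is protected; the observable truth is the Set-Cookie headers the application actually emits. The block below is an added example (not code from the original finding) that parses captured response headers and reports, per cookie, which protective flags are missing. It also checks for the Secure attribute, which goes slightly beyond the page text: tip 2 only says to consider SSL, and the Secure flag is the cookie-level counterpart of that advice. The header lines are constructed samples, and the cookie values in them are placeholders.

```python
# Constructed sample of response headers as a list of (name, value) pairs.
# ASP.NET_SessionId and .ASPXAUTH are the default ASP.NET session and forms
# authentication cookie names; the values here are made-up placeholders.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "ASP.NET_SessionId=PLACEHOLDER_SESSION; path=/"),
    ("Set-Cookie", ".ASPXAUTH=PLACEHOLDER_TICKET; path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; path=/; HttpOnly; Secure"),
]


def parse_set_cookie(header_value: str):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attributes are keyed by their lower-cased name; flag attributes such as
    HttpOnly and Secure carry no value and are stored as True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = True
    return name, attrs


def check_cookie_flags(headers):
    """Return {cookie_name: [missing flags]} for every Set-Cookie header.

    An empty list means the cookie carries both HttpOnly and Secure.
    """
    findings = {}
    for header_name, header_value in headers:
        if header_name.lower() != "set-cookie":
            continue
        cookie_name, attrs = parse_set_cookie(header_value)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")   # readable by client-side script (tip 1)
        if "secure" not in attrs:
            missing.append("Secure")     # may travel over plain HTTP (tip 2)
        findings[cookie_name] = missing
    return findings


if __name__ == "__main__":
    for cookie, missing in check_cookie_flags(SAMPLE_HEADERS).items():
        status = "missing " + ", ".join(missing) if missing else "ok"
        print(f"{cookie}: {status}")
```

Run against the sample, the session cookie is flagged for both attributes, the forms authentication ticket only for Secure, and the theme cookie passes. The same function can be fed headers captured from a test environment to confirm that a web.config change actually reached every cookie the application sets.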
