Abstract:

The program does not set the HttpCookie.HttpOnly property to true.

Explanation:

The default value for the httpOnlyCookies attribute is false, meaning that the cookie is accessible through a client-side script.

This is an unnecessary cross-site scripting threat, resulting in stolen cookies. Stolen cookies can contain sensitive information

identifying the user to the site, such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the

attacker in order to masquerade as the user or obtain sensitive information.

Example 1: Vulnerable configuration:

<configuration>

<system.web>

<httpCookies httpOnlyCookies="false">

Recommendations:

Microsoft Internet Explorer version 6 Service Pack 1 and later supports a cookie property, HttpOnly, that can help mitigate crosssite

scripting threats that result in stolen cookies. Stolen cookies can contain sensitive information identifying the user to the site,

such as the ASP.NET session ID or forms authentication ticket, and can be replayed by the attacker in order to masquerade as the

user or obtain sensitive information. When an HttpOnly cookie is received by a compliant browser, it is inaccessible to clientside

script.

Example 2: Here see the secure configuration. Any cookie marked with this property will be accessible only from server-side

code, and not to any client-side scripting code like JavaScript or VBScript. This shielding of cookies from the client helps to

protect Web-based applications from cross-site scripting attacks. A hacker initiates a cross-site scripting (also called CSS or

XSS) attack by attempting to insert his own script code into the Web page to get around any application security in place. Any

page that accepts input from a user and echoes that input back is potentially vulnerable.

<configuration>

<system.web>

<httpCookies httpOnlyCookies="true">

Tips:

1. It is possible to enable HttpOnly programmatically on any individual cookie by setting the HttpOnly property of the

HttpCookie object to true. However, it is easier and more reliable to configure the application to automatically enable HttpOnly

for all cookies. To do this, set the httpOnlyCookies attribute of the httpCookies element to true.

2. Setting the HttpOnly property to true does not prevent an attacker with access to the network channel from accessing the

cookie directly. Consider using Secure Sockets Layer (SSL) to help protect against this. Workstation security is also important,

as a malicious user could use an open browser window or a computer containing persistent cookies to obtain access to a Web site

with a legitimate user's identity.

web.config中的HttpCookie.HttpOnly属性的更多相关文章

  1. WCF项目问题2-无法激活服务,因为它需要 ASP.NET 兼容性。没有未此应用程序启用 ASP.NET 兼容性。请在 web.config 中启用 ASP.NET 兼容性,或将 AspNetCompatibilityRequirementsAttribute.AspNetCompatibilityRequirementsMode 属性设置为 Required 以外的值。

    无法激活服务,因为它需要 ASP.NET 兼容性.没有未此应用程序启用 ASP.NET 兼容性.请在 web.config 中启用 ASP.NET 兼容性,或将 AspNetCompatibility ...

  2. web.config中配置页面出错后跳转指定错误页面

    每当用户访问错误页面时,会出现不友好的404错误,所以为了防止这种不友好,我们在web.config中的<system.web>节点下配置 <customErrors>,在出现 ...

  3. ASP.Net Web.config 中引用外部config文件

    1. 前提准备: Web.config file: <?xml version="1.0" encoding="utf-8"?><config ...

  4. web.config中sessionState节点的配置方案

    web.config中sessionState节点的配置方案 web.config关于sessionState节点的配置方案,sessionState有五种模式:Custom,off,inProc,S ...

  5. web.config中<customErrors>节点

    错误提示: “/”应用程序中的服务器错误.------------------------------------------------------------------------------- ...

  6. web.config中configSections section节 -Z

    由于最近一个项目的数据库变动比较频繁, 为了减少数据层的负担, 打算采用.net的MVC框架, 使用LINQ对付数据层.       这个框架的web.config文件里出现了configSectio ...

  7. ASP.NET web.config中数据库连接字符串connectionStrings节的配置方法

    ASP.NET web.config中数据库连接字符串connectionStrings节的配置方法 第一种情况,本地开发时,使用本地数据库,如下面的代码 <connectionStrings& ...

  8. web.config中的InProc模式 与 StateServer模式[转]

    开发asp.net应用时,修改web.config中的SessionState节点. <sessionState mode="StateServer" stateConnec ...

  9. asp.net mvc 3 配置全局错误处理 Web.config中设置CustomError

    摘自: http://www.myexception.cn/web/1130191.html asp.net mvc 配置全局异常处理 Web.config中设置CustomError Web.con ...

随机推荐

  1. CocoaPods使用详细说明

    使用说明: 原文:http://blog.csdn.net/lizhongfu2013/article/details/26384029 http://blog.csdn.net/showhillle ...

  2. bzoj1091: [SCOI2003]切割多边形

    Description 有一个凸p边形(p<=8),我们希望通过切割得到它.一开始的时候,你有一个n*m的矩形,即它的四角的坐标分别为(0,0), (0,m), (n,0), (n,m).每次你 ...

  3. HDU 2222 关键词查找

    题目大意:给出一篇文章,长度最多1000000,若干个关键词,关键词有可能重复.关键词不超过10000,每个关键词不超过50个字符.请问该文章包含多少个关键词. 这是AC自动机的入门题.首先将关键词分 ...

  4. HTML DOM元素的Dragdrop

    在前端web页面中,为了提高用户体验,通常会希望将页面中的元素设计成可dragdop的,简化用户操作.这一设计特性在缺少鼠标的触摸屏设备上,显得更为重要. 在早期的应用中,我们通常需要借助第三方的ja ...

  5. 在macos上利用vmware fusion安装Ubuntu

    1. 安装vmware fusion http://www.vmware.com/products/fusion 下载以后,可以在网上找注册码,最好下载最新的,这里下载的是7的版本 2. 下载ubun ...

  6. POJ 2528 Mayor's posters(线段树+离散化)

    Mayor's posters 转载自:http://blog.csdn.net/winddreams/article/details/38443761 [题目链接]Mayor's posters [ ...

  7. [转]细说Redis监控和告警

    原文  https://zhuoroger.github.io/2016/08/20/redis-monitor-and-alarm/? 对于任何应用服务和组件,都需要一套完善可靠谱监控方案. 尤其r ...

  8. EventBus--介绍

    注意: 1,post()方法里面的类型和onEvent()中的类型要一致., 2,订阅者对象中 必须有 onEvent 的 public 方法     ---public void onEvent(O ...

  9. Windows消息机制知识点总结

    1.windows消息类型 以下四种,前三种是系统消息,范围在[0x0000, 0x03ff],第四种是用户自定义消息. 1.1 窗口消息 与窗口的内部运作有关,如创建窗口,绘制窗口,销毁窗口等.可以 ...

  10. sencha touch百度地图扩展

    扩展代码如下: Ext.define('ux.BMap', { alternateClassName: 'bMap', extend: 'Ext.Container', xtype: 'bMap', ...