[Owasp-delhi] Fw: Owasp-delhi Digest, Vol 27, Issue 8
nileshkumar83 at gmail.com
Wed Oct 28 09:59:47 EDT 2009
Hi Angad,
Thank you for writing to me.
>
> In case of applications specific to ASP.NET there are additional control
> points which one can have in the application, like the parameters in
> web.config such as HttpOnly for protecting against cross site
> scripting attacks and cross site tracing. Apart from a couple of settings in
> web.config there are a lot of things such as code access security and
> impersonation.
>
> So I have a simple query: do you guys recommend these settings in your company
> to your client or not? And secondly, do we have any automated tools available
> to check for these settings?
>
>
The answer is yes, we recommend (and actually must), depending on the
vulnerability found in the ASP.NET application. This is a good practice if you
are going to be more helpful to the client in fixing up the flaws.
For example, for error handling you can suggest them to have this kind of
setting in the web.config file:
<customErrors mode="RemoteOnly" defaultRedirect="~/errors/GeneralError.aspx" />
Or even for ViewState encryption you might set the following:
<pages theme="Default" viewStateEncryptionMode="Always"
enableViewStateMac="true"></pages>
Regarding any tool for checking the settings in web.config, I am not aware
of any.
Hope I have answered your question; if you have any query, please feel free to
revert back.
--
Thanks & Regards,
Nilesh Kumar,
Engineer-Security| Honeywell Technology Solutions
http://www.honeywell.com/
www.nileshkumar83.blogspot.com
www.linkedin.com/in/nileshkumar83
Mobile- +91-9019076487
_______________________________Honeywell
Honeywell Technology Solutions Lab
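The reply above says it knows of no tool for checking these web.config settings. The following is an added example, not code from the thread or from OWASP Delhi: a small static checker that parses a web.config and reports the settings discussed here (customErrors mode, ViewState encryption and MAC, HttpOnly cookies) and, going a little beyond the two snippets in the reply, the compilation debug and trace flags that a hardening review usually checks alongside them. The element and attribute names are the real ASP.NET `<system.web>` ones; the two sample configurations and the check ids are constructed for this example.

```python
# Added example (not from the mailing-list thread): a static checker for the
# web.config hardening settings discussed above. Tag/attribute names are the
# real ASP.NET <system.web> ones; the two sample configs are constructed here.
import xml.etree.ElementTree as ET

# Constructed sample: a web.config with the weak values a review would flag.
WEAK_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <httpCookies httpOnlyCookies="false" />
    <pages theme="Default" viewStateEncryptionMode="Auto" enableViewStateMac="false" />
    <trace enabled="true" />
  </system.web>
</configuration>
"""

# Constructed sample: the same file with the settings recommended in the thread.
HARDENED_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/errors/GeneralError.aspx" />
    <httpCookies httpOnlyCookies="true" />
    <pages theme="Default" viewStateEncryptionMode="Always" enableViewStateMac="true" />
    <trace enabled="false" />
  </system.web>
</configuration>
"""


def _attr(root, tag, name):
    """Return attribute `name` of the first <tag> anywhere in the document,
    or None if the element or the attribute is absent (reported as 'not set')."""
    el = root.find(".//" + tag)
    return None if el is None else el.get(name)


def check_web_config(xml_text):
    """Return a list of (check_id, observed_value, advice) tuples, one for every
    setting that is missing or weaker than the value recommended in the thread."""
    root = ET.fromstring(xml_text)
    findings = []

    def weak(check_id, observed, advice):
        findings.append((check_id, observed, advice))

    def norm(value):
        # Config booleans/enums are compared case-insensitively.
        return None if value is None else value.strip().lower()

    debug = norm(_attr(root, "compilation", "debug"))
    if debug == "true":
        weak("compilation.debug", debug, 'set debug="false" in production')

    mode = norm(_attr(root, "customErrors", "mode"))
    if mode is None:
        weak("customErrors.mode", None, 'set mode="RemoteOnly" (or "On") explicitly')
    elif mode == "off":
        weak("customErrors.mode", mode, 'error details reach clients; use "RemoteOnly"')

    http_only = norm(_attr(root, "httpCookies", "httpOnlyCookies"))
    if http_only != "true":
        weak("httpCookies.httpOnlyCookies", http_only, 'set httpOnlyCookies="true"')

    mac = norm(_attr(root, "pages", "enableViewStateMac"))
    if mac == "false":
        weak("pages.enableViewStateMac", mac, "never disable the ViewState MAC")

    enc = norm(_attr(root, "pages", "viewStateEncryptionMode"))
    if enc != "always":
        weak("pages.viewStateEncryptionMode", enc, 'set viewStateEncryptionMode="Always"')

    trace = norm(_attr(root, "trace", "enabled"))
    if trace == "true":
        weak("trace.enabled", trace, "disable tracing, or at least restrict it to localOnly")

    return findings


def finding_ids(xml_text):
    """Only the check ids, for a quick pass/fail summary."""
    return [finding[0] for finding in check_web_config(xml_text)]


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label + ":")
        for check_id, observed, advice in check_web_config(cfg):
            print("  %-32s observed=%r  %s" % (check_id, observed, advice))
```

Running the block prints six findings for the weak sample and none for the hardened one; to check a real file, read it and pass the text to `check_web_config`. A missing `customErrors` element is reported as well, because the effective value then comes from machine.config rather than from the file under review, which is exactly what a reviewer wants to be told rather than silently assume.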