Preparing an ASP.Net website for penetration testing

Brian Scott · Nov 8, 2010 · Viewed 14.4k times

Over the years I have had a few of the websites I have developed submitted for penetration testing by clients. Most of the time the issues that are highlighted when the results return relate to the default behaviour of ASP .Net such as possible cross site scripting attacks etc.

Are there any good articles on which vulnerabilities exist by default in an ASP .Net application and secondly are there any good checklists to follow which will help prepare a site in advance?

Answer

Aristos · Nov 12, 2010

I think that the checklist changes over time, and it is theory together with experience. I always check my log files and see new ways that they try to penetrate my site - like scans on "non existing" files, or trying to run random queries.

A good page that has many articles on penetration: http://www.cgisecurity.com/pentest.html

Some of the ways they try to penetrate my sites.

Most common

  • SQL injections, so I check and block users that call my sites with the "select" command on the URL line. I also check for other SQL commands.
  • Forgotten javascript file browser: I see that lately they search for links like: wwwmysite.com/plugins/editors/tinymce/jscripts/tiny_mce/plugins/tinybrowser/tinybrowser.php?type=file&folder=

To find them I monitor the "Page not found" event. Of course if the page is found then they have penetrated. However, it's more likely to see failed tries and see what they are looking for.

Oracle attack

These days I also see a lot of oracle attacks. I find them and block the full IP of the attacker using this code: CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed

Stealing cookies

I also follow the answers from this question: Can some hacker steal the cookie from a user and login with that name on a web site?
Main points: always use SSL encryption on login cookies (requireSSL=true), and do not place roles in cookies (cacheRolesInCookies=false).

Block in advance

I also block blacklisted IPs from inside the system/program/IIS, but in the past I have used PeerGuardian. Also there you can find a lot of bad IP lists that you can block in advance. My only note on these bad IPs is that I do not block them forever, but only for some days. The block of bad IPs also helps me with the hundreds of spam emails. http://phoenixlabs.org/pg2/

Investigate the Log

I think that there are many ways that people can think of and try to penetrate your site. The point is how you can predict them and log them before that happens, and always make a better mechanism to avoid them. As I say, I monitor the page not found and the internal errors that pages throw. These 2 methods show me a lot of penetration attempts.

Uploading scripts

If you have given access to uploading files, images and other stuff, make sure that they cannot be run in the upload directory. This can be done either by double checking the extension of the file and also by disabling the running of programs and scripts in that directory, from the server itself, but also by placing a web.config in the upload directory with:

<configuration>
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
</configuration>

Read one case: I've been hacked. Evil aspx file uploaded called AspxSpy. They're still trying. Help me trap them‼
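The answer above describes three log signals (SQL keywords in the URL, "Page not found" events, and the CryptographicException / ViewState MAC errors that padding-oracle probing produces) plus a time-limited IP block. The following is an added example, not Aristos's code or anything from the linked posts: an ASP.NET (.NET Framework) IHttpModule that wires those three signals into one mechanism and blocks a client for a few days rather than forever. ProbeBlockingModule, BlockThreshold, BlockDuration, the keyword list and the log format are all assumptions made for this example.

```csharp
// Added example (not from the original answer): one IHttpModule that implements the
// answer's log-and-block approach for ASP.NET on the .NET Framework.
//   1. SQL keyword in the URL                      -> record a probe, refuse the request
//   2. "Page not found" (HTTP 404)                 -> record a probe
//   3. CryptographicException / ViewStateException -> record a probe (padding-oracle signature)
// An IP that accumulates BlockThreshold probes is blocked for BlockDuration (days, not forever).
// Class and constant names below are assumptions for this example.
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class ProbeBlockingModule : IHttpModule
{
    private const int BlockThreshold = 5;                                  // assumed value
    private static readonly TimeSpan BlockDuration = TimeSpan.FromDays(3); // assumed value

    // Coarse heuristic: keyword followed by a space, to limit hits on ordinary words.
    private static readonly string[] SqlKeywords =
        { "select ", "union ", "insert ", "update ", "delete ", "drop ", "exec " };

    private class ClientState { public int Probes; public DateTime BlockedUntil; }

    // Shared across requests and threads; in-process only, so not shared across a web farm.
    private static readonly ConcurrentDictionary<string, ClientState> Clients =
        new ConcurrentDictionary<string, ClientState>();

    public void Init(HttpApplication app)
    {
        app.BeginRequest += OnBeginRequest;
        app.EndRequest += OnEndRequest;
        app.Error += OnError;
    }

    public void Dispose() { }

    private static string ClientIp(HttpContext ctx) { return ctx.Request.UserHostAddress ?? "unknown"; }

    private static void Refuse(HttpContext ctx, int status)
    {
        ctx.Response.StatusCode = status;
        ctx.Response.SuppressContent = true;
        ctx.ApplicationInstance.CompleteRequest(); // skip the rest of the pipeline
    }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string ip = ClientIp(ctx);
        DateTime now = DateTime.UtcNow;

        if (IsBlocked(ip, now)) { Refuse(ctx, 403); return; }

        if (ContainsSqlKeyword(ctx.Request.RawUrl))
        {
            RecordProbe(ip, "sql-keyword-in-url", ctx.Request.RawUrl, now);
            Refuse(ctx, 400);
        }
    }

    private static void OnEndRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Response.StatusCode == 404)
            RecordProbe(ClientIp(ctx), "page-not-found", ctx.Request.RawUrl, DateTime.UtcNow);
    }

    private static void OnError(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        // Walk the InnerException chain: ASP.NET wraps the real exception in HttpUnhandledException.
        for (Exception ex = ctx.Server.GetLastError(); ex != null; ex = ex.InnerException)
        {
            if (ex is CryptographicException || ex is ViewStateException)
            {
                RecordProbe(ClientIp(ctx), ex.GetType().Name, ctx.Request.RawUrl, DateTime.UtcNow);
                break;
            }
        }
    }

    // The methods below take no HttpContext, so they can be unit-tested directly.

    public static bool ContainsSqlKeyword(string rawUrl)
    {
        if (string.IsNullOrEmpty(rawUrl)) return false;
        // UrlDecode also turns '+' into a space, so "select+1" is caught as well.
        string decoded = HttpUtility.UrlDecode(rawUrl).ToLowerInvariant();
        foreach (string kw in SqlKeywords)
            if (decoded.Contains(kw)) return true;
        return false;
    }

    public static bool IsBlocked(string ip, DateTime now)
    {
        ClientState state;
        if (!Clients.TryGetValue(ip, out state)) return false;
        if (state.BlockedUntil > now) return true;
        if (state.BlockedUntil != DateTime.MinValue)   // block has expired: forget the client
            Clients.TryRemove(ip, out state);
        return false;
    }

    public static void RecordProbe(string ip, string kind, string url, DateTime now)
    {
        ClientState state = Clients.GetOrAdd(ip, _ => new ClientState());
        int probes;
        lock (state)
        {
            probes = ++state.Probes;
            if (probes >= BlockThreshold) state.BlockedUntil = now + BlockDuration;
        }
        // The log line to review later, as in the "Investigate the Log" step of the answer.
        Trace.TraceWarning("probe kind={0} ip={1} url={2} count={3}{4}",
            kind, ip, url, probes, probes >= BlockThreshold ? " BLOCKED" : "");
    }
}
```

Register the module in web.config under `<system.webServer><modules>` with `<add name="ProbeBlocking" type="ProbeBlockingModule" />` (integrated pipeline). Two caveats when reviewing the resulting log: behind a reverse proxy or load balancer, Request.UserHostAddress is the proxy's address, so a block would affect every client behind it unless you derive the address from a header you trust; and the keyword check is deliberately coarse, so expect to tune the list after watching what legitimate traffic on your own site looks like.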