# White-box Testing
###### tags: `security` `programming`
## Unsafe Binding
Add `[ValidateAntiForgeryToken]` to the action.
## Problems when using Bind
Add `[PrincipalPermission(SecurityAction.Demand, Authenticated = true)]` to enforce authorization.
## Path Traversal
Strip `/` and `..` from the input:
```
source = source.Replace("/", "").Replace("..", "");
```
Example: `fileName = fileName.Replace("/", "").Replace("..", "");`
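As an added example (not code from the original note), the following puts the note's `Replace()` filter next to a stricter check that keeps only the file-name component, resolves the final path, and verifies it still lies under the intended directory. The base directory, the sample file names and the class name `SafeFileAccess` are constructed for the demo.

```csharp
// Added example: the note's Replace()-based filter beside a path-containment check.
using System;
using System.IO;

public static class SafeFileAccess
{
    // The note's approach: strip "/" and ".." from the name.
    public static string StripSeparators(string fileName)
    {
        return fileName.Replace("/", "").Replace("..", "");
    }

    // Stricter approach: accept a bare file name only, then resolve the full
    // path and confirm it is inside baseDir. Returns null when rejected.
    public static string ResolveUnderBase(string baseDir, string fileName)
    {
        if (string.IsNullOrEmpty(fileName)) return null;

        // Path.GetFileName drops any directory part, including "..\" on Windows,
        // which the Replace("/") filter alone leaves in place.
        string name = Path.GetFileName(fileName);
        if (name.Length == 0 || name != fileName) return null; // a directory part was present

        string root = Path.GetFullPath(baseDir).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, name));

        // Case-insensitive comparison matches the Windows file system IIS runs on.
        return full.StartsWith(root, StringComparison.OrdinalIgnoreCase) ? full : null;
    }

    public static void Main()
    {
        // Constructed base directory and sample inputs.
        string baseDir = Path.Combine(Path.GetTempPath(), "uploads");
        string[] samples = { "report.pdf", "../web.config", "..\\web.config", "sub/report.pdf", ".." };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-16} strip => {1,-12} resolve => {2}",
                s, StripSeparators(s), ResolveUnderBase(baseDir, s) ?? "(rejected)");
        }
    }
}
```

Only `report.pdf` passes the containment check; the other inputs are rejected rather than silently rewritten, which also makes the rejection easy to log.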
## Heap Inspection
```
// Wrap the password in a SecureString via NetworkCredential.
SecureString userPWDString = new NetworkCredential("", "1qaz@WSX").SecurePassword;
// Reading .Password re-creates a plaintext string copy on the managed heap.
string userPWD = new NetworkCredential("", userPWDString).Password;
```
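As an added example (not code from the original note), the following keeps the password inside a `SecureString` for its whole lifetime and hands it to `NetworkCredential` without ever reading `.Password` back. The user name, the sample characters and the class name `SecurePasswordDemo` are constructed.

```csharp
// Added example: build, use and dispose a SecureString without a plaintext round trip.
using System;
using System.Net;
using System.Security;

public static class SecurePasswordDemo
{
    // Append one character at a time so no System.String holding the whole
    // password is created (a string lingers on the heap until collected, which
    // is what a Heap Inspection finding refers to). The source array is cleared.
    public static SecureString FromChars(char[] chars)
    {
        var secure = new SecureString();
        foreach (char c in chars) secure.AppendChar(c);
        Array.Clear(chars, 0, chars.Length);
        secure.MakeReadOnly(); // no further changes once captured
        return secure;
    }

    // Interactive variant: read key by key without echo.
    public static SecureString ReadFromConsole()
    {
        var secure = new SecureString();
        ConsoleKeyInfo key;
        while ((key = Console.ReadKey(intercept: true)).Key != ConsoleKey.Enter)
        {
            if (key.Key == ConsoleKey.Backspace)
            {
                if (secure.Length > 0) secure.RemoveAt(secure.Length - 1);
            }
            else if (!char.IsControl(key.KeyChar))
            {
                secure.AppendChar(key.KeyChar);
            }
        }
        secure.MakeReadOnly();
        return secure;
    }

    // NetworkCredential accepts the SecureString directly, so our code never
    // has to materialise the plaintext.
    public static NetworkCredential BuildCredential(string user, SecureString password)
    {
        return new NetworkCredential(user, password);
    }

    public static void Main()
    {
        // Constructed sample characters; in a real app they come from ReadFromConsole()
        // or a secret store, never from a string literal.
        char[] sample = { 'd', 'e', 'm', 'o', '!' };

        using (SecureString pwd = FromChars(sample))
        {
            NetworkCredential cred = BuildCredential("demo-user", pwd); // constructed user name
            // Pass 'cred' to the HTTP client or directory API here.
            // Do not read cred.Password: that creates a plaintext string copy.
            Console.WriteLine("Credential for {0}, password length {1}",
                cred.UserName, cred.SecurePassword.Length);
        }
        // Dispose() zeroes the SecureString buffer when the using block ends.
    }
}
```

`SecureString` only helps if nothing downstream converts it back; if the consuming API takes a plain `string`, the finding moves to that call rather than going away.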
## HTTP Response Splitting
Filter out `\r` and `\n`:
```
bon = bon.Replace("\r", "");
bon = bon.Replace("\n", "");
```
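As an added example (not code from the original note), the following wraps the note's two `Replace()` calls in a helper and applies it to both places where user input reaches a response header: a `Content-Disposition` header and a redirect `Location`. The controller, the parameter names `bon` and `next`, and the sample values are constructed.

```csharp
// Added example: sanitise any value before it becomes part of a response header.
using System.Text;
using System.Web.Mvc;

public static class HeaderSanitizer
{
    // Remove CR and LF (the note's two Replace() calls) and other control
    // characters, since a header value must never span lines.
    public static string StripCrlf(string value)
    {
        if (value == null) return string.Empty;
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == '\r' || c == '\n' || char.IsControl(c)) continue;
            sb.Append(c);
        }
        return sb.ToString();
    }
}

public class DownloadController : Controller
{
    // Constructed action: the file name comes from the request (parameter "bon").
    public ActionResult File(string bon)
    {
        // A value such as "report.txt\r\nX-Injected: 1" would otherwise be
        // written into the header stream as a second header line.
        string safeName = HeaderSanitizer.StripCrlf(bon).Replace("\"", "");
        Response.AddHeader("Content-Disposition", "attachment; filename=\"" + safeName + "\"");
        return Content("file body placeholder", "text/plain");
    }

    // Constructed action: redirect target from the request (parameter "next").
    public ActionResult Go(string next)
    {
        // Location is a header too, so it gets the same treatment.
        string target = HeaderSanitizer.StripCrlf(next);
        if (!Url.IsLocalUrl(target)) target = "/"; // also blocks open redirects
        return Redirect(target);
    }
}
```

ASP.NET's `httpRuntime enableHeaderChecking` (default `true`) already rejects CR/LF in header values at runtime, but the scanner flags the data flow regardless; stripping the characters before the call both satisfies the rule and turns a 500 error into a clean response.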
## Missing HSTS Header
The HTTP Strict-Transport-Security response header (HSTS) tells the browser to enforce HTTPS instead of HTTP.
```
Response.AddHeader("Strict-Transport-Security", "max-age=7776000; includeSubdomains");
```
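As an added example (not code from the original note), the following emits the note's HSTS header from `Global.asax` for every response, but only on HTTPS responses, since browsers ignore HSTS received over plain HTTP; plain-HTTP GET/HEAD requests are redirected so the browser can receive the policy. The class name and the redirect logic are assumptions.

```csharp
// Added example: send HSTS application-wide, only over HTTPS.
using System;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Same value as in the note: 90 days, including subdomains.
    private const string HstsValue = "max-age=7776000; includeSubdomains";

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest request = Context.Request;
        HttpResponse response = Context.Response;

        if (request.IsSecureConnection)
        {
            response.AddHeader("Strict-Transport-Security", HstsValue);
            return;
        }

        // Only GET and HEAD are safe to redirect; other verbs would lose their body.
        if (request.HttpMethod == "GET" || request.HttpMethod == "HEAD")
        {
            var builder = new UriBuilder(request.Url)
            {
                Scheme = Uri.UriSchemeHttps,
                Port = -1 // use the default port for the scheme
            };
            response.RedirectPermanent(builder.Uri.ToString(), endResponse: true);
        }
    }
}
```

If TLS is terminated at a load balancer, `Request.IsSecureConnection` is `false` on the web server; in that case check the forwarded-proto header the balancer sets instead, otherwise every request would be redirected in a loop.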
## RequireSSL
```
<system.web>
  <httpCookies requireSSL="true" />
</system.web>
```
## Information Exposure Through an Error Message
Add a custom `[MyErrorHandler]`.
Check how the front-end JavaScript consumes the returned data.
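As an added example (not code from the original note), here is one possible implementation of the `[MyErrorHandler]` attribute the note mentions. It logs the full exception server-side and returns only a generic message plus a correlation id to the client: as JSON for AJAX calls, so the front-end script gets a predictable shape, and as the `Error` view otherwise. The logger call, the JSON shape and the view name are assumptions.

```csharp
// Added example: a HandleErrorAttribute that hides exception details from the client.
using System;
using System.Diagnostics;
using System.Net;
using System.Web.Mvc;

public class MyErrorHandlerAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled) return;

        // The correlation id lets support find the server-side log entry without
        // sending the stack trace or message text to the browser.
        string correlationId = Guid.NewGuid().ToString("N");
        Trace.TraceError("[{0}] {1}", correlationId, filterContext.Exception); // placeholder for your logger

        var response = filterContext.HttpContext.Response;
        response.Clear();
        response.StatusCode = (int)HttpStatusCode.InternalServerError;
        response.TrySkipIisCustomErrors = true; // keep our body instead of the IIS error page

        if (filterContext.HttpContext.Request.IsAjaxRequest())
        {
            // Shape the front-end JavaScript can rely on: { error, id }
            filterContext.Result = new JsonResult
            {
                Data = new { error = "An unexpected error occurred.", id = correlationId },
                JsonRequestBehavior = JsonRequestBehavior.AllowGet
            };
        }
        else
        {
            // The Error view receives only the id; it must not render the exception.
            filterContext.Result = new ViewResult
            {
                ViewName = "Error",
                ViewData = new ViewDataDictionary<string>(correlationId)
            };
        }

        filterContext.ExceptionHandled = true;
    }
}

// Register once for all controllers in App_Start/FilterConfig.cs (assumed location):
// filters.Add(new MyErrorHandlerAttribute());
```

Keep `<customErrors mode="On">` in web.config as well, so exceptions thrown outside the MVC pipeline (for example in handlers or during routing) also get a generic page.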
## DebugEnabled
```
<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
</configuration>
```
## SlidingExpiration
```
<authentication mode="Forms">
  <forms loginUrl="member_login.aspx"
         name=".ASPXFORMSAUTH"
         cookieless="UseCookies"
         requireSSL="true"
         slidingExpiration="false" />
</authentication>
```
## Missing Content Security Policy
See [移除IIS和ASP.NET 版本資訊並加上完整的 security headers](/@2rG2cGnwQAC2aopRdTI_Hw/H1L1ZxHC7) for more complete material.
```
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="Content-Security-Policy"
           value="default-src 'none'; script-src 'self'; connect-src 'self'; img-src 'self'; style-src 'self';" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```