Is EnableHeaderChecking = true sufficient to prevent HTTP header injection attacks?

Question:

Is it sufficient to have System.Web.Configuration.HttpRuntimeSection.EnableHeaderChecking set to true (default) to fully prevent Http Header Injection attacks like Response Splitting etc.?

I'm asking because a white box penetration testing tool (fortify) reports exploitable http header injection issues with HttpResponse.Redirect and cookies but I haven't found a way to successfully perform an attack. (edit:..and we have EnableHeaderChecking turned on..)

I've been looking at this for some time now and have drawn the conclusion that setting EnableHeaderChecking to true is in fact good enough to prevent http header injection attacks.

Looking at 'reflected' ASP.NET code, I found that:

  1. There is only one way to add custom HTTP headers to an HTTP response, namely using the HttpResponse.AppendHeader method
  2. HttpResponse.AppendHeader either
    • creates instances of HttpResponseHeader (internal)
    • or calls HttpResponseHeader.MaybeEncodeHeader (for IIS7WorkerRequests)
    • or assigns its respective properties (for known headers like RedirectLocation or ContentType)

Here is a snippet to roughly demonstrate how I tested:

// simple http response splitting attack
Response.AddHeader("foo", "bar\n" + 
    // injected http response, bad if user provided
    "HTTP/1.1 200 OK\n" + 
    "Content-Length: 19\n" +
    "Content-Type: text/html\n\n" +
    "<html>danger</html>"
);

The above only works if you explicitly turn EnableHeaderChecking off:

<httpRuntime enableHeaderChecking="false"/>

Fortify simply doesn't take configuration into account (setting EnableHeaderChecking explicitly had no effect) and thus always reports these types of issues.
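As an added example that is not part of the original answer, here is a small Python model of the check the answer describes: when header checking is on, CR and LF in a response header value are encoded as %0d and %0a (the encoding MaybeEncodeHeader applies; the exact characters are my assumption from the documented behaviour), so the payload from the answer's test collapses into a single header line instead of a second response. The function names and the minimal response serialiser are mine, not ASP.NET's.

```python
"""Model of ASP.NET enableHeaderChecking (constructed example, not ASP.NET code).

With checking on, CR/LF inside a header value are percent-encoded, so an
injected "second response" stays inside one header line."""


def encode_header_value(value: str, header_checking: bool = True) -> str:
    """Apply the CR/LF encoding header checking performs (assumed %0d / %0a)."""
    if not header_checking:
        return value
    return value.replace("\r", "%0d").replace("\n", "%0a")


def build_response(headers: list, body: str, header_checking: bool = True) -> str:
    """Serialise a minimal HTTP/1.1 response with the given (name, value) headers."""
    lines = ["HTTP/1.1 200 OK"]
    for name, value in headers:
        lines.append(f"{name}: {encode_header_value(value, header_checking)}")
    lines.append(f"Content-Length: {len(body)}")
    lines.append("")  # end of headers
    lines.append(body)
    return "\r\n".join(lines)


def count_status_lines(raw: str) -> int:
    """Lines a line-oriented client would read as a status line.
    More than one means the response was split."""
    return sum(1 for line in raw.splitlines() if line.startswith("HTTP/1."))


# The same header value the answer tests with (constructed input).
SPLIT_PAYLOAD = ("bar\n"
                 "HTTP/1.1 200 OK\n"
                 "Content-Length: 19\n"
                 "Content-Type: text/html\n\n"
                 "<html>danger</html>")


def demo(header_checking: bool) -> int:
    """Serialise a response carrying the payload and count status lines."""
    raw = build_response([("foo", SPLIT_PAYLOAD)], "ok", header_checking)
    return count_status_lines(raw)


if __name__ == "__main__":
    print("enableHeaderChecking=false ->", demo(False), "status line(s)")  # 2
    print("enableHeaderChecking=true  ->", demo(True), "status line(s)")   # 1
```

The count_status_lines check is also a cheap way to spot splitting in captured responses when verifying a scanner finding like the Fortify one above.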