web config - How to mitigate an HTTP Parameter Pollution vulnerability in the ASP.NET Web Forms application for the IA404error.a

We ran a security scan for our application which is ASP.NET Web Forms and received the following report

Proof The parameter 'aspxerrorpath' has been injected a second time and the value 'was-tnb-wgbTfJMb' is present in the 'href' attribute of 'a' tag

Output The scanner was able to detect a possible Client-Side HTTP Parameter Pollution

That is how the IA404error.aspx is referenced in the Web.config

<customErrors mode="RemoteOnly" defaultRedirect="generalerror.aspx">
  <error statusCode="404" redirect="IA404error.aspx" /> 
</customErrors>

The codebehind for the IA404error page is the following

public partial class IA404error : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }
}

How can we mitigate this vulnerability?

edited Mar 24 at 20:20 by halfer; asked Mar 19 at 19:12 by James
  • Sounds like the answer might lie in IA404error.aspx – Dan Getz Commented Mar 19 at 19:18
  • Should I code the solution in the codebehind for the IA404error.aspx or in the global.asax? – James Commented Mar 19 at 19:25

1 Answer

Here is the solution that worked for us

        protected void Page_Load(object sender, EventArgs e)
        {
            // If any query-string parameter is supplied more than once,
            // redirect to the error page without a query string.
            if (Request != null && Request.QueryString != null &&
                drms_utilities.DoesQueryStringHaveSameParameters(Request.QueryString))
            {
                Response.Redirect("IA404error.aspx");
            }
        }


         ................

        // Requires: using System.Collections.Specialized;
        // Returns true when at least one parameter name occurs more than once.
        public static bool DoesQueryStringHaveSameParameters(NameValueCollection parametersCollection)
        {
            foreach (string parameter in parametersCollection)
            {
                int times = parametersCollection.GetValues(parameter).Length;
                if (times > 1)
                {
                    return true;
                }
            }
            return false;
        }
