Code vulnerability scanning description cross site history manipulation solution [dongcoder. Com]

Explain the function of static keyword and final keyword in Java in detail>>>

Code vulnerability scanning

Vulnerability Description: cross site history manipulation

Brief description: product behavior differences or sending different responses, to some extent, expose the product status related to security, such as whether a specific operation
is successful or not
possible vulnerability elimination methods:

Distinguish the “safe” areas of your system, which can clearly draw trust boundaries. Sensitive data is not allowed to go outside the trust boundary
, so it is necessary to be careful when interacting with the space outside the security zone
set the general response for the error condition. This error page should not reveal information about successful or failed sensitive operations. For example,
the login page should not confirm that the login is correct and the password is wrong. The attacker wants to guess some of the correct
account names by trying to enter random account names. Confirming the presence of an account will make the login page more vulnerable to brute force attacks

Solution:

After the verification is successful, there is a page Jump. At this time, add a random number to the page, as follows:

Response.Redirect("dongcoder.aspx?rand=" + Common.getRandValue());

:

, like RandValue,

public static string getRandValue()
    {
        string randValue = "";
        using (RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider())
        {
            byte[] data = new byte[4];
            rng.GetBytes(data);
            Int32 value = BitConverter.ToInt32(data, 0);
            if (value < 0) value = -value;
            randValue = value.ToString();
        }
        return randValue;
    }

  

Need to add reference

using System.Security.Cryptography;

  

Another method of generating random numbers is used here. If the common random method is used, the vulnerability will continue to be exposed

Excerpt: Code vulnerability scanning description cross site history manipulation solution

Similar Posts: