Fxcop ASP.NET Security Rules - an ASP.NET security rule pack customized for FxCop
Source: Internet  Published under: KMP algorithm next principle  Editor: 程序博客网  Time: 2024/05/16 08:05
http://fxcopaspnetsecurity.codeplex.com/
Project Description
Fxcop ASP.NET security rules
This is a set of code analysis rules aiming at analyzing ASP.NET and ASP.NET MVC security against best practices. The rules can be used by Visual Studio 2010 Ultimate or FxCop v10 standalone.
Installation
Simply run the installer and specify the rules folder of your FxCop installation. For Visual Studio it is normally C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Static Analysis Tools\FxCop\Rules
Available Rules
EnableEventValidationShouldBeTrue
Flags a page whose EnableEventValidation page directive is set to false. Event validation checks that postback and callback event arguments came from a control the page actually rendered; disabling it lets a client submit arbitrary event data.
ValidateRequestShouldBeEnabled
Flags a page whose ValidateRequest page directive is set to false, which turns off request validation (the built-in rejection of HTML-like input in query string, form and cookie values) for that page.
ViewStateEncryptionModeShouldBeAlways
Flags a page whose ViewStateEncryptionMode page directive is set to Never; Auto or Always is accepted.
EnableViewStateMacShouldBeTrue
Flags a page whose EnableViewStateMac page directive is set to false. Without the MAC the client can alter view state undetected. Since the September 2014 ASP.NET security update (Microsoft Security Advisory 2905247) the runtime ignores EnableViewStateMac="false" and always validates the MAC, but the directive should still not appear in code.
EnableViewStateShouldBeTrue
Flags a page whose EnableViewState page directive is set to false.
ViewStateUserKeyShouldBeUsed
Verifies that Page.ViewStateUserKey is assigned (typically in Page_Init, to a per-user value such as the session ID) so that view state is bound to the user and cannot be replayed in a CSRF attack.
DebugCompilationMustBeDisabled
Verifies that debug compilation (compilation debug="true" in web.config) is turned off. Debug builds cost performance and return detailed error information to the client.
CustomErrorPageShouldBeSpecified
Verifies that the customErrors section has a defaultRedirect URL, so that users are sent to a generic error page instead of the ASP.NET error output.
FormAuthenticationShouldNotContainFormAuthenticationCredentials
Verifies that no user names and passwords are stored under the credentials element of the forms authentication configuration.
EnableCrossAppRedirectsShouldBeTrue
Verifies the system.web.authentication.forms enableCrossAppRedirects setting. It controls whether forms authentication may redirect the user to a URL in another application or host after login. When it is false (the default), the return URL is restricted to the current application, which stops an attacker from using the login page to bounce a victim to another site (an open redirect, mostly used in phishing). Despite the ShouldBeTrue in the rule name, the secure value is false.
FormAuthenticationProtectionShouldBeAll
Verifies that the protection attribute of system.web.authentication.forms is set to All, so the authentication ticket is both encrypted and signed (validated) rather than only one of the two, or neither.
FormAuthenticationRequireSSLShouldBeTrue
Verifies that the requireSSL attribute of system.web.authentication.forms is set to true, which marks the authentication cookie with the Secure attribute so the browser only sends it over HTTPS.
FormAuthenticationSlidingExpirationShouldBeFalse
Verifies that system.web.authentication.forms slidingExpiration is false when the site is served over HTTP. With sliding expiration each request renews the ticket timeout; a fixed timeout limits how long a ticket captured from clear-text traffic can be replayed. When the cookie travels only over HTTPS it is far less likely to be intercepted, and sliding expiration can be kept for the better user experience.
HttpCookiesHttpOnlyCookiesShouldBeTrue
Verifies that the system.web.httpCookies httpOnlyCookies configuration setting is set to True which forces all cookies to be sent with the HttpOnly attribute.
HttpCookiesRequireSSLShouldBeTrue
Verifies that the system.web.httpCookies requireSSL configuration is set to True which forces all cookies to be sent with the secure attribute. This indicates the browser to only provide the cookie over SSL.
TraceShouldBeDisabled
Verifies that the system.web.trace enabled setting is set to false which disables tracing. It is recommended to disable tracing on production servers to make sure that an attacker cannot gain information from the trace about your application. Trace information can help an attacker probe and compromise your application.
AnonymousAccessIsEnabled
Looks in the web.config file to see if the authorization section allows anonymous access.
RoleManagerCookieProtectionShouldBeAll
Verifies that the system.web.rolemanager cookieProtection is set to All which enforces the cookie to be both encrypted and validated by the server.
RoleManagerCookieRequireSSLShouldBeTrue
Verifies that the system.web.rolemanager cookieRequireSSL attribute is set to True which forces the role manager cookie to specify the secure attribute. This directs the browser to only provide the cookie over SSL.
RoleManagerCookieSlidingExpirationShouldBeTrue
Verifies that system.web.roleManager cookieSlidingExpiration is false when the site is served over HTTP, so the role cookie has a fixed timeout instead of being renewed on every request; that limits how long a cookie captured from clear-text traffic can be replayed. Over HTTPS only, sliding expiration can be kept for the better user experience. As with the forms authentication rule, the secure value on HTTP is false despite the ShouldBeTrue in the rule name.
PagesEnableViewStateMacShouldBeTrue
Verifies that the viewstate mac is enabled.
PagesEnableEventValidationMustBeTrue
Verifies that event validation is enabled.
HttpRuntimeEnableHeaderCheckingShouldBeTrue
Verifies that the system.web.httpRuntime enableHeaderChecking attribute is true (its default). With header checking on, ASP.NET encodes carriage-return and line-feed characters found in response header values, so user-controlled data placed in a header (for example a redirect target) cannot inject additional headers or split the response. This is a different mechanism from request validation (ValidateRequest), which covers query string, form and cookie values.
PagesValidateRequestShouldBeEnabled
Verifies that validateRequest is enabled in the system.web.pages section.
PagesViewStateEncryptionModeShouldBeAlways
Verifies that viewStateEncryptionMode in the system.web.pages section is not Never.
CustomErrorsModeShouldBeOn
Verifies that system.web.customErrors mode is On or RemoteOnly, so detailed ASP.NET error pages (stack traces, source fragments, server paths) are not returned to remote users.
MarkVerbHandlersWithValidateAntiforgeryToken
Verifies that controller actions handling state-changing verbs (POST, PUT, DELETE) are marked with ValidateAntiForgeryTokenAttribute to protect ASP.NET MVC applications against CSRF. The attribute only works together with a token rendered into the form by Html.AntiForgeryToken().
ControllerActionShouldValidateInput
Verifies that ValidateInputAttribute is used properly: decorating a controller or action with ValidateInput(false) disables request validation for it, and any such action must encode or sanitise its input itself or it becomes an XSS entry point.
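The configuration rules above can be checked outside FxCop as well. The following Python script is an added example, not code from the FxCop ASP.NET Security Rules project: it parses a web.config and reports which of the rules listed above it violates. For an attribute the file does not set it uses the ASP.NET default (that default table is the script's assumption, as is the choice to check the forms and role-manager rules only when those features are enabled). The two embedded web.config samples are constructed for the example: one with the weak settings the rules catch, the other with the hardened values.

```python
import xml.etree.ElementTree as ET

# (rule, element under <configuration>, attribute, accepted values, ASP.NET default)
# Values compare case-insensitively.  The default is this script's assumption for
# an attribute that the file does not set.
ATTRIBUTE_RULES = [
    ("DebugCompilationMustBeDisabled", "system.web/compilation", "debug", {"false"}, "false"),
    ("CustomErrorsModeShouldBeOn", "system.web/customErrors", "mode", {"on", "remoteonly"}, "remoteonly"),
    ("HttpRuntimeEnableHeaderCheckingShouldBeTrue", "system.web/httpRuntime", "enableHeaderChecking", {"true"}, "true"),
    ("TraceShouldBeDisabled", "system.web/trace", "enabled", {"false"}, "false"),
    ("HttpCookiesHttpOnlyCookiesShouldBeTrue", "system.web/httpCookies", "httpOnlyCookies", {"true"}, "false"),
    ("HttpCookiesRequireSSLShouldBeTrue", "system.web/httpCookies", "requireSSL", {"true"}, "false"),
    ("PagesEnableViewStateMacShouldBeTrue", "system.web/pages", "enableViewStateMac", {"true"}, "true"),
    ("PagesEnableEventValidationMustBeTrue", "system.web/pages", "enableEventValidation", {"true"}, "true"),
    ("PagesValidateRequestShouldBeEnabled", "system.web/pages", "validateRequest", {"true"}, "true"),
    ("PagesViewStateEncryptionModeShouldBeAlways", "system.web/pages", "viewStateEncryptionMode", {"always", "auto"}, "auto"),
    # Forms-authentication rules, checked only when <authentication mode="Forms">.
    ("FormAuthenticationProtectionShouldBeAll", "system.web/authentication/forms", "protection", {"all"}, "all"),
    ("FormAuthenticationRequireSSLShouldBeTrue", "system.web/authentication/forms", "requireSSL", {"true"}, "false"),
    # The secure value is false: a login that may redirect to another host is an open redirect.
    ("EnableCrossAppRedirectsShouldBeTrue", "system.web/authentication/forms", "enableCrossAppRedirects", {"false"}, "false"),
    ("FormAuthenticationSlidingExpirationShouldBeFalse", "system.web/authentication/forms", "slidingExpiration", {"false"}, "true"),
    # Role-manager rules, checked only when <roleManager enabled="true">.
    ("RoleManagerCookieProtectionShouldBeAll", "system.web/roleManager", "cookieProtection", {"all"}, "all"),
    ("RoleManagerCookieRequireSSLShouldBeTrue", "system.web/roleManager", "cookieRequireSSL", {"true"}, "false"),
    ("RoleManagerCookieSlidingExpirationShouldBeTrue", "system.web/roleManager", "cookieSlidingExpiration", {"false"}, "true"),
]

def _attr(root, path, name, default):
    """Lower-cased attribute value of the element at path, or the default if absent."""
    el = root.find(path)
    value = el.get(name) if el is not None else None
    return (value if value is not None else default).lower()

def anonymous_access_allowed(root):
    """AnonymousAccessIsEnabled: <authorization> rules are evaluated top-down, the first
    rule naming the caller wins, and everyone is allowed when no rule matches."""
    auth = root.find("system.web/authorization")
    for rule in (auth if auth is not None else []):
        users = {u.strip() for u in rule.get("users", "").split(",")}
        if users & {"?", "*"}:  # "?" is the anonymous user, "*" is every user
            return rule.tag == "allow"
    return True

def audit(web_config_xml):
    """Return the sorted names of the rules above that the given web.config violates."""
    root = ET.fromstring(web_config_xml)
    forms_on = _attr(root, "system.web/authentication", "mode", "Windows") == "forms"
    roles_on = _attr(root, "system.web/roleManager", "enabled", "false") == "true"
    failures = []
    for rule, path, name, accepted, default in ATTRIBUTE_RULES:
        if path.endswith("/forms") and not forms_on:
            continue
        if path.endswith("/roleManager") and not roles_on:
            continue
        if _attr(root, path, name, default) not in accepted:
            failures.append(rule)
    if forms_on and root.find("system.web/authentication/forms/credentials") is not None:
        failures.append("FormAuthenticationShouldNotContainFormAuthenticationCredentials")
    if _attr(root, "system.web/customErrors", "defaultRedirect", "") == "":
        failures.append("CustomErrorPageShouldBeSpecified")
    if anonymous_access_allowed(root):
        failures.append("AnonymousAccessIsEnabled")
    return sorted(failures)

# Constructed sample: a typical development web.config carrying the weak settings.
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
    <trace enabled="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" enableCrossAppRedirects="true">
        <credentials passwordFormat="Clear"><user name="admin" password="admin" /></credentials>
      </forms>
    </authentication>
    <httpCookies httpOnlyCookies="false" />
    <pages enableViewStateMac="false" validateRequest="false" viewStateEncryptionMode="Never" />
  </system.web>
</configuration>"""

# Constructed sample: the same file with every setting the rules ask for.
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <trace enabled="false" />
    <httpRuntime enableHeaderChecking="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" protection="All" requireSSL="true"
             enableCrossAppRedirects="false" slidingExpiration="false" />
    </authentication>
    <authorization><deny users="?" /></authorization>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <roleManager enabled="true" cookieProtection="All" cookieRequireSSL="true" cookieSlidingExpiration="false" />
    <pages enableViewStateMac="true" enableEventValidation="true" validateRequest="true"
           viewStateEncryptionMode="Always" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WEB_CONFIG), ("hardened", HARDENED_WEB_CONFIG)):
        print(label, audit(cfg) or "no findings")
```

Running the script against a real web.config (read the file and pass its text to audit) gives the same rule names FxCop would report, which makes it easy to gate a deployment on an empty result. Note that the weak sample fails the forms requireSSL and sliding-expiration rules without mentioning those attributes at all: the ASP.NET defaults are the insecure values, so silence in the file is a finding.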
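For the two MVC rules, here is an added example (not the project's code) that approximates them at source level: the FxCop rules inspect compiled controllers, whereas this Python script scans controller source text for actions that handle POST, PUT or DELETE without ValidateAntiForgeryToken, and for actions that switch request validation off with ValidateInput(false). The sample controller is constructed for the example, and the regular expressions are a heuristic that assumes the attributes sit directly above a public method with a simple return type.

```python
import re

# Verbs whose handlers change state and therefore need the anti-forgery check.
STATE_CHANGING_VERBS = {"HttpPost", "HttpPut", "HttpDelete"}

# A run of [...] attribute blocks directly followed by a public action signature.
ACTION_RE = re.compile(r"((?:\s*\[[^\]]*\])+)\s*public\s+\w+\s+(\w+)\s*\(")

def _attributes(attr_block):
    """Yield (name, argument text) for every attribute in a run of [...] blocks,
    dropping a trailing 'Attribute' suffix so [ValidateInputAttribute(false)]
    and [ValidateInput(false)] read the same."""
    for inner in re.findall(r"\[([^\]]*)\]", attr_block):
        for name, args in re.findall(r"(\w+)\s*(\([^)]*\))?", inner):
            yield re.sub(r"Attribute$", "", name), args

def scan_controller(source):
    """Return (rule name, action name) pairs for the two MVC rules, in source order."""
    source = re.sub(r"//[^\n]*", "", source)  # drop line comments before matching
    findings = []
    for attr_block, action in ACTION_RE.findall(source):
        attrs = list(_attributes(attr_block))
        names = {n for n, _ in attrs}
        # [HttpPost] style and [AcceptVerbs(HttpVerbs.Post)] style both count.
        verbs = names & STATE_CHANGING_VERBS
        accept = [a for n, a in attrs if n == "AcceptVerbs" and re.search(r"Post|Put|Delete", a)]
        if (verbs or accept) and "ValidateAntiForgeryToken" not in names:
            findings.append(("MarkVerbHandlersWithValidateAntiforgeryToken", action))
        if any(n == "ValidateInput" and "false" in a.lower() for n, a in attrs):
            findings.append(("ControllerActionShouldValidateInput", action))
    return findings

# Constructed sample controller (C# source as text): two of the four actions break a rule.
SAMPLE_CONTROLLER = """
public class AccountController : Controller
{
    [HttpPost]                      // changes state but has no anti-forgery check
    public ActionResult ChangeEmail(string email) { return RedirectToAction("Index"); }

    [HttpPost]
    [ValidateAntiForgeryToken]      // the form must render @Html.AntiForgeryToken()
    public ActionResult ChangePassword(ChangePasswordModel model) { return View(model); }

    [AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
    [ValidateInput(false)]          // request validation switched off for this action
    public ActionResult SaveBio(string bio) { return View(); }

    [HttpGet]
    public ActionResult Profile() { return View(); }
}
"""

if __name__ == "__main__":
    for rule, action in scan_controller(SAMPLE_CONTROLLER):
        print(f"{rule}: {action}")
```

The ChangePassword action shows the shape both rules want: the verb attribute and ValidateAntiForgeryToken together, and no ValidateInput(false). SaveBio passes the CSRF rule but is reported for disabling request validation, which is the case a reviewer should then trace into the view to confirm the bio text is HTML-encoded on output.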
Last edited Nov 18, 2010 at 1:56 PM by sfaust, version 4