System Config-Webserver Configuration

Uploaded by Arian

EZLABORMANAGER APPLICATION SECURITY
MARCH 2011

Vulnerability Remediation Technical Review

MAS R&D

©Copyright 2010 Automatic Data Processing, Inc.


SYSTEM CONFIG - WEBSERVER CONFIGURATION

Vulnerability Remediation Technical Review


Agenda

Vulnerability overview
Conceptual
Observation

Remediation overview
Solution step 1,2

05/03/2021 (C) Copyright 2009 ADP, Inc. Confidential, not for external distribution. 3
Vulnerability Conceptual Overview

VRN93292 – DEBUG mode is enabled on the server, and the application may reveal some useful information to the user.

Vulnerability Conceptual Overview

Risk Factors

It may be possible to disclose sensitive information about the web server and the ASP.NET application.

Vulnerability overview

This presentation:

Disable debugging for this ASP.NET application

Vulnerability Observation

This is the request we created with Burp/Fiddler to test the server's response:

Request:

DEBUG /ezLaborManagerNet/Login/Login.aspx HTTP/1.1
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: ezlmportalstaging.adp.com
Referrer: https://ezlmportalstaging.adp.com/ezLaborManagerNetRedirect/
Command: stop-debug
Content-Length: 0

Response:

HTTP/1.1 200 OK
Date: Mon, 20 Sep 2010 11:57:15 GMT
Etag: ""
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2
Via: 1.1 Routing Firewall
Connection: close
OK
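The observation above is a single request and reply read by eye; when the same check is repeated after remediation it helps to classify the reply mechanically. The following is an added example, not code from the slides or from ADP: a small parser for a raw HTTP/1.x response and a verdict function that reports whether the server still answered a DEBUG request the way the finding describes (200 with the two-byte body "OK"). The two sample responses are constructed for the example; the first mirrors the slide's observation with headers trimmed, and the 404 status of the second is an assumption about what a server looks like once the verb is refused, since the exact status depends on how IIS was configured.

```python
import re

# Constructed sample: a debug-enabled ASP.NET server answering a DEBUG request
# (mirrors the slide's observation; headers trimmed, not a live capture)
DEBUG_ACCEPTED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 20 Sep 2010 11:57:15 GMT\r\n"
    b"Cache-Control: private\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 2\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"OK"
)

# Constructed sample: a remediated server refusing the verb. The 404 status is an
# assumption for the example; what IIS returns depends on how the verb was removed.
DEBUG_REFUSED = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, header dict, body bytes).

    Header names are lower-cased; the body is cut to Content-Length when present.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no header/body separator")
    status_line, *header_lines = head.split(b"\r\n")
    m = re.match(rb"HTTP/\d\.\d (\d{3})", status_line)
    if m is None:
        raise ValueError("malformed status line: %r" % status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii")] = value.strip().decode("latin-1")
    if "content-length" in headers:
        body = body[: int(headers["content-length"])]
    return int(m.group(1)), headers, body


def debug_verb_accepted(raw: bytes) -> bool:
    """True when the reply matches the finding: status 200 with the body "OK".

    Any other reply (404, 405, 403, an error page) is treated as the verb
    being refused, which is the state the remediation is meant to produce.
    """
    status, _, body = parse_response(raw)
    return status == 200 and body.strip().upper() == b"OK"


def verify_remediation(raw: bytes) -> str:
    """One-line verdict suitable for a ticket or a test log."""
    if debug_verb_accepted(raw):
        return "FAIL: DEBUG verb still accepted"
    return "PASS: DEBUG verb refused"


if __name__ == "__main__":
    print(verify_remediation(DEBUG_ACCEPTED))
    print(verify_remediation(DEBUG_REFUSED))
```

Feed `verify_remediation` the raw bytes captured by Burp, Fiddler or WFetch after each remediation step; the check is deliberately narrow (status plus body) so that an error page that happens to contain the word "OK" in its HTML is not mistaken for the debug handler's reply.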

Remediation – Solution Concept

Requirements

Install the required test applications (WFetch, Burp, Fiddler)

Configure the application's Web.config

Access IIS

Solution – Step 1
Step 2: Removing DEBUG verb support in IIS

Solution – Step 2
Step 2: Removing DEBUG verb support in IIS

Solution – Step 2
Step 2: Removing DEBUG verb support in IIS

Remove Debug Verb

Solution – Step 3
Step 3: Configuring Web.Config

Change the debug setting to “false”
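Steps 2 and 3 are shown in the slides as screenshots of IIS Manager and of Web.config. As an added example that is not part of the deck or of ADP's configuration, the block below embeds a constructed "before" Web.config (compilation debug enabled, no verb filtering) beside a constructed "after" Web.config, and audits either one for the two remediation items. The `<compilation debug="false">` attribute under `system.web` is the Step 3 setting; the `requestFiltering/verbs` element under `system.webServer` is the IIS 7+ configuration-file form of removing the DEBUG verb and is an assumption about how the Step 2 screenshot was carried out (on older IIS versions the verb is removed in the IIS Manager dialog instead). All element and attribute names used are the standard ASP.NET / IIS ones; the audit function and its messages are the example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample: Web.config before remediation
WEAK_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
  </system.web>
</configuration>
"""

# Constructed sample: Web.config after steps 2 and 3
HARDENED_WEB_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <verbs allowUnlisted="true">
          <add verb="DEBUG" allowed="false" />
        </verbs>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def _descend(elem, *names):
    """Follow a chain of child element names; None if any link is missing.

    Done by hand rather than with an XPath string because the ASP.NET section
    names contain dots (system.web, system.webServer).
    """
    for name in names:
        elem = next((c for c in elem if c.tag == name), None)
        if elem is None:
            return None
    return elem


def compilation_debug_enabled(root) -> bool:
    """Step 3 check: is <compilation debug="true"> present under system.web?"""
    comp = _descend(root, "system.web", "compilation")
    # ASP.NET treats a missing debug attribute as false
    return comp is not None and comp.get("debug", "false").strip().lower() == "true"


def debug_verb_denied(root) -> bool:
    """Step 2 check: does IIS request filtering refuse the DEBUG verb?"""
    verbs = _descend(root, "system.webServer", "security", "requestFiltering", "verbs")
    if verbs is None:
        return False
    for add in verbs.findall("add"):
        if add.get("verb", "").upper() == "DEBUG":
            return add.get("allowed", "true").strip().lower() == "false"
    # DEBUG is not listed explicitly: it is only refused when unlisted verbs are blocked
    return verbs.get("allowUnlisted", "true").strip().lower() == "false"


def audit_web_config(xml_text: str):
    """Return a list of findings; an empty list means both items are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    if compilation_debug_enabled(root):
        findings.append('step 3: <compilation debug="true"> must be changed to "false"')
    if not debug_verb_denied(root):
        findings.append("step 2: DEBUG verb is not denied by IIS request filtering")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", WEAK_WEB_CONFIG), ("after", HARDENED_WEB_CONFIG)):
        print(label, audit_web_config(cfg) or ["no findings"])
```

Run `audit_web_config` over the text of each application's Web.config as part of the deployment checklist; because Web.config sections are inherited, the same function can be pointed at a parent applicationHost.config or machine.config fragment to confirm that a child site has not been left debug-enabled by a setting higher up.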

Remediation Completed

Questions?
