The forgotten ASP.NET Security switches and settings

Retail switch

One of the security flaws I encounter in a lot of application/web server in production is the ASP.NET error message with all the detailed information in there:

Which tells a potential hacker you are running ASP.NET, the version of ASP.NET is also published and even the path on the filesystem is in there. Also it tells the user too much information, and in 1 case the test team was expecting this and used these screens to validate an application.

We can avoid this with a single line in our machine.config file in the system.web block:

 <deployment retail="true" /> 

This SHOULD be the default in every production server you encounter!
It effectively disables remote detailed error messages, forces the compiler to ignore the “debug” compilation settings, and enables caching for all WebResources.axd calls.

The root cause for this problem is that a “development” web.config file(with remote errors enables) is copied into the production environment. The retail switch protects us against this, but be sure to check your config files for other errors as well.

ViewStateUserKey

To protect POST request to our ASP.NET applications we can use the ViewStateUserKey (dont turn off ViewState MAC) to enable the viewstate to contain a unique value per user. This will help mitigate against a CSRF (Cross-Site Request Forgery) attack. This won’t help against GET request, because there is no viewstate in there, so keep protecting these.

The code is very simple:

 void Page_Init(object sender, EventArgs e)
{
    ViewStateUserKey = Session.SessionID;
}