Vulnerabilities for web-attacks

Some scanners can find vulnerabilities in the Password Manager web app. Since the app is hosted on IIS, some of these findings can be closed by means of additional IIS configuration.

V1. The response to the request did not have an “X-FRAME-OPTIONS” header present

Solution 1:
  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
  6. Click OK to save your changes.
Refer to http://support.microsoft.com/kb/2694329 
--------

V2. Vulnerable to slow HTTP POST Attacks 

Solution 2:
1. Run IIS Manager on the machine where Netwrix Password Manager is installed.
2. In the left pane, navigate to Sites / Default Web Site / PM.
3. In the middle pane, double-click Request Filtering.
4. In the right pane, click Edit Feature Settings…
5. Set Maximum allowed content length to 15000000 bytes, Maximum URL length to 1024 bytes and Maximum query string to 512 bytes, then click OK.
6. In the left pane, click Sites; in the middle pane, click Default Web Site once; in the right pane, click Set Web Site Defaults…
7. Expand the Connection Limits node.
8. Set Connection Time-out to 60 seconds or lower and Maximum Bandwidth to 1400000000 bytes, then click OK.
9. Restart IIS from a command prompt (Start – Run – cmd, type iisreset and press Enter).
------

V3. Cookie does not contain the “HTTPOnly” attribute 

Solution 3: a cookie filter can be applied with the help of the URL Rewrite module for IIS 7 (http://www.iis.net/downloads/microsoft/url-rewrite).
Install URL Rewrite and paste the following into the <system.webServer> section of your web.config:

        <rewrite>
            <outboundRules>
                <rule name="Add HttpOnly" preCondition="No HttpOnly">
                    <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
                    <action type="Rewrite" value="{R:0}; HttpOnly" />
                    <conditions>
                    </conditions>
                </rule>
                <preConditions>
                    <preCondition name="No HttpOnly">
                        <add input="{RESPONSE_Set_Cookie}" pattern="." />
                        <add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>

Described here: http://forums.iis.net/post/1963706.aspx 
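To confirm that solutions 1 and 3 took effect, the following added example (not part of the original article or of Netwrix's product code) parses a constructed raw HTTP response, reports findings V1 and V3, and emulates the outbound rule above, including its preCondition regexes, so you can see exactly which Set-Cookie headers it would change:

```python
import re

# Constructed sample of a raw HTTP response header block, as a scanner would see it
# (not captured from a real Password Manager instance).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/\r\n"
    "Set-Cookie: theme=dark; path=/; HttpOnly\r\n"
    "\r\n"
)

# Same patterns as the URL Rewrite preCondition on the page: the header is non-empty
# and does not already carry "; HttpOnly" (URL Rewrite patterns ignore case by default).
NON_EMPTY = re.compile(".")
HAS_HTTPONLY = re.compile(r"; HttpOnly", re.IGNORECASE)


def parse_headers(raw):
    """Return a list of (lower-cased name, value) tuples from a raw response header block."""
    headers = []
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if not line:
            break                         # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def rewrite_set_cookie(value):
    """Emulate the outbound rule: append '; HttpOnly' when the preCondition holds."""
    if NON_EMPTY.search(value) and not HAS_HTTPONLY.search(value):
        return value + "; HttpOnly"       # action type="Rewrite" value="{R:0}; HttpOnly"
    return value


def audit(raw):
    """Report findings V1 and V3 from the article against a response header block."""
    headers = parse_headers(raw)
    findings = []
    if not any(name == "x-frame-options" for name, _ in headers):
        findings.append("V1: missing X-Frame-Options")
    for name, value in headers:
        if name == "set-cookie" and not HAS_HTTPONLY.search(value):
            findings.append("V3: cookie without HttpOnly: " + value.split(";")[0])
    return findings


def apply_rewrite(raw):
    """Return the header list after the rewrite rule has been applied to each Set-Cookie."""
    return [(n, rewrite_set_cookie(v) if n == "set-cookie" else v)
            for n, v in parse_headers(raw)]
```

Note that the rule appends HttpOnly to every Set-Cookie the site emits, so confirm that none of the application's client-side scripts need to read those cookies before deploying it.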
-----------------

If you have more vulnerabilities to report, please contact Netwrix technical support.