Saturday, January 12, 2008

Vulnerability Series: web.config

The web.config file is an XML-based file found in ASP.NET applications that may contain numerous items of sensitive information. It commonly contains database information, sensitive file names, and information about other resources used by the application.

A sample file might appear as:

<configuration>
   <configSections>
      <section name="appSettings"
         type="System.Configuration.NameValueFileSectionHandler,
         System, Version=1.0.3300.0,
         Culture=neutral, PublicKeyToken=b77a5c561934e089" />
   </configSections>
   <appSettings>
      <!-- connection string with credentials stored in clear text -->
      <add key="dsn" value="host;uid=UserName;pwd=;" />
      <add key="msmqserver" value="server\myqueue" />
   </appSettings>
   <system.web>
      <sessionState cookieless="true" timeout="10" />
   </system.web>
</configuration>

How to apply this attack

The web.config file will be read from the file system. It is a very common mistake to leave backup or old copies of the web.config file on the web server. For example:

  • web.config.old
  • web.config.back
  • web.config.$date


Protect this file and the information in this file with your life. Period. Please make sure that all permissions are correctly set on the file system as well as in IIS.
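
One way to check a deployment folder for the leftover copies listed above, as an added example that is not part of the original post. The function names, the name pattern, and the credential heuristic are assumptions; the sample web root is constructed test data.

```python
import os
import re
import tempfile

# web.config plus a trailing tag: web.config.old, web.config.back,
# web.config.20080112, web.config~ (the live file itself is skipped below).
STRAY = re.compile(r"^web\.config(?:[^a-z0-9].*)?$", re.IGNORECASE)
# Heuristic only (an assumption): strings typical of a DSN like "uid=...;pwd=...".
SECRET_HINT = re.compile(r"\b(?:uid|user id|pwd|password)\s*=", re.IGNORECASE)


def find_stray_configs(web_root):
    """Return sorted (relative path, keeps .config extension, credential hint)."""
    findings = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            if name.lower() == "web.config" or not STRAY.match(name):
                continue
            path = os.path.join(folder, name)
            with open(path, "r", encoding="utf-8", errors="replace") as handle:
                hint = bool(SECRET_HINT.search(handle.read()))
            rel = os.path.relpath(path, web_root).replace(os.sep, "/")
            # ASP.NET refuses requests for *.config by default; a copy with any
            # other extension no longer gets that protection.
            findings.append((rel, name.lower().endswith(".config"), hint))
    return sorted(findings)


def build_sample_root():
    """Create a constructed sample web root in a temp directory (test data only)."""
    root = tempfile.mkdtemp(prefix="webroot_")
    dsn = '<add key="dsn" value="host;uid=UserName;pwd=;" />'
    files = {
        "web.config": dsn,
        "web.config.old": dsn,
        "admin/web.config.20080112": "<configuration />",
        "admin/web.config": "<configuration />",
        "default.aspx": "<%@ Page %>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(body)
    return root


if __name__ == "__main__":
    for rel, is_config, hint in find_stray_configs(build_sample_root()):
        print(f"{rel}\tconfig_ext={is_config}\tcredential_hint={hint}")
```

Any file it reports should be deleted from the web root or moved outside it; a reported file with a credential hint also means the exposed password should be changed.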

For additional information on how to configure the environment, I recommend you refer to the Microsoft site for proper settings.