Wednesday, 6 January 2021

Steps to resolve VAPT Issues

  
1. Error: Web Parameter Tampering
Resolution:
Add the attribute enableViewStateMac="false" inside the <pages> tag.
Eg:
<system.web>
    <pages enableViewStateMac="false"/>
</system.web>
Note: enableViewStateMac="false" switches off the ViewState integrity check (MAC), so tampering protection becomes weaker, not stronger; the hardened value is "true" (the default), and ASP.NET 4.5.2 and later always validate the MAC regardless of this setting.
 
 
2. Error: Authentication Bypass Using default credentials
Resolution:
Add <httpCookies requireSSL="true" /> inside the <system.web> tag
Eg:
<system.web>
    <httpCookies requireSSL="true" />
</system.web>
 
 
3. Error: Communication in cleartext
Resolution:
Implement authorization and authentication in the application.
Eg:
<authorization>
    <deny verbs="OPTIONS" users="?"/>
</authorization>

<authentication mode="Forms">
    <forms loginUrl="Login2.aspx" defaultUrl="RedirectionPage.aspx">
    </forms>
</authentication>
Note: these tags restrict who may reach which resources; the cleartext finding itself is closed by serving the application over HTTPS.
 
 
4. Error: Session Fixation
Resolution:
Add the code below to the logout click handler
    // Drop all server-side session state and end the session
    Session.Clear();
    Session.Abandon();
    Session.RemoveAll();

    // Expire the session cookie on the client so the old ID is not reused
    if (Request.Cookies["ASP.NET_SessionId"] != null)
    {
        Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
        Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
    }

    // Expire the application's own authentication cookie as well
    if (Request.Cookies["AuthToken"] != null)
    {
        Response.Cookies["AuthToken"].Value = string.Empty;
        Response.Cookies["AuthToken"].Expires = DateTime.Now.AddMonths(-20);
    }
 
 
5. Error: Cleartext submission of Password
Resolution: Implement password encryption while sending it to the database
Eg of function:
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static string Encrypt(string clearText)
{
    // Passphrase from which the AES key and IV are derived (hardcoded in the original post)
    string EncryptionKey = "TEST123";
    byte[] clearBytes = Encoding.Unicode.GetBytes(clearText);
    using (Aes encryptor = Aes.Create())
    {
        // PBKDF2 over the passphrase and a fixed salt: 256-bit key, then 128-bit IV
        Rfc2898DeriveBytes pdb = new Rfc2898DeriveBytes(EncryptionKey, new byte[] { 0x49, 0x76, 0x61, 0x6e, 0x20, 0x4d, 0x65, 0x64, 0x76, 0x65, 0x64, 0x65, 0x76 });
        encryptor.Key = pdb.GetBytes(32);
        encryptor.IV = pdb.GetBytes(16);
        using (MemoryStream ms = new MemoryStream())
        {
            using (CryptoStream cs = new CryptoStream(ms, encryptor.CreateEncryptor(), CryptoStreamMode.Write))
            {
                cs.Write(clearBytes, 0, clearBytes.Length);
                cs.Close();
            }
            // Base64 so the ciphertext fits in a text column
            clearText = Convert.ToBase64String(ms.ToArray());
        }
    }
    return clearText;
}
Note: with a fixed key, salt and IV in the source, the same password always produces the same ciphertext and anyone holding the binary can decrypt it; passwords kept in a database should be protected with a one-way salted hash rather than reversible encryption.
 
 
6. Error: Unencrypted __VIEWSTATE parameter
Resolution: Add the attribute viewStateEncryptionMode="Always" inside the <pages> tag.
Eg:
<system.web>
    <pages viewStateEncryptionMode="Always"/>
</system.web>
 
 
7. Error: Server version disclosure
Resolution: Add <httpRuntime enableVersionHeader="false" /> inside the <system.web> tag.
Eg:
<system.web>
    <httpRuntime enableVersionHeader="false" />
</system.web>
 
 
8. Error: Cookie Without HTTP Only Flag Set
Resolution:
Add <httpCookies httpOnlyCookies="true" requireSSL="true" /> inside the <system.web> tag (httpOnlyCookies sets the HttpOnly flag; requireSSL sets the Secure flag)
Eg:
<system.web>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
</system.web>
 
 
9. Error: ASP.NET padding oracle vulnerability
Resolution:
Add the attribute redirectMode="ResponseRewrite" inside the <customErrors> tag
Eg:
<customErrors redirectMode="ResponseRewrite"
              defaultRedirect="customerror.htm" mode="On" />
 
 
10. Error: Clickjacking
Resolution:
Add the code below to the Global.asax file
void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
}
 
 
11. Error: OPTIONS method is enabled
Resolution:
Add the tag below inside the <system.webServer> tag
<security>
    <requestFiltering>
        <verbs allowUnlisted="true">
            <add verb="OPTIONS" allowed="false" />
        </verbs>
    </requestFiltering>
</security>
 
