Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

We have built a web application using ASP.Net MVC3 and SQL Server 2008 which has

ID: 657748 • Letter: W

Question

We have built a web application using ASP.Net MVC3 and SQL Server 2008 which has features like credit card payment, etc. We engaged a 3rd party to perform vulnerability assessment and penetration testing.

We got a good report with few security issues. We have fixed all the issues except one.

In that report it says that our application reveals web directories such as 'Admin/Contact/Details' '/Areas/Admin/Styles/'. It is not major issue. But our management want to fix that too ...

Any ideas to solve it correctly and quickly. Appreciate if someone can shed some light on this.

Explanation / Answer

It's a typical scenario with .NET MVC - search-engine friendly URLs are a direct result of proper implementation. But let's have something clear - these are not web directories, but MVC routes, right?

Paranoid pen-testers are often uncomfortable when the admin interface is somehow exposed in the URL, since it can attract unwanted attention, or be harvested and used for fuzzing.

If you want to improve on this, you may need to abuse the ASP.NET routing engine to obfuscate the path, if their concern is that the admin interface is "exposed" - that would be a quick fix, but obfuscation is never the correct way of fixing things.

An alternative is to use a resource manager and routing is based on resource tokens, but that would involve heavy modifications to the application. Each resource has its own resource token ID, and can be dynamically generated when a user logs in. Then every resource (page, style, image) is a link to the resource manager. Then getting a stylesheet will look like:

<link rel="stylesheet" type="text/css" href="/Resource/80af9420ab0401-00291844a/91009abff01">

The same applies to the URLs. This may result in a lot of overhead and poor performance, poor scalability, etc. I do not recommend it, but these days management just listens to whatever external "consultants" they're paying to, and refuses to acknowledge internal talent.

Unfortunately, sometimes it's a question of compromise - security should not be a result of poor scalability or performance...

Related Questions

We have a weighted directed graph with the following n = 3k vertices: V = {a1, .
Question #3594853
We have accesss to data regarding the salaries of all professsional baseball pla
Question #3131855
We have all been involved in conversations on the web centering on a particular
Question #391630
We have all complained that there aren\'t enough hours in a day. In an attempt t
Question #1472879
We have all complained that there aren\'t enough hours in a day. In an attempt t
Question #1992718
We have all heard of the individual being paid one cent on the first day and sub
Question #3622336
We have all heard the argument that too much television is th reason our student
Question #3450361
We have all worked in a group or team at some point in our careers. A team is br
Question #435038
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
We have being losing an average of $11,500 per month at our primary care clinic.
Next
We have chosen the convention that the zero of energy corresponds to isolated at

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.