Hello, my MVC site often sends me YSOD messages (through the error logger) that apparently reference an attempt to access a nonexistent route, such as:

System.Web.HttpException: The controller for path '/wp-login.php' was not found or does not implement IController.

Sometimes I get hundreds of these daily referencing routes/pages such as:

/DataBackup/222.asp
/Create_New.asp
/DataBackup/111.asp
/DataBackup/1.asp
htmledit saveupload.asp
post_upload.asp
/js/mage/cookies.js
/wp-admin/admin-post.php
/browserconfig.xml

Does anyone know why this happens? Thanks! Randy
It's an unfortunate side effect of script kiddy automated hacker scripts crawling the internet looking for vulnerabilities in any website URLs that the script / hacker is aware of. E.g. if the script was to detect an HTTP 200 response from a request to wp-login.php, it then conclusively knows that the website being probed is at least running both WordPress and PHP. Armed with that knowledge the script can then move on to the next stage of probing for vulnerabilities against that website for known issues in WordPress and PHP. It's a never-ending battle and there's little you can do except work to ensure your site code is as secure as it can be. If you're able to improve the exception handling in your website, you might be able to capture the IP address of the caller in the request to enable you to add that IP address to the block list in "IP Address and Domain Restrictions" in IIS Manager. However, doing that is sort of futile because hacker IP addresses constantly change because their requests often source from botnets.
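As an added illustration of the triage Joe describes (this is example code, not part of the original thread and not from any ASP.NET or IIS component; the site itself is MVC/C#, but the same logic could live in an Application_Error handler), the script below reads IIS W3C log lines, separates scanner probes for paths an MVC site never serves (the .php/.asp/wp-*/mage paths quoted in the question) from errors on real application routes, and ranks client IPs by probe count. The log lines and the probe patterns are constructed assumptions; browserconfig.xml is treated as benign because IE11/Edge request it for pinned-site tiles.

```python
"""Triage 'controller not found' noise in IIS logs: separate scanner probes
from errors on real routes and rank client IPs by probe count."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Paths an ASP.NET MVC site never serves but scanners request anyway. The
# extensions and prefixes come from the paths quoted in the question; which
# paths count as "foreign" is an assumption to tune per deployment.
PROBE_PATTERNS = [
    re.compile(r"\.(php|asp|aspx|cgi)$", re.I),             # WordPress / classic-ASP probes
    re.compile(r"^/wp-(login|admin|content|includes)", re.I),
    re.compile(r"^/js/mage/", re.I),                         # Magento artefact
    re.compile(r"^/databackup/", re.I),
]

# Unrouted paths browsers legitimately request; browserconfig.xml is fetched by
# IE11/Edge for pinned-site tiles, so its 404s are not evidence of scanning.
BENIGN_UNROUTED = {"/browserconfig.xml", "/favicon.ico", "/robots.txt", "/apple-touch-icon.png"}

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2015-03-01 10:00:01 10.0.0.5 GET /wp-login.php - 80 - 203.0.113.10 Mozilla/5.0 404
2015-03-01 10:00:02 10.0.0.5 GET /wp-admin/admin-post.php - 80 - 203.0.113.10 Mozilla/5.0 404
2015-03-01 10:00:03 10.0.0.5 GET /DataBackup/222.asp - 80 - 203.0.113.10 Mozilla/5.0 404
2015-03-01 10:00:04 10.0.0.5 POST /post_upload.asp - 80 - 203.0.113.10 Mozilla/5.0 404
2015-03-01 10:00:09 10.0.0.5 GET /Home/Index - 80 - 198.51.100.7 Mozilla/5.0 200
2015-03-01 10:00:10 10.0.0.5 GET /Orders/Details/42 - 80 - 198.51.100.7 Mozilla/5.0 500
2015-03-01 10:00:11 10.0.0.5 GET /browserconfig.xml - 80 - 192.0.2.33 Mozilla/5.0 404
"""


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log text, taking column names from its #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip malformed lines instead of aborting on a busy log
        rows.append(dict(zip(fields, parts)))
    return rows


def classify_path(path: str) -> str:
    """Return 'benign', 'probe' or 'app' for a request path."""
    if path.lower() in BENIGN_UNROUTED:
        return "benign"
    if any(p.search(path) for p in PROBE_PATTERNS):
        return "probe"
    return "app"


def triage(rows: List[Dict[str, str]],
           error_statuses=("404", "500")) -> Tuple[Dict[str, int], List[Dict[str, str]]]:
    """Count probe hits per client IP and collect errors on real app routes.

    Only the latter deserve an individual YSOD e-mail; probes are better aggregated."""
    probes_by_ip: Dict[str, int] = defaultdict(int)
    real_errors: List[Dict[str, str]] = []
    for row in rows:
        if row.get("sc-status") not in error_statuses:
            continue
        kind = classify_path(row["cs-uri-stem"])
        if kind == "probe":
            probes_by_ip[row["c-ip"]] += 1
        elif kind == "app":
            real_errors.append(row)
    return dict(probes_by_ip), real_errors


def noisy_ips(probes_by_ip: Dict[str, int], threshold: int = 3) -> List[str]:
    """Client IPs at or above the probe threshold, most active first.

    Scans arrive from botnets with rotating addresses, so use this as input
    for short-lived blocking or review rather than a permanent list."""
    return sorted((ip for ip, n in probes_by_ip.items() if n >= threshold),
                  key=lambda ip: -probes_by_ip[ip])


if __name__ == "__main__":
    probes, errors = triage(parse_iis_log(SAMPLE_LOG))
    print("probe hits per IP:", probes)
    print("noisy IPs:", noisy_ips(probes))
    print("errors on real routes:", [r["cs-uri-stem"] for r in errors])
```

Running it on the constructed sample attributes four probes to one address and leaves a single genuine error (on /Orders/Details/42) for the YSOD notifier; the browserconfig.xml 404 is dropped as benign. The same split can be applied at the point where the error logger is fed, so that "controller not found" for a probe path is counted rather than e-mailed.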
Thanks Joe! I wonder if anyone has a security checklist for MVC sites to share? I feel like I have things fairly well covered but as you say it's a never-ending battle. Randy
This might help: https://www.owasp.org/index.php/.NET_Security_Cheat_Sheet IMO there's a fair amount of decent security-related information on the OWASP site, and a lot isn't .NET / MVC specific, but I find sometimes it helps to think about things from different angles. MS provide some info too and the Pluralsight videos really are very good: http://www.asp.net/mvc/overview/security
Troy Hunt does (Pluralsight course, requires trial signup or paid membership): http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks You can check most of what he discusses in the course using the site he created (free): https://asafaweb.com/ I'd highly recommend installing his NWebSec package (free, GitHub link: https://github.com/NWebsec/NWebsec) - it pretty much takes care of most of what you need to lock down an ASP.NET site, with the rest being configurable. It's in my list of packages I install in every MVC app I build.