WCSA – Web.Config Security Analyzer

Posted by on March 31, 2012

In an ASP.Net application, the web.config file contains a lot of security settings that shouldn’t be overlooked.  There has been no real easy way to review the file without manually looking at each setting or running an expensive tool.  To fill this gap, WCSA was born.  This initial release is relatively simple and by no means covers all of the security settings for a web.config file.  It does, however, cover some of the more prominent issues.  BTW, the tool is free!!.  Let me make it perfectly clear that this is the initial release of this tool and there is no claim that it will find all security issues for the web.config file or a given application.  This tool helps identify potential issues but manual reviews should also be performed.

No Frills

The initial release of this application is very simple.  There are no fancy UI components and the rule set is pretty limited.  The goal is to make updates to this to add more rule sets and functionality.  For now, it is a 5 minute process for developers to get a quick look at some of the settings without having to scan the web.config file looking for them.

The Application

As you can see in Image 1 below, the application is pretty simple.  This image shows the results of scanning a web.config file and the findings from the tool.  There are currently 3 finding types (Information,Warning,Critical) based on their potential severity.  Some poor color coding was added to help identify the risks by severity.  Each finding has a Message that gives a brief description of the issue and the possible category of vulnerability that this could fall under.  If you select a specific finding, some more information is displayed in the Recommendations section at the bottom of the screen.

Image 1

Lets walk through the simple steps of analyzing a web.config file.  In the first step, we need to select Analyze—>Web.Config from the main menu.

Next, we select the Web.config file that we want to analyze.

The result is what we saw in Image 1 above.  The file has been analyzed.   If you want, you can export the results to an XML file by clicking the File->Export->To XML menu item.

Current Rules

The application currently checks the following elements:

  • Compilation
  • Custom Errors
  • Forms Authentication
  • Identity
  • Pages
  • Runtime
  • Session
  • Trace

I am currently working on more specific documentation on each rule covered and adding more elements to be scanned.

WCSA can be downloaded from here: http://www.jardinesoftware.com/Software/WCSA_1_0_0.zip.  To run the application, just unzip the file and execute the WCSAWin.exe file.

To visit the WCSA information page, go to: http://www.jardinesoftware.com/WCSA.

This information is provided as-is and is for educational purposes only.  There is no claim to the accuracy of this data.  Use this information at your own risk.  Jardine Software is not responsible for how this data is used by other parties. 


Comments are closed.