Automated Security Analyser for ASP.NET Websites

Version history

15 Sep 2013

Added a new scan to check for the presence of a MAC in view state. This is sometimes disabled, which puts the application at risk of view state tampering by an attacker.

3 Sep 2013

Added a check for ELMAH in the /elmah path of the site when the default handler of /elmah.axd is not found and it's not a web forms site. This caters for the increasing number of ASP.NET MVC sites using Elmah.MVC which registers a route in the root of the site rather than using the handler extension.

15 May 2013

Introduced the Scorecard feature to enable self-assessment of website risks in a fashion which can be responsibly disclosed to the website owner.

12 May 2013

Added a scan to detect the presence of the "X-Frame-Options" header which indicates whether the site is at risk of a clickjacking attack.

24 Mar 2013

Added scans for cookies flagged as HttpOnly and cookies returned over an HTTPS connection but not flagged as secure.
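As an added example (not ASafaWeb's own code), the X-Frame-Options check and the HttpOnly/Secure cookie checks from the two entries above, applied to a constructed raw response; the sample cookies are made up, and whether the response arrived over HTTPS is supplied by the caller.

```python
from typing import Dict, List, Tuple

# Constructed sample response, not captured from any real site.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Set-Cookie: .ASPXAUTH=deadbeef; path=/\r\n"
    "Set-Cookie: prefs=dark; path=/; secure; HttpOnly\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Split a raw response into (name, value) pairs, keeping repeated
    headers such as multiple Set-Cookie lines; the status line is dropped."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_flags(set_cookie: str) -> Dict[str, object]:
    """Extract the cookie name and whether HttpOnly / Secure are set."""
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return {"name": name, "httponly": "httponly" in attrs, "secure": "secure" in attrs}


def assess(raw: str, over_https: bool) -> Dict[str, List[str]]:
    """Return the findings the two scans would raise for this response."""
    headers = parse_headers(raw)
    findings: Dict[str, List[str]] = {
        "clickjacking": [], "httponly_missing": [], "secure_missing": []}
    # Absence of X-Frame-Options is what the clickjacking scan looks for.
    if not any(n == "x-frame-options" for n, _ in headers):
        findings["clickjacking"].append("X-Frame-Options header not present")
    for n, v in headers:
        if n != "set-cookie":
            continue
        c = cookie_flags(v)
        if not c["httponly"]:
            findings["httponly_missing"].append(c["name"])
        # The secure flag only matters for cookies returned over HTTPS.
        if over_https and not c["secure"]:
            findings["secure_missing"].append(c["name"])
    return findings
```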

7 Sep 2012

Removed request validation on the password field to ensure any characters can be used. Thanks to Terry Brown for his contribution.

29 Aug 2012

Rebuilt the hash DoS scan logic to cater for the fact that the risk has now been mitigated in .NET 4.5.

7 Aug 2012

Extended the timeout of the first HTTP request to the site from 10 seconds to 30 seconds. This allows an extended period for a site that is "asleep" to wake up. Subsequent request timeouts all remain unchanged at 10 seconds.

Added information to the hash DoS scan to indicate that a failure could be caused by the aspnet:MaxHttpCollectionKeys app setting being increased beyond the default of 1,000.

3 Aug 2012

Public release of the ASafaWeb scheduler and account management features.

7 Jul 2012

The excessive headers scan now returns a warning rather than a pass if headers are not reported in the first request but are reported in any subsequent requests.

5 Jun 2012

Error pages returned in languages which include non-Latin characters now correctly identify both stack traces and the ASP.NET version number in the error page.

7 Apr 2012

Custom errors and stack trace findings are now presented as two separate scans rather than embedding the stack trace finding in the custom errors report.

29 Mar 2012

All website assets on ASafaWeb can now only be loaded over the HTTPS scheme. No pages or other content are returned over HTTP anymore.

24 Mar 2012

Scans that read server error messages have been internationalised to ensure that responses in languages other than English are still recognised. Full details are on the scans page.

28 Feb 2012

A scan for excessive response headers has been added. This scan identifies occurrences of headers which may be used to help exploit vulnerabilities by leveraging knowledge about risks in specific web servers and frameworks.

2 Feb 2012

To avoid using ASafaWeb for abusive purposes, it is now possible for a URL to be blacklisted. This is only done at the request of the site owner and means the domain and all of its subdomains can no longer be scanned.

14 Jan 2012

Scans for websites which are probably not built in ASP.NET now show a warning dialogue which needs to be dismissed before reviewing the scan results. This is to ensure that the guidance given by ASafaWeb isn't perceived to be inaccurate or misleading due to tests targeted at Microsoft web technologies returning unexpected results for other technology stacks.

11 Jan 2012

The ELMAH scan has been extended so that if the original request for elmah.axd redirects to a logon page, a second request is made for "/foo/elmah.axd". This is because the handler can be requested from any directory but is frequently only secured in the root.

9 Jan 2012

A new scan to test for publicly accessible ELMAH logs was added. This looks for the presence of a response with a title containing the words "Error log for" at the "/elmah.axd" path of the site being scanned.

30 Dec 2011

A scan to test for the presence of the hash DoS patch has been added. This scan posts 1,001 form variables to the site and inspects the response. An identical response to a legitimate request shows that the patch is not present. This scan may also be used for the custom errors scan if a YSOD is returned.

29 Dec 2011

The scan to test for request validation (if the site is a web forms app) is now done before the custom errors scan. When request validation is on but custom errors are off, this request can be reused for the custom errors scan rather than making an additional HTTP request.

28 Dec 2011

Each of the HTTP requests made during the scan is now listed at the top of the report in the order in which they were issued. This helps illustrate the activity ASafaWeb has performed against the site.

The custom errors scan now makes a request for a URL with the "<" symbol even if it's a web forms site, but only after posting invalid View State has failed to return a YSOD. Previously this request was only made for non-web forms sites.

16 Dec 2011

Allowed responses which don't conform to the HTTP header spec to still be parsed. Some web servers break the spec by using spaces in header names, not using CRLF at ends of lines, using a status description as well as a code and other spec violations described in the MSDN page about the UseUnsafeHeaderParsing property. These responses are now still parsed rather than causing the scan to exit.

7 Dec 2011

Added fidelity to failed scans to identify invalid certificates and report them to the user. They are then given the option of scanning the equivalent HTTP address. In the future, ASafaWeb will have a specific test to check certificate validity and report it as a finding if it doesn't check out.

Scans that receive an empty response from the host or time out now include a link to check whether the site is publicly accessible using This will help distinguish between an error on the ASafaWeb side versus the address simply not being contactable.

6 Dec 2011 (release 2)

Added fidelity to failed scans to distinguish between the following errors and report them to the user:

6 Dec 2011

Initial release detailed in the blog post Welcome to ASafaWeb.