Identifying configuration-related security vulnerabilities in web applications
ASP.NET enables you to specify configuration settings that affect all Web applications on a server, that affect only a single application, that affect individual pages, or that affect individual folders in a Web application. You can make configuration settings for features, such as compiler options, debugging, user authentication, error-message display, connection strings, and more. Configuration data is stored in XML files that are named Web.config.
You can read more details about the different kinds of configuration settings in Web.config files at https://msdn.microsoft.com/en-us/library/ff400235.aspx. In this section, we will walk you through the rules in the PUMA scan analyzers that catch security vulnerabilities in the web configuration of an ASP.NET Web Forms project.
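As an added example (not code from this book or from the PUMA scan project), the following Python script parses a Web.config and flags the kinds of weak settings this section is concerned with: debug compilation, detailed error pages, tracing, missing cookie protections, a forms-authentication cookie sent over plain HTTP, and a plaintext password in an unencrypted connectionStrings section. Both configuration samples are constructed for the example, and the rule ids, messages and thresholds are this example's own, not PUMA's rule set.

```python
"""Illustrative Web.config hardening check (own example; not PUMA's rules)."""
import xml.etree.ElementTree as ET

# Constructed sample: a Web.config carrying several weak settings.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="AppDb"
         connectionString="Server=db;Database=app;User Id=app;Password=PLACEHOLDER_PASSWORD" />
  </connectionStrings>
  <system.web>
    <compilation debug="true" targetFramework="4.7.2" />
    <customErrors mode="Off" />
    <trace enabled="true" />
    <httpCookies httpOnlyCookies="false" requireSSL="false" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="false" />
    </authentication>
  </system.web>
</configuration>
"""

# The same file with each weak setting corrected (also constructed; the
# EncryptedData body is a placeholder for what aspnet_regiis -pe would emit).
HARDENED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings configProtectionProvider="DataProtectionConfigurationProvider">
    <EncryptedData>PLACEHOLDER_CIPHERTEXT</EncryptedData>
  </connectionStrings>
  <system.web>
    <compilation debug="false" targetFramework="4.7.2" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />
    <trace enabled="false" />
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>
"""


def _true(value):
    """ASP.NET boolean attributes are case-insensitive "true"/"false"."""
    return (value or "").strip().lower() == "true"


def _child(elem, tag):
    """First direct child with the given tag (plain iteration; no XPath)."""
    return next((c for c in elem if c.tag == tag), None)


def check_web_config(xml_text):
    """Return a list of (rule_id, message) for weak settings found in xml_text."""
    root = ET.fromstring(xml_text)
    findings = []

    # Plaintext credentials in a connectionStrings section that is not encrypted.
    cs = _child(root, "connectionStrings")
    if cs is not None and cs.get("configProtectionProvider") is None:
        for add in (c for c in cs if c.tag == "add"):
            if "password=" in (add.get("connectionString") or "").lower():
                findings.append(("connectionStrings-plaintext",
                                 f"connection string '{add.get('name')}' holds a plaintext "
                                 "password; encrypt the section"))

    web = _child(root, "system.web")
    if web is None:
        return findings

    comp = _child(web, "compilation")
    if comp is not None and _true(comp.get("debug")):
        findings.append(("compilation-debug",
                         "compilation debug='true' leaks stack traces and disables timeouts"))

    errs = _child(web, "customErrors")
    if errs is not None and (errs.get("mode") or "").lower() == "off":
        findings.append(("customErrors-off",
                         "customErrors mode='Off' shows detailed errors to remote clients"))

    tr = _child(web, "trace")
    if tr is not None and _true(tr.get("enabled")):
        findings.append(("trace-enabled", "trace enabled='true' exposes request data"))

    # httpCookies defaults are false when the element is absent, so absence is a finding.
    cookies = _child(web, "httpCookies")
    if cookies is None or not _true(cookies.get("httpOnlyCookies")):
        findings.append(("httpCookies-httpOnly", "cookies readable from script; set httpOnlyCookies='true'"))
    if cookies is None or not _true(cookies.get("requireSSL")):
        findings.append(("httpCookies-requireSSL", "cookies sent over HTTP; set requireSSL='true'"))

    auth = _child(web, "authentication")
    if auth is not None and (auth.get("mode") or "").lower() == "forms":
        forms = _child(auth, "forms")
        if forms is None or not _true(forms.get("requireSSL")):
            findings.append(("forms-requireSSL", "forms auth ticket sent over HTTP; set requireSSL='true'"))

    return findings


if __name__ == "__main__":
    for rule, msg in check_web_config(WEAK_CONFIG):
        print(f"[{rule}] {msg}")
    print("hardened findings:", check_web_config(HARDENED_CONFIG))
```

Run against the weak sample the checker reports seven findings and against the hardened sample none. The same pattern extends to other settings you care about, such as the enableVersionHeader attribute on httpRuntime or an absent cookieless setting; the point is that configuration review is mechanical enough to run in CI, which is exactly what a Roslyn analyzer like PUMA scan does at build time.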
Note
Note that Roslyn analyzers are fully supported on both .NET framework projects and .NET core projects, so the PUMA scan analyzers covered here work...