ASP.NET MVC Application Security Checklist

I am looking for a set of recommendations or a checklist that I can follow to secure a public ASP.NET MVC website. I just want to make sure that I am not making any obvious and well-known mistakes when deploying the website.

Thanks.

+7
security asp.net-mvc
4 answers
  • As always, make sure you encode your output correctly. Note that I say encode, not HtmlEncode: if you are outputting into HTML, then you want Html.Encode, but if you are outputting into JavaScript, then you want the JavaScript encoding function. This helps you against Cross Site Scripting (XSS).
  • Use the anti-CSRF helpers where necessary (or maybe just everywhere).
  • Depending on how you access your data store: if it is a SQL database, be sure to protect yourself from SQL injection, whether through parameterized queries, stored procedures, LINQ, or whatever you have.
  • When you test, make sure your test data contains dodgy content (material that has not been Html.Encoded shows itself easily, for example via <script type="text/javascript">alert("XSS attack!");</script>XSS here! The same goes for material inserted into JavaScript to trigger errors!)
  • When model binding, use a whitelist for properties so that users cannot make the binder bind properties that were never intended to be bound!
+5
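The first point of the answer above (encode for the context you are writing into, not just HtmlEncode) as an added example; this is not code from the answer or from ASP.NET MVC itself. It is a console program that runs on .NET Framework 4.0 or later with a reference to System.Web.dll (HttpUtility also ships in .NET Core 2.0+ and .NET 5+); the sample strings are constructed here, and the fragment-building functions stand in for what a view would emit.

```csharp
// Added example, not code from the original answer. Compiles as a console
// application on .NET Framework 4.0+ with a reference to System.Web.dll.
using System;
using System.Web;

namespace EncodingDemo
{
    public static class OutputEncoding
    {
        // Constructed test value of the kind the answer suggests seeding test
        // data with: harmless when encoded, obvious on the page when it is not.
        public const string DodgyInput =
            "<script type=\"text/javascript\">alert(\"XSS attack!\");</script>XSS here!";

        // HTML context, e.g. <p>...</p> or a double-quoted attribute value.
        // In an ASPX view this is what Html.Encode(...) or <%: ... %> does.
        public static string HtmlFragment(string value)
        {
            return "<p>" + HttpUtility.HtmlEncode(value) + "</p>";
        }

        // JavaScript string-literal context, e.g. var name = "..."; inside a
        // <script> block. JavaScriptStringEncode escapes quotes, backslashes,
        // line terminators and the < > & characters, so the literal cannot be
        // closed early and "</script>" cannot appear in the emitted page.
        // In a view the same result comes from Ajax.JavaScriptStringEncode(...).
        public static string ScriptFragment(string value)
        {
            return "var name = \"" + HttpUtility.JavaScriptStringEncode(value) + "\";";
        }

        // The mismatch the answer warns about: HTML encoding inside a JavaScript
        // literal. HtmlEncode escapes neither backslashes nor line terminators
        // (a raw newline in the input terminates the literal and breaks the
        // script), and the script engine never decodes the &quot; entities, so
        // the value the script sees is wrong even when the markup stays intact.
        public static string WronglyEncodedScriptFragment(string value)
        {
            return "var name = \"" + HttpUtility.HtmlEncode(value) + "\";";
        }

        public static void Main()
        {
            // Constructed samples: the answer's test string, a literal-closing
            // payload, a raw newline, and ordinary text with characters that
            // mean something in both contexts.
            string[] samples =
            {
                DodgyInput,
                "\"; alert(\"XSS attack!\"); //",
                "Line one\nLine two",
                "O'Neil & Sons <b>",
            };

            foreach (string s in samples)
            {
                Console.WriteLine(HtmlFragment(s));
                Console.WriteLine(ScriptFragment(s));
                Console.WriteLine(WronglyEncodedScriptFragment(s));
                Console.WriteLine();
            }
        }
    }
}
```

Run it and compare the second and third lines of each group: the third line is what a view that reaches for Html.Encode in a `<script>` block actually sends to the browser.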

I do the following:

  • Separate your concerns. Admin in an Admin folder, etc.
  • [Authorize] all actions that require you to be logged in.
  • Html.Encode all data entry fields.
  • ActionResult Create([Bind(Prefix = "", Exclude = "id")] MyModel newModelObject) <== exclude id, which could be used in an attack

Besides...

+1
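The [Authorize] and [Bind] points of the answer above as an added example, not code from the answer or from ASP.NET MVC. It puts the answer's Exclude form beside the Include (whitelist) form that the first answer asks for, and shows the ownership check that [Authorize] alone does not give you. It assumes ASP.NET MVC 2 or later, a hypothetical IProfileRepository wired in by your controller factory, and Create/Edit/Details views that are not shown; all names are illustrative.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC 2+
// and a hypothetical IProfileRepository; the model and names are illustrative.
using System.Web;
using System.Web.Mvc;

namespace BindingDemo.Controllers
{
    public class UserProfile
    {
        public int Id { get; set; }
        public string DisplayName { get; set; }
        public string Email { get; set; }
        public string OwnerLogin { get; set; }   // who may edit this profile
        public bool IsAdmin { get; set; }        // must never be set from a request
    }

    public interface IProfileRepository
    {
        UserProfile Get(int id);
        void Save(UserProfile profile);
    }

    // [Authorize] on the class covers every action, so an action added later
    // cannot be forgotten; anonymous requests are sent to the login page.
    [Authorize]
    public class ProfileController : Controller
    {
        private readonly IProfileRepository _profiles;

        public ProfileController(IProfileRepository profiles)
        {
            _profiles = profiles;
        }

        public ActionResult Details(int id)
        {
            UserProfile profile = _profiles.Get(id);
            if (profile == null) throw new HttpException(404, "No such profile");
            return View(profile);
        }

        // Blacklist, as in the answer: "Id" is excluded, but any sensitive
        // property added to the model later (IsAdmin here) is bound from the
        // posted form unless someone remembers to extend the Exclude list.
        [HttpPost]
        public ActionResult Create([Bind(Prefix = "", Exclude = "Id")] UserProfile newProfile)
        {
            if (!ModelState.IsValid) return View(newProfile);
            newProfile.OwnerLogin = User.Identity.Name;
            newProfile.IsAdmin = false;          // has to be reset by hand
            _profiles.Save(newProfile);
            return RedirectToAction("Details", new { id = newProfile.Id });
        }

        // Whitelist: only DisplayName and Email are bound; extra fields in the
        // request (Id=1, IsAdmin=true) are ignored by the DefaultModelBinder.
        // The record to update comes from the route id and its ownership is
        // checked, so a logged-in user cannot edit someone else's profile.
        [HttpPost]
        public ActionResult Edit(int id, [Bind(Include = "DisplayName,Email")] UserProfile posted)
        {
            if (!ModelState.IsValid) return View(posted);

            UserProfile profile = _profiles.Get(id);
            if (profile == null)
                throw new HttpException(404, "No such profile");
            if (profile.OwnerLogin != User.Identity.Name)
                throw new HttpException(403, "Not your profile");

            profile.DisplayName = posted.DisplayName;   // copy field by field
            profile.Email = posted.Email;
            _profiles.Save(profile);
            return RedirectToAction("Details", new { id = profile.Id });
        }
    }
}
```

The cleanest version of Edit takes a small view model that only has DisplayName and Email and no [Bind] at all; the Include list above is the next best thing when the domain object has to be the parameter.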

The following are common ASP.NET measures:

  • Set debug="false" in web.config
  • Enable custom errors
  • Cookie encryption
  • Validate all inputs
  • Enable request validation
  • Encode output
+1
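The web.config side of the list above as an added example; this is not configuration from the answer or from any project template. It is a fragment for an ASP.NET 4.0 site with the development-style value shown commented out above each hardened setting. Paths such as ~/Error and ~/Account/LogOn are illustrative.

```xml
<!-- Added example, not configuration from the original answer. ASP.NET 4.0
     web.config fragment; the commented-out lines are the weak settings. -->
<configuration>
  <system.web>
    <!-- Weak: debug="true" sends full stack traces and source lines, and
         disables the compilation and request timeouts meant for production. -->
    <!-- <compilation debug="true" targetFramework="4.0" /> -->
    <compilation debug="false" targetFramework="4.0" />

    <!-- Weak: mode="Off" shows the "yellow screen of death" (stack trace,
         physical paths) to every visitor. RemoteOnly keeps it for localhost. -->
    <!-- <customErrors mode="Off" /> -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error">
      <error statusCode="404" redirect="~/Error/NotFound" />
    </customErrors>

    <!-- Cookies: not readable from script, only sent over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Forms auth ticket encrypted and signed (protection="All" is the
         default but worth stating), cookie only over HTTPS, fixed lifetime. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" protection="All" requireSSL="true"
             timeout="30" slidingExpiration="false" />
    </authentication>

    <!-- On a web farm every node must share one explicit <machineKey>
         so a ticket issued by one node validates on another; generate the
         keys with IIS Manager rather than pasting values from a web page. -->

    <!-- Request validation rejects markup-looking input before it reaches
         the action. On .NET 4 the default mode ("4.0") validates at the
         start of the request; MVC 2 needs "2.0" for [ValidateInput(false)]
         to take effect on the one action that legitimately accepts HTML. -->
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="true" />
  </system.web>
</configuration>
```

Request validation is a backstop, not a substitute for the output encoding in the other answers: it is off for the action that accepts rich text, and that is exactly the data that must be encoded on the way out.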

Do not use default GET actions unless absolutely necessary. For example, if you have a DeleteUser action that does not have [AcceptVerbs(HttpVerbs.Post)], it can be called via

 <img src="http://yoursite/admin/DeleteUser/1" />

which will be invoked whenever someone else "displays" the image.

+1
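The DeleteUser case from the answer above as an added example, not code from the answer or from ASP.NET MVC: the GET-reachable action beside a version that only changes state on POST and only with a valid anti-forgery token, which also covers a cross-site auto-submitted form, not just the <img> trick. It assumes ASP.NET MVC 2 or later (where [HttpPost] is shorthand for [AcceptVerbs(HttpVerbs.Post)]), a hypothetical IUserRepository, and Index and DeleteUser views that are not shown.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC 2+
// and a hypothetical IUserRepository; names are illustrative.
using System.Web.Mvc;

namespace AdminDemo.Controllers
{
    public interface IUserRepository
    {
        void Delete(int id);
    }

    [Authorize(Roles = "Admin")]
    public class AdminController : Controller
    {
        private readonly IUserRepository _users;

        public AdminController(IUserRepository users)
        {
            _users = users;
        }

        public ActionResult Index()
        {
            return View();
        }

        // VULNERABLE, kept for comparison: reachable by GET, so
        // <img src="/admin/DeleteUser/1" /> on any page an admin happens to
        // view deletes user 1 with the admin's own authentication cookie.
        public ActionResult DeleteUserInsecure(int id)
        {
            _users.Delete(id);
            return RedirectToAction("Index");
        }

        // GET only renders a confirmation form; nothing changes.
        public ActionResult DeleteUser(int id)
        {
            return View(id);
        }

        // The confirmation view (DeleteUser.aspx) posts back with the token:
        //   <% using (Html.BeginForm()) { %>
        //     <%= Html.AntiForgeryToken() %>
        //     <input type="submit" value="Delete user <%= Html.Encode(Model) %>" />
        //   <% } %>

        // State changes only on POST and only when the hidden form field
        // matches the anti-forgery cookie, so neither an <img> (GET) nor a
        // form auto-submitted from another site (POST, no token) can trigger it.
        [HttpPost, ActionName("DeleteUser")]
        [ValidateAntiForgeryToken]
        public ActionResult DeleteUserConfirmed(int id)
        {
            _users.Delete(id);
            return RedirectToAction("Index");
        }
    }
}
```

[ActionName("DeleteUser")] lets the GET and POST handlers share one URL while keeping distinct method names; without the token check, restricting the verb to POST alone still leaves the action open to a hidden form on an attacker's page.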
