Is worrying about XSS, CSRF, SQL injection and cookie theft sufficient to protect web security?

Web applications on uncompromised computers are vulnerable to XSS, CSRF, SQL injection and cookie theft in unsafe Wi-Fi environments.

The following remedies exist to prevent these security issues.

  • SQL injection: a good data mapper (e.g. LINQ-to-SQL) is not at risk of SQL injection (am I naïve to believe this?)
  • CSRF: each form entry is verified using `<%: Html.AntiForgeryToken() %>` (this is a token in the ASP.NET MVC environment, which is stored in a cookie and verified on the server)
  • XSS: each form that allows HTML publishing is converted; only BB code is allowed and the rest is encoded. All possible save actions are performed using the POST event, so rogue img tags should have no effect
  • cookie hijacking: HTTPS

Am I now invulnerable to attempts to hack my websites (when these measures are implemented correctly)? Or am I missing some other security issues in web development? (Except for possible holes in the OS platform or other software.)

+7
5 answers

Easy answer: "No, you are not invulnerable; no one is!"

This is a good start, but there are a few more things you could do. The main thing that you did not mention is validating untrusted data against a whitelist, and this is important because it covers several exploits, such as SQLi and XSS. Take a look at OWASP Top 10 for .NET Developers Part 1: Injection and, in particular, the section "All input should be validated against a whitelist of valid value ranges."

Next, you must apply the principle of least privilege to accounts connecting to your SQL Server. See the header under this name in the previous link.

Given that you are working with ASP.NET, make sure that request validation remains enabled, and if you absolutely must disable it, do it only at the page level. More on this in Request Validation, DotNetNuke and design utopia.

The main thing for your output encoding is to make sure that you encode for the correct context. HTML encoding != JavaScript encoding != CSS encoding. More on this in OWASP Top 10 for .NET Developers Part 2: Cross-Site Scripting (XSS).

For cookies, make them HTTP only and, if possible, allow them to be served securely (if you are happy running HTTPS only). Try putting your web.config through the web.config security analyzer, which will help point you in the right direction.

Another CSRF defense - albeit with a usability impact - is CAPTCHA. Obviously you want to use it with restraint, but if you have really important functions that you want to protect, it is set up pretty quickly. Learn more in OWASP Top 10 for .NET Developers Part 5: Cross-Site Request Forgery (CSRF).

In addition, it seems that you know many of the important principles. It will not make you invulnerable, but it is a good start.

+4
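Whitelist validation as described above, as an added example that is not from the original answer: a plain dict of posted form fields stands in for the MVC model binder, the field names are hypothetical, and every field has a validator for its allowed value range; unlisted fields are never bound.

```python
import re

# Constructed allow-list (hypothetical field names): a field is bound only if it
# is listed here AND its value passes the range check. A posted field that is
# not listed (e.g. "IsAdmin") is dropped before it can reach the model.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")

def _valid_age(v):
    # Digits only, then a numeric range: "999" and "-1" both fail.
    return v.isdigit() and 13 <= int(v) <= 120

PROFILE_ALLOWLIST = {
    "UserName": lambda v: USERNAME_RE.fullmatch(v) is not None,
    "DisplayName": lambda v: 1 <= len(v) <= 40 and "<" not in v,
    "Age": _valid_age,
}

def bind_profile(form):
    """Return (bound_fields, errors) for a posted form dict.

    Unknown keys are silently ignored (not bound); a listed key whose value is
    not a string or fails its check produces an error and is not bound either.
    """
    bound, errors = {}, []
    for name, check in PROFILE_ALLOWLIST.items():
        if name not in form:
            continue
        value = form[name]
        if not isinstance(value, str) or not check(value):
            errors.append("%s: value rejected by allow-list" % name)
            continue
        bound[name] = value
    return bound, errors
```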

This is the ultimate guide to web attacks. In addition, I would recommend that you use Metasploit for your web application.

0

Am I invulnerable to hacking attempts on the Internet?

Because no matter how good you are, everyone makes mistakes, the answer is no. You almost certainly forgot to sanitize some input or to use an anti-forgery token. If you have not already done so, you or another developer will as your application grows.

This is one of the reasons for using frameworks. For example, MVC will automatically generate anti-CSRF tokens, while LINQ-to-SQL (as you mentioned) will sanitize the database input. So, if you are not already using a framework that does anti-XSS and anti-CSRF by default, you should start now.


Of course, they will protect you from these specific threats, but they can never protect you from all threats. For example, if you have an insecure password on your SQL connection, it is possible that someone will redirect your database password and gain access. If you do not keep your versions of .NET / SQL Server / everything up to date, you can become a victim of an online worm (and even if you do, it is still possible to be hit by a zero-day).

There are even problems that you cannot solve in software: a script kiddie can DDoS your site. Your hosting company may go bankrupt. A shady competitor could simply take a pair of clippers to your internet line. Your warehouse may burn down. A developer could sell the source code to a company in Russia.


The fact is that you can never be safe from everything - you can be safe only from specific threats.

0

This is definitely not enough! There are several other security issues that you should keep in mind when developing a web application. To get an overview, you can use the OWASP Top Ten.

I think this is a very interesting article to read when you think about web security: What does a developer need to know before creating a public website? There is a security section that provides good links for most of the threats you encounter when developing web applications.

The most important thing to remember when thinking about security: Do not trust user input!

[I am answering this "old" question because I think it is always a hot topic.]

0

What you did not mention:

You missed a dangerous attack that is part of MVC: the over-posting attack

You also missed the most annoying threat: denial of service

You should also pay enough attention to file uploads (if you have any ...) and much more ...

About what you mentioned:

XSS is really, really, really a wasteful and very annoying thing to mitigate. There are several types of encoding, including HTML encoding, JavaScript encoding, CSS encoding, HTML attribute encoding, URL encoding, ...

Each of them must be applied to the proper content in the right place, i.e. just doing HTML content encoding is not enough in all situations.

And the most annoying thing about XSS is that there are some situations where you must perform combinational encoding (i.e. first JavascriptEncode and then HtmlEncode ... !!!)

Take a look at the following link to learn more about the nightmare called XSS ... !!!

XSS Filter Evasion Cheat Sheet - OWASP

0
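Context-specific and combinational encoding, as discussed in the first answer (HTML != JavaScript != CSS encoding) and in this one, as an added example that is not from either answer; the encoders use Python's standard library rather than ASP.NET's, the `greet`/`user` names are hypothetical, and `js_sees` only simulates the browser's attribute decoding step.

```python
import html
import json
from urllib.parse import quote

# One encoder per output context: which one is right depends on where the
# untrusted value lands in the page, not on what the value looks like.

def html_encode(s):
    """Text between tags, or inside a quoted HTML attribute value."""
    return html.escape(s, quote=True)

def js_string_encode(s):
    """Inside a JavaScript string literal. JSON escaping covers quotes,
    backslashes and control chars; <, > and ' are hex-escaped too, so a value
    can never close a <script> block or break a single-quoted literal."""
    body = json.dumps(s)[1:-1]
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("'", "\\u0027")

def css_string_encode(s):
    """Inside a CSS string: every non-alphanumeric char becomes \\HEX
    (the trailing space terminates the escape)."""
    return "".join(c if c.isalnum() else "\\%x " % ord(c) for c in s)

def url_encode(s):
    """A value placed inside a URL query component."""
    return quote(s, safe="")

def render_script_block(name):
    """Value inside a <script> element: JS encoding only. The HTML parser does
    not decode entities here, so HTML encoding would be the wrong tool."""
    return '<script>var user = "%s";</script>' % js_string_encode(name)

def render_onclick(name):
    """Value inside a JS string inside an HTML attribute: combinational
    encoding. The browser HTML-decodes the attribute first and the JS parser
    reads the result, so encode JS first and HTML second (the reverse order)."""
    return "<a onclick=\"greet('%s')\">hi</a>" % html_encode(js_string_encode(name))

def js_sees(attr_value):
    """Simulate the browser: what the JS parser receives from an attribute."""
    return html.unescape(attr_value)
```

With `render_onclick`, HTML encoding alone would be undone by the browser before the script runs, which is exactly the combinational case the answer warns about.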
