Acceptable Security: Disable ValidateRequest with Parameterized SQL and HTML Strings?

I try to make sure that my ASP.NET application is as safe as possible. It only accepts and stores user input data in the SQL database (ordinary things) behind a login, so it is not accessible to the general public.

By disabling ValidateRequest for input pages, I appreciate the risk of XSS attacks. All SQL queries are parameterized, so they are safe against SQL injection (right?).

Instead of using the Anti-XSS library, can I just HTMLencode the input text? Do I then store the HTMLencoded string?

Or am I looking at it wrong? Should I store user input verbatim, and then HTMLencode or XSS-HTMLencode anytime it is output to the browser?

+7
2 answers

OK, reading around, it seems the common wisdom is to keep the input verbatim, never adjust anything, and just parameterize it to protect against SQL injection.

Some good comments here: What are the best methods to prevent xss attacks on a PHP site

Then either HTML encode (seems vulnerable) or use the XSS library to encode the output. As stated in the link above, the destination for the data may not be a browser at some later point.

Then, using the XSS attack examples here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, enter some of this data into the database and return it to the browser. With the right encoding, you should see the text and not execute the script.

+3

Considering that Injection and XSS attacks occupy the first two places in the OWASP Top 10, you have to be very careful when you disable request validation in ASP.NET.

First, do not disable request validation unless it is really necessary. You should have a reason to do this. Request validation is a built-in mechanism against attacks such as XSS.

Second, always do a whitelist check on all input fields, allowing only acceptable characters to pass.

There will be cases when you need to let through characters like '<' or '>', which are potentially dangerous.

Thus, you should always encode the output if you display it on the page. Always. This will prevent JavaScript from executing (if it was inserted into the input).

Parameterized queries should be used in conjunction with the aforementioned validation, whitelisting and encoding to prevent SQL injection attacks.

Also, do not build dynamic queries (dynamic SQL) inside SQL stored procedures.

And make sure that all database users and SQL stored procedures have an appropriate level of access to database resources (a least-privilege approach to access rights).

+1
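Both answers come down to the same pattern: store the input verbatim through a parameterized query, and encode it for the HTML context only when it is output. As an added example that is not part of either answer or of ASP.NET itself, here is that pattern in Python (sqlite3 standing in for SqlCommand parameters, html.escape for HtmlEncode), fed with constructed inputs of the kind the OWASP cheat sheet lists, plus what double encoding looks like when input is encoded before storage as well.

```python
import html
import sqlite3

# Constructed sample inputs: ordinary text plus tag- and quote-bearing strings
# of the kind listed on the OWASP filter-evasion cheat sheet referenced above.
SAMPLE_COMMENTS = [
    "Robert'); DROP TABLE comments;--",
    "<script>alert(1)</script>",
    '<img src="x" onerror="alert(1)">',
    "plain text & nothing else",
]


def open_store():
    """In-memory SQLite table standing in for the application's SQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def store_verbatim(conn, body):
    """Store the input unchanged; the ? placeholder keeps it data, never SQL text."""
    conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()


def fetch_all(conn):
    """Return stored bodies exactly as the user typed them."""
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


def render_html(body):
    """Encode at output time for an HTML text node; quote=True also covers attribute values."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def looks_inert(rendered):
    """Rough check: no raw tag delimiters survive inside the rendered fragment."""
    inner = rendered[len("<p>"):-len("</p>")]
    return "<" not in inner and ">" not in inner


def double_encoded(body):
    """What a reader sees if input was encoded before storage AND encoded again at output."""
    return html.escape(html.escape(body))


def demo():
    """Store every sample verbatim, then render each one for the browser."""
    conn = open_store()
    for comment in SAMPLE_COMMENTS:
        store_verbatim(conn, comment)
    stored = fetch_all(conn)
    return stored, [render_html(body) for body in stored]
```

The stored list coming back identical to the input shows the parameterized insert treated the `DROP TABLE` string as data; the rendered list shows the same raw text made inert only at the output boundary.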
