Personally, I try and write secure ASP.NET code. However, I have become quite paranoid about the code I write, as I used to work for a Registrar (high fraud targets). Are there any ASP.NET functions I should look at with extreme scrutiny (other than SQL access - I know enough not to do dynamic SQL).

+4  A: 

This is an excellent MSDN article: Security Practices: ASP.NET 2.0 Security Practices at a Glance.

Excerpt:

How to prevent cross site scripting

Validate input and encode output. Constrain input by validating it for type, length, format, and range. Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user, such as input from form fields, query strings, and cookies or from other sources, such as databases. Never just echo input back to the user without validating and/or encoding the data. The following example shows how to encode a form field.

Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));

If you return URL strings that contain input to the client, use the HttpUtility.UrlEncode method to encode these URL strings, as shown here.

Response.Write(HttpUtility.UrlEncode(urlString));

If you have pages that need to accept a range of HTML elements, such as through some kind of rich text input field, you must disable ASP.NET request validation for the page.

Turn On Custom Errors To Keep Errors Private

<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
Mitch Wheat
Thanks Mitch! I appreciate your response, however... the response you have given leads me to believe that this is a countermeasure for either unescaped SQL or for non-DB driven code. Reason being that it's all user-input storage based. Also, URLEncoding things tends to "over-encode" in my experience, because it has to subscribe to URL encoding rules (very strict). Also, with ASP.NET I try to avoid any Response.Writes. I find the ASP.NET code-in-front controls give much better structural awareness to my HTML. I'll give you +1 though, because you are still technically valid :)
Thunder3
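The encoders named in Mitch Wheat's answer, and the "over-encoding" Thunder3 describes, as an added example that is not part of either post: one untrusted value is placed in four output contexts (HTML body, HTML attribute, query-string value, JavaScript string literal), each through the encoder that matches that context. It uses only System.Web.HttpUtility; the sample input string, the helper names and the Whole-URL comparison are mine.

```csharp
// Added example (not from the original answers): context-aware output encoding.
// Builds as a console app on .NET Framework or .NET Core 2.0+ (System.Web.HttpUtility
// ships with both). Each helper encodes the SAME untrusted value for ONE output context.
using System;
using System.Web;

static class OutputEncodingDemo
{
    // Constructed sample input: a reflected-XSS probe as it might arrive in Request.Form["name"].
    public const string Untrusted = "<script>alert('x')</script>&\"";

    // HTML body context:  <p>Hello, {name}</p>
    public static string ForHtmlBody(string s) => HttpUtility.HtmlEncode(s);

    // HTML attribute context:  <input value="{name}">
    // HtmlAttributeEncode also handles the quote characters that matter inside an attribute.
    public static string ForHtmlAttribute(string s) => HttpUtility.HtmlAttributeEncode(s);

    // Query-string VALUE context:  /search?q={name}
    // UrlEncode is for a single parameter value, not for an already-assembled URL.
    public static string ForQueryValue(string s) => HttpUtility.UrlEncode(s);

    // JavaScript string literal context:  var name = "{name}";
    // HtmlEncode is NOT sufficient here; a JS-string encoder is needed.
    public static string ForJsString(string s) => HttpUtility.JavaScriptStringEncode(s);

    // Builds a link by encoding only the untrusted part. The path separators and
    // the '?' / '=' delimiters stay literal, so the link still works.
    public static string BuildSearchLink(string path, string q) => path + "?q=" + ForQueryValue(q);

    // What Thunder3 calls over-encoding: UrlEncode applied to the whole URL string turns
    // '/', '?' and '=' into %2F, %3F and %3D, and the result no longer resolves as intended.
    public static string OverEncodedLink(string path, string q) => HttpUtility.UrlEncode(path + "?q=" + q);

    static void Main()
    {
        Console.WriteLine("Raw input:   " + Untrusted);
        Console.WriteLine("Body:        <p>Hello, " + ForHtmlBody(Untrusted) + "</p>");
        Console.WriteLine("Attribute:   <input value=\"" + ForHtmlAttribute(Untrusted) + "\">");
        Console.WriteLine("JS string:   var name = \"" + ForJsString(Untrusted) + "\";");
        Console.WriteLine("Link (ok):   " + BuildSearchLink("/search", Untrusted));
        Console.WriteLine("Link (bad):  " + OverEncodedLink("/search", Untrusted));
    }
}
```

The point the excerpt's one-liners do not show is that the right encoder depends on where the value lands, not on where it came from: HtmlEncode output dropped inside a `<script>` block or an unquoted attribute is still exploitable. In Web Forms code-in-front, the same HTML-body encoding is available without Response.Write via the ASP.NET 4 `<%: Request.Form["name"] %>` block or `<asp:Literal Mode="Encode" ... />`; `Label.Text` does not encode.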
A: 

Never trust user input. Never assume client-side validation will prevent bad input data. Always ensure that ValidateRequest="true" and EnableEventValidation="true" are set in your web.config:

See Request Validation and ASP.NET Security Tutorials.

Dan Diplo
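The settings the two answers name, placed where they actually live in web.config, as an added example that is not part of either post: the weak configuration is shown commented out beside the hardened one. The requestValidationMode line is an assumption for the rich-text case Mitch Wheat mentions (it applies to ASP.NET 4.0 and later only).

```xml
<!-- Added example (not from the original answers): weak vs. hardened ASP.NET settings. -->
<configuration>
  <system.web>

    <!-- Weak: request and event validation switched off site-wide, and detailed
         exception pages (stack traces, physical paths) served to remote users. -->
    <!--
    <pages validateRequest="false" enableEventValidation="false" />
    <customErrors mode="Off" />
    -->

    <!-- Hardened: both validations on for every page by default. -->
    <pages validateRequest="true" enableEventValidation="true" />

    <!-- mode="On" hides details from everyone (as in Mitch Wheat's answer);
         mode="RemoteOnly" hides them from remote clients but still shows them
         to a browser running on the server, which is handy while debugging. -->
    <customErrors mode="RemoteOnly" defaultRedirect="YourErrorPage.htm" />

    <!-- Assumption for ASP.NET 4.0+: with the default requestValidationMode="4.0",
         a page-level ValidateRequest="false" (needed for a rich-text field) is ignored.
         Set 2.0 so that only the pages that opt out of request validation do so. -->
    <httpRuntime requestValidationMode="2.0" />

  </system.web>
</configuration>
```

Leaving validateRequest on site-wide and opting out per page keeps the opt-out reviewable: every page that accepts raw HTML is visible in source as `<%@ Page ValidateRequest="false" %>`, and those pages are the ones that need their own sanitising before storage or display.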