views:

226

answers:

4

I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvious and well known issues when deploying a website.

Thanks.

+1  A: 

I kinda do the following:

  1. Separate my concerns. Admin in admin folder etc.
  2. [Authorize] on all actions that require you to be logged in.
  3. Html.Encode all data entry fields.
  4. ActionResult Create([Bind(Prefix = "", Exclude = "id")] MyModel newModelObject) <== exclude IDs that can be used in an attack

Other than that...

griegs
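An added example (not code from the original answer) showing what the [Bind(Prefix = "", Exclude = "id")] line in item 4 does and does not protect against. The entity, the in-memory store and the action names are hypothetical; it assumes ASP.NET MVC 2 or later (System.Web.Mvc), where [HttpPost] is shorthand for [AcceptVerbs(HttpVerbs.Post)]. The point is over-posting: the default model binder fills every public property of the parameter from the request, so a blacklist only stops the fields you remembered to name.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Hypothetical entity: note the privileged IsAdmin flag.
public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be set from the form post
}

// Hypothetical in-memory store so the controller runs without a database.
public static class UserStore
{
    public static readonly List<User> Users = new List<User>();
}

// Item 2: [Authorize] on everything that needs a login, here once at class
// level so that every action on this controller requires the Admin role.
[Authorize(Roles = "Admin")]
public class UsersController : Controller
{
    // VULNERABLE: binding the entity directly means a client that adds
    // "IsAdmin=true" (or "Id=1") to the form post gets it stored as-is.
    [HttpPost]
    public ActionResult CreateUnsafe(User newUser)
    {
        UserStore.Users.Add(newUser);
        return RedirectToAction("Index");
    }

    // Blacklist, as in item 4: the client can no longer set Id, but it can
    // still set IsAdmin, and any property added to User later is bound by default.
    [HttpPost]
    public ActionResult CreateExclude([Bind(Prefix = "", Exclude = "Id")] User newUser)
    {
        UserStore.Users.Add(newUser);
        return RedirectToAction("Index");
    }

    // Whitelist: only the named properties are bound; every other form field is ignored.
    [HttpPost]
    public ActionResult CreateInclude([Bind(Include = "UserName,Email")] User newUser)
    {
        newUser.IsAdmin = false;          // privileged fields are decided server-side
        UserStore.Users.Add(newUser);
        return RedirectToAction("Index");
    }

    // Safest: a view model that has only the fields the form may set,
    // copied explicitly onto the entity. Nothing else can be over-posted.
    public class CreateUserForm
    {
        public string UserName { get; set; }
        public string Email { get; set; }
    }

    [HttpPost]
    public ActionResult Create(CreateUserForm form)
    {
        if (!ModelState.IsValid)
            return View(form);
        var user = new User { UserName = form.UserName, Email = form.Email, IsAdmin = false };
        UserStore.Users.Add(user);
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View(UserStore.Users);
    }
}
```

To see the difference, post UserName=eve&Email=e@x&IsAdmin=true to each action: CreateUnsafe and CreateExclude store an admin, CreateInclude and Create do not.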
+5  A: 
  1. As always, make sure you properly encode output - notice that I am here saying encode and not HtmlEncode. If you're outputting content to HTML then you want to use Html.Encode - however, if you're outputting to JavaScript then you want to use a JavaScript encode function. This will help you against Cross-Site Scripting (XSS).
  2. Use the helpers that help against CSRF attacks where needed (or maybe just everywhere)
  3. Depending how you access your data storage, if it's a SQL Database, remember to protect yourself against SQL injections, either through parameterized queries, stored procedures, LINQ or what have you.
  4. When you test, make sure your test data contains dodgy output (stuff where a failure to call Html.Encode would reveal itself easily, perhaps through <script type="text/javascript">alert("XSS attack!");</script>XSS here!; the same goes for stuff that's injected into JavaScript. Make mistakes show up!)
  5. When model binding use a whitelisting approach for properties so users cannot make the binder bind properties that are not intended to be bound!
kastermester
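An added example (not code from the original answer) for items 1, 3 and 4 together: the same untrusted value encoded for an HTML element and for a JavaScript string with two different encoders, the alert() probe from item 4 kept as a constant so it lands in every test fixture, and a concatenated SQL query beside its parameterized form. It assumes .NET 4.0 or later for HttpUtility.JavaScriptStringEncode and System.Data.SqlClient for the query; the Products table and the page layout are hypothetical.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Web;

public static class SafeOutput
{
    // Item 4: the dodgy test value. Seed it into test users, product names,
    // comments, etc. Any view that forgets to encode pops an alert in the browser.
    public const string XssProbe =
        "<script type=\"text/javascript\">alert(\"XSS attack!\");</script>XSS here!";

    // HTML element context: Html.Encode / HttpUtility.HtmlEncode.
    // '<' becomes "&lt;", so the browser displays the text instead of running it.
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // JavaScript string context needs a different encoder. HtmlEncode is the
    // wrong tool here: it leaves a quote-and-semicolon breakout such as
    //   "; alert(1); //
    // up to the HTML parser's rules, not JavaScript's, and its "&lt;" entities
    // are shown literally inside the script. JavaScriptStringEncode escapes
    // quotes, backslashes, control characters and < > & as \uXXXX sequences,
    // so the value can never terminate the string or the <script> block.
    public static string ForJavaScriptString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value);
    }

    // The same untrusted value rendered in both contexts on one page.
    public static string RenderPage(string untrusted)
    {
        var sb = new StringBuilder();
        sb.Append("<p>Hello, ").Append(ForHtml(untrusted)).Append("</p>\n");
        sb.Append("<script type=\"text/javascript\">\n");
        sb.Append("  var name = \"").Append(ForJavaScriptString(untrusted)).Append("\";\n");
        sb.Append("  document.title = name;\n");
        sb.Append("</script>\n");
        return sb.ToString();
    }
}

public static class SafeQueries
{
    // VULNERABLE (item 3): string concatenation. A name of  ' OR 1=1 --
    // changes the query's structure and returns every row.
    public static SqlCommand SearchUnsafe(SqlConnection conn, string name)
    {
        return new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Name = '" + name + "'", conn);
    }

    // Parameterized: the value is sent separately from the SQL text, so quotes
    // and comment markers inside it are data, never syntax.
    public static SqlCommand SearchSafe(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Products WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 200).Value = name;
        return cmd;
    }
}
```

Running SafeOutput.RenderPage(SafeOutput.XssProbe) gives a page where the paragraph shows the probe as text and the script assigns it to a string without executing it; swap ForJavaScriptString for ForHtml in the script line and the rendered value is visibly wrong, which is the mistake item 1 warns about.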
I like item 4. I don't think enough people do that, relying on testers to do those sorts of tests.
griegs
Heh, me too. Funnily enough, this is the sort of thing that came to my mind when I had to think of what piece of advice I would give others. I can now see I need to do some self-reflection on some of this...
kastermester
Yeah I'm looking at all these comments thinking that I need to do exactly the same. :)
griegs
Heh you just made my night - glad to know I'm not the only one!
kastermester
+1  A: 

The following are general ASP.NET measures:

  1. Set Debug=false in web.config
  2. Turn on custom errors
  3. Encrypt your cookies
  4. Validate all inputs
  5. Enable Request Validation
  6. Encode your output
Ramesh
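An added web.config fragment (not from the original answer) for items 1, 2, 3 and 5, with the weak development setting shown in a comment next to each hardened value. Items 4 and 6 are code, not configuration, so they are not here. It assumes ASP.NET 4.0 on IIS and Forms authentication; the redirect paths and the login URL are hypothetical.

```xml
<!-- Added example: hardened settings with the weak value noted beside each. -->
<configuration>
  <system.web>
    <!-- 1. Weak: <compilation debug="true" />
         (detailed stack traces to the client, no request timeouts, unminified scripts). -->
    <compilation debug="false" targetFramework="4.0" />

    <!-- 2. Weak: <customErrors mode="Off" />
         (the yellow error page exposes source lines, paths and versions).
         RemoteOnly keeps details on localhost only; a defaultRedirect is required. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error">
      <error statusCode="404" redirect="~/Error/NotFound" />
    </customErrors>

    <!-- 3. Cookies. Weak: <forms protection="None" /> and no httpOnlyCookies/requireSSL.
         protection="All" encrypts and signs the auth ticket with the machineKey;
         httpOnlyCookies keeps cookies away from script; requireSSL needs HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" protection="All" requireSSL="true"
             timeout="30" slidingExpiration="false" />
    </authentication>
    <!-- Set explicit validationKey/decryptionKey here on a web farm so all nodes agree. -->
    <machineKey validation="HMACSHA256" decryption="AES" />

    <!-- 5. Weak: <pages validateRequest="false" /> or <httpRuntime requestValidationMode="2.0" />
         (turns off the "potentially dangerous Request.Form value" check).
         Keep it on globally and opt out per action with [ValidateInput(false)] only where
         markup input is genuinely required and is encoded on output. -->
    <pages validateRequest="true" />
    <httpRuntime requestValidationMode="4.0" enableVersionHeader="false" />
  </system.web>
</configuration>
```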
+1  A: 

Don't use the default GET on actions unless absolutely necessary. For example, if you have a DeleteUser action that doesn't have an [AcceptVerbs(HttpVerbs.Post)] on it, it can be called via

<img src="http://yoursite/admin/DeleteUser/1" />

which will get called by whoever "views" the image.

swilliams
IMO, if a hacker can inject an img tag into a page, it may not be difficult for him to inject JS which will do a POST to the delete URL. What do you think?
Ramesh
Yes, which is why you follow @griegs's advice and [Authorize] sensitive stuff too :). [Authorize] alone won't work, since a user can be logged in (to most apps) without viewing the page.
swilliams
Hmm, I got it: exposing a GET request can lead to cross-domain XSRF.
Ramesh
Yeah, as mentioned, you definitely want to combine this (as in requiring a POST, DELETE or some other header than GET) with the anti-XSRF helpers - besides that, this is a solid piece of advice.
kastermester
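An added example (not code from the original answer or comments) that puts swilliams' DeleteUser point and the comment thread together: the GET action that an <img> tag can trigger, beside a version that requires POST, a logged-in admin, and an anti-forgery token, which is what stops the injected-script POST Ramesh describes. It assumes ASP.NET MVC 3 or later (System.Web.Mvc, Razor, HttpNotFound); the controller name, the user store and the Admin role are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

public class AdminController : Controller
{
    // Hypothetical user store, kept in memory for the example.
    private static readonly Dictionary<int, string> Users = new Dictionary<int, string>
    {
        { 1, "alice" },
        { 2, "bob" }
    };

    // VULNERABLE: answers GET and has no [Authorize]. Any page that embeds
    //   <img src="http://yoursite/admin/DeleteUserUnsafe/1" />
    // deletes user 1 when someone who is logged in merely views it.
    public ActionResult DeleteUserUnsafe(int id)
    {
        Users.Remove(id);
        return RedirectToAction("Index");
    }

    // GET only shows a confirmation form; the form carries the anti-forgery token.
    // The Razor view (DeleteUser.cshtml) would contain:
    //   @using (Html.BeginForm("DeleteUser", "Admin", new { id = Model })) {
    //       @Html.AntiForgeryToken()
    //       <input type="submit" value="Delete" />
    //   }
    [Authorize(Roles = "Admin")]
    public ActionResult DeleteUser(int id)
    {
        if (!Users.ContainsKey(id))
            return HttpNotFound();
        return View(id);
    }

    // HARDENED:
    //  [HttpPost] (same as [AcceptVerbs(HttpVerbs.Post)]) - an <img> or a link
    //      can only issue GET, so it never reaches this action;
    //  [Authorize] - the caller must be a logged-in admin, not just any visitor;
    //  [ValidateAntiForgeryToken] - a script on another origin can send a POST,
    //      but it cannot read the per-session token that this form includes, and
    //      the filter rejects a request whose form token does not match the
    //      __RequestVerificationToken cookie. This is the "combine with the anti-XSRF
    //      helpers" step from the comments.
    [HttpPost]
    [Authorize(Roles = "Admin")]
    [ValidateAntiForgeryToken]
    [ActionName("DeleteUser")]
    public ActionResult DeleteUserConfirmed(int id)
    {
        if (!Users.Remove(id))
            return HttpNotFound();
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View(Users);
    }
}
```

With this in place, GET /admin/DeleteUser/1 only renders the confirmation page, a cross-site POST without the token is rejected with a 500 from the anti-forgery filter before the action runs, and an anonymous request is redirected to the login page.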