views:

248

answers:

4
A: 
  • User credentials are validated on each request, either GET or POST or other, to confirm the user authentication

  • Check user authorization (after checking authentication) for each sensitive operation

  • Watch out output caching, especially if you implement your own membership system

Developer Art
A: 

Sticking mostly to MVC-specific stuff:

  • In ASP.NET 4, understand <%: and MvcHtmlString.
  • Use HTML helpers when possible instead of raw HTML as it increases the chances you'll remember to encode (the helpers do it for you)
  • Analyze all uses of JsonRequestBehavior.AllowGet to ensure it cannot return an array.
  • Don't reinvent anything security-related. Use proven, maintained, off-the-shelf implementations.
  • Don't leak security information in robots.txt
Craig Stuntz
Good points! Should we say that JsonRequestBehavior.AllowGet shouldn't be used at all due to http://haacked.com/archive/2009/06/25/json-hijacking.aspx?
andreister
No. It's fine when you return a non-array as the root object.
Craig Stuntz
A: 

Make sure you don't blindly bind form data to your model by always using TryUpdateModel<T> over TryUpdateModel.

Martijn Laarman
A: 

To add to the list:

Black: DoS attacks - employ tinyget or similar to simulate DoS attacks, see what your app does.

Black: Canonicalization attacks. Mentioned a bit, may be special focus can be on a directory traversal attack in case of downloads.

White: Usage of cookies for the sensitive info? See cookies are not used for sensitive data and are not persisted locally over the intented interval. Black: Sniff in the temp IE/XYZ folder for cookies.

Black: Again, use scripted tinyget or try manually to see if brute force password guess would work or if you app has smart delays/denials for a password guess attacks.

Black: Do any of the attacks and see if admin is notified automatically of the attack or it is only the attacker who knows about it.

"Make sure your security decisions do not rely on HTTP headers info" - http headers are used for ntml/kerberos authentication? May be just don't use them stupidly, don't invent or rely on referer, etc?

General: Employ a commercial black/white-box security scanner, can be expensive but can be hard to do security regression tests otherwise.

Stan D.