I'm a bit behind the times when it comes to website security. I know the basics - validate all incoming data, escape data being saved to the db, use a salt for passwords, etc. But I feel like there's a lot I'm missing that can bite me in the butt. This is especially true with my slow migration to .NET. I'm just not sure how to replicate what I know in PHP in .NET. So, below are some things I've been thinking about that I'm sure I need help with.
Problem: Securing sessions
PHP: Use session_regenerate_id() whenever a user does something important.
.NET: No idea how to replicate that here.
General: What else am I missing?
Problem: XSS
PHP: Use htmlentities() to convert potentially dangerous code into something that can be rendered (mostly) harmlessly.
.NET: I believe in MVC, using <%: %> tags in a view does the same thing.
General: Is there more I can do to block JavaScript? What about denying HTML entirely? How would one secure a textarea?
Problem: Remote Execution
PHP: Use a regex to find and remove eval() function calls.
.NET: Unsurprisingly, no idea.
General: Again, is there more I should look for?
Problem: Directory Traversal (probably related to the above)
I'm just not sure how worried I should be about this. Nor am I sure how to block it.
Suggestions, links to articles (with code examples), etc. are most welcome, and would be greatly appreciated.
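As an added example (not part of the question, and not code from its author), here is how three of the server-side defences the question touches on look in PHP: regenerating the session id when the user logs in or out, escaping user text at output time for HTML body and textarea content, and confining a user-supplied file name to a single directory. The function names `startSecureSession`, `loginUser`, `logoutUser`, `escapeHtml`, `renderTextarea` and `safePathInside`, and the `/var/www/uploads` path in the usage sketch, are my own assumptions.

```php
<?php
declare(strict_types=1);

// Sessions: the id should change whenever the privilege level changes (login,
// logout, password change). session_regenerate_id(true) issues a fresh id and
// deletes the old session data, so a previously captured id is worthless.
function startSecureSession(): void
{
    // Assumed settings; adjust 'secure' to match the site's TLS setup.
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    session_set_cookie_params([
        'httponly' => true,   // JavaScript cannot read the cookie
        'secure'   => true,   // cookie is only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // New id first, then store the privileged state under the new id.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// XSS: escape at output time, for the context the data lands in. For HTML body
// text and for the content of a <textarea>, htmlspecialchars() with ENT_QUOTES
// and an explicit charset turns < > & " ' into entities, so any markup the user
// typed is displayed rather than interpreted. Encoding is more reliable than
// trying to strip tags, and it preserves exactly what the user wrote.
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderTextarea(string $name, string $savedValue): string
{
    return '<textarea name="' . escapeHtml($name) . '">'
         . escapeHtml($savedValue)
         . '</textarea>';
}

// Directory traversal: never build a path from user input and open it directly.
// Resolve the candidate with realpath(), which collapses "../" sequences and
// symlinks, then require the result to stay under the allowed base directory.
// Returns the resolved path, or null if the file is missing or outside the base.
function safePathInside(string $baseDir, string $userSuppliedName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userSuppliedName);
    if ($candidate === false) {
        return null;
    }
    // Compare with the separator appended so "/var/www/uploads2" is not
    // mistaken for something inside "/var/www/uploads".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Usage sketch (assumed values):
// startSecureSession();
// if ($credentialsOk) { loginUser($userId); }
// echo renderTextarea('bio', $row['bio']);   // $row['bio'] is raw text from the db
// $path = safePathInside('/var/www/uploads', $_GET['file'] ?? '');
// if ($path === null) { http_response_code(404); exit; }
// readfile($path);
```

Two design points worth noting: escaping belongs at output, not at save time, because the same stored string may later be rendered into HTML, a JavaScript string or a URL, each needing a different encoding; and the traversal check relies on `realpath()` returning a canonical absolute path, so a prefix comparison against the canonical base is sufficient without any blacklist of `..` patterns.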