Hi,

I have recently started a personal project that uses ASP.NET MVC (RC1 at the time of writing). My background is traditional ASP.NET WebForms development.

My knowledge of ASP.NET MVC is limited, so I would like your input on how to best approach authentication, input validation and protection against common attacks (XSS, XSRF, etc.).

I’ll start by listing a few articles Stephen Walther posted on his blog:

Validation:



Thanks,
Arnie

+3  A: 

Off the top of my head (and nowhere near complete)...

  • Use the AntiForgeryToken on all forms to protect against XSRF. Use unit tests to make sure that all controller actions that accept POSTs are decorated with the ValidateAntiForgeryToken attribute.

  • Make use of HtmlHelper extensions wherever possible to take advantage of automatic HTML encoding.

  • Use an ORM with parameterized queries for all DB access -- not unique to MVC, but still relevant.

  • Be restrictive in the HTTP verbs that you accept, down to the minimum required. Use DELETE (via AJAX) or POST for delete actions.

  • Use the AuthorizeAttribute, or an attribute derived from it, to protect non-public actions.

  • Don't expose user ids/passwords in urls which might be cached (i.e., login via form POST rather than GET url). As always, use SSL for passing sensitive data.

tvanfosson
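The answer above recommends pairing AntiForgeryToken with ValidateAntiForgeryToken, restricting verbs, using AuthorizeAttribute, and writing a unit test that catches POST actions missing the token check. The following is an added example (not code from the question, the answer, or the ASP.NET MVC project) showing what that looks like on MVC 1.0-era APIs (AcceptVerbs rather than the later HttpPost attribute). The controller name, action names and the AntiForgeryAudit helper are hypothetical; the audit also flags actions with no verb restriction at all, since those accept POST implicitly, which goes slightly beyond the answer's wording but follows its "be restrictive in the HTTP verbs" point.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical controller, constructed for this example.
// [Authorize] at class level: every action requires an authenticated user.
[Authorize]
public class AccountController : Controller
{
    // GET: renders the form. The view emits the hidden token with
    //   <%= Html.AntiForgeryToken() %>
    // inside the <form>, and Html.Encode / Html.TextBox handle output encoding.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // POST: only the POST verb is accepted, and the anti-forgery token is
    // checked before the action body runs. Input is validated server-side
    // via ModelState rather than trusting anything the client sent.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string newEmail)
    {
        if (String.IsNullOrEmpty(newEmail) || !newEmail.Contains("@"))
        {
            ModelState.AddModelError("newEmail", "Enter a valid e-mail address.");
            return View();
        }
        // ... persist through the ORM with a parameterized query ...
        return RedirectToAction("Index", "Home");
    }
}

// Hypothetical helper for the unit test the answer suggests: walk every
// controller in an assembly and report actions that can receive a POST
// but are not decorated with [ValidateAntiForgeryToken].
public static class AntiForgeryAudit
{
    public static string[] FindUnprotectedPostActions(Assembly assembly)
    {
        return (from type in assembly.GetTypes()
                where typeof(Controller).IsAssignableFrom(type) && !type.IsAbstract
                from method in type.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                where typeof(ActionResult).IsAssignableFrom(method.ReturnType)
                where AcceptsPost(method)
                where !method.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
                select type.Name + "." + method.Name).ToArray();
    }

    // An action with no AcceptVerbs attribute answers every verb, POST included,
    // so it is treated as accepting POST for the purpose of this audit.
    private static bool AcceptsPost(MethodInfo method)
    {
        var verbAttributes = method.GetCustomAttributes(typeof(AcceptVerbsAttribute), true)
                                   .Cast<AcceptVerbsAttribute>()
                                   .ToArray();
        if (verbAttributes.Length == 0)
            return true;
        return verbAttributes.Any(a =>
            a.Verbs.Any(v => String.Equals(v, "POST", StringComparison.OrdinalIgnoreCase)));
    }
}

// Example test body (framework-agnostic): fails the build if any action
// in the web assembly can take a POST without validating the token.
public static class AntiForgeryAuditTest
{
    public static void AllPostActionsValidateAntiForgeryToken()
    {
        string[] offenders = AntiForgeryAudit.FindUnprotectedPostActions(
            typeof(AccountController).Assembly);
        if (offenders.Length != 0)
            throw new Exception("Unprotected POST actions: " + String.Join(", ", offenders));
    }
}
```

Running AllPostActionsValidateAntiForgeryToken from your test project's framework of choice is enough; with the controller above it passes, and removing either the AcceptVerbs or the ValidateAntiForgeryToken attribute from the POST action makes it fail, which is the regression the answer's unit-test suggestion is meant to catch.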