Securing an ASP.Net MVC Site

Question

As a relative newcomer to both web and MVC, I am looking for a good summary of security best practices that I should implement.

The site will be public facing with "moderately sensitive data" (meaning we can't get sued, but probably wouldn't make many friends if the data got out!) and will have the following security steps taken: a: Forms/membership authentication and authorization b: Parameterized queries to prevent sql injection. c: Automatic timeout with x min of inactivity c: SSL for client to server encryption

What else do you recommend?

*Securing IIS and the network don't fall under my domain, so I'm more interested in the things I need to do to the software.

Answer 1

• If you are using cookies to recognize users, be sure to use an arbitrary token (such as a GUID) to store on the client for identification. I've seen too many websites that store my email address or username in my cookie... just have to change it to another!

• Write your software so that it can run under medium trust.

Answer 2

If you are new to web development you should be aware of cross site scripting (XSS). You can use Http.Encode helper method to protect against this in ASP.NET MVC.

Answer 3

Here's another biggie to watch out for: CSRF

http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Answer 4

Take a look at this post by Phil Haack- one of the MS dev’s involved in the development.

Additionally take a look at Microsoft Anti-Cross Site Scripting Library to filter out all incoming parameters

Answer 5

1. Maybe you should choose methods that can be invoke from outside or not. For example be careful make a method like delete any tables like http://yourhost.com/edit/deletealltable. Make sure you design your class and methods well. And give attributes [NonAction] for preventing public method being invoke.

2. Make sure you display data (especially sensitive) as you need with minimum fancy design and use client script as long as needed.

3. Remove any unused trash files like unused files in your solution folder.

4. Check and double check and validate any input control like textbox. I just can give something in the textbox to hack your system.
5. If you use mix between MVC and regular ASP.NET, please remove any dependency between them.

Answer 6

Be sure you cover the basics thoroughly, independently of ASP.NET. Make sure your DBMS has a separate user with the minimal required privileges (e.g., CRUD and executing sprocs from specified databases) set up to access the database from the web application. Parameterizing queries is an excellent idea, but ALWAYS SCRUB YOUR INPUT ANYWAY: it is not a complete defense against sql injection.

Keep your design clean and easy to understand. Document whatever you do clearly, especially on the database side. It would be very bad if all your good work were destroyed by two programmers months or years later--one who didn't realize, say, that the database user for the web application (now accessing a database on a different server) shouldn't have root privileges, and another who added a control that didn't cleanse input properly. There's only so much that can be done about this sort of thing, but designing for the possibility that fools will be maintaining your code isn't so that coders will think you're sweet--it's so that fools won't put you out of business.

Answer 7

Make sure you prevent out of order requests. Ensure client is authenticated before allowing to see sensitive data, or in some cases, make sure the client has come through the correct channel, before allowing a data manipulation. For example, only allow adding an item to your cart if the request came from the product details page. If you don't check, any one can mess around with the action. The URL would be like http://server/cart/add/XYZ123 and anyone could just tweak the 'id' parameter.