I've just started working on implementing my first public-facing website. Since I'm new to this, I think a list of common pitfalls, what they are, and how to avoid them is warranted.

I'm looking for things like:

  • SQL injection (I know this one, but if anyone knows of tools to analyse a website for injection vulnerabilities, that'd be useful).
  • Incorrect storage of passwords. I know I should use salt. What facilities does ASP.NET MVC provide for me to do this?
  • Login rate limiting (Jeff mentioned it on Coding Horror today). How would I implement this in ASP.NET MVC? Can I do this with the standard Membership Provider implementation?
  • What exactly is XSS and what tools are in the ASP.NET MVC toolbox for avoiding it?
  • etc.

If a topic has been dealt with in another question, a quick summary and a link to that question would be a good idea.

+1  A: 
  • SQL injection - Use parameterized queries! If you are using the StringBuilder class or string concatenation to build SQL queries, you're most likely vulnerable to SQL injection.
  • XSS - Provided you use MVC helpers like <%= Html.Encode(yourPossibleCompromisedData) %> to render data to your page, you should be fine. These helpers are designed to stop injected code being executed in the browser. ASP.NET also has form protection stopping malicious code from being posted to your actions (this is not MVC but ASP.NET itself).
  • Incorrect storage of passwords - Use the built-in ASP.NET Membership provider - it uses good patterns (salt, etc.) to store passwords.
  • Login rate limiting - I believe there are contrib projects available to mitigate this (if the built-in provider does not already do it).
  • What exactly is XSS and what tools are in the ASP.NET MVC toolbox for avoiding it? Read: XSS. MVC 1.0 provides the <%= Html.ValidationSummary() %> hidden field for forms so as to mitigate cross-site scripting.
cottsak
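To make the first bullet of the answer concrete, here is an added example (not code from the question, the answer, or ASP.NET itself) showing the same lookup written with string concatenation and then with a parameterized SqlCommand. The Users table, the UserName column and the connection passed in are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: counting users by name, first the way that is open to
// SQL injection, then with a parameterized query. Table and column names
// are assumptions; the caller supplies an open SqlConnection.
public static class UserRepository
{
    // VULNERABLE: the user-supplied value is spliced into the statement text,
    // so the database parses it as SQL rather than treating it as data.
    public static int CountUsersUnsafe(SqlConnection conn, string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE: the statement text is fixed and the value travels as a typed
    // parameter, so whatever the caller supplies is only ever compared as a string.
    public static int CountUsers(SqlConnection conn, string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length keeps the query plan stable and
            // prevents the value from being interpreted as anything but text.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

The same rule applies when the SQL is assembled with a StringBuilder: the problem is not the class used to build the string but that untrusted input becomes part of the statement text. Parameters (or an ORM/LINQ to SQL, which parameterizes for you) keep data and code apart.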
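For the login rate limiting bullet, here is an added example (not code from the answer or from any contrib project) of a small failed-attempt throttle placed in front of Membership.ValidateUser. The counts live in an in-process dictionary, which is an assumption that only holds for a single web server; the threshold of five failures in fifteen minutes is illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Security;

// Added example: per-account throttle for failed logins. State is held in
// process memory (assumption: one web server); a web farm would need a
// shared store. Limits below are illustrative, not recommended values.
public class LoginThrottle
{
    private const int MaxFailures = 5;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(15);

    private readonly object _sync = new object();
    private readonly Dictionary<string, List<DateTime>> _failures =
        new Dictionary<string, List<DateTime>>(StringComparer.OrdinalIgnoreCase);
    private readonly Func<DateTime> _now;

    public LoginThrottle() : this(() => DateTime.UtcNow) { }

    // Injectable clock so the window logic can be unit tested without waiting.
    public LoginThrottle(Func<DateTime> clock) { _now = clock; }

    // True when this account has reached the failure limit inside the window.
    public bool IsLockedOut(string userName)
    {
        lock (_sync)
        {
            Prune(userName);
            List<DateTime> list;
            return _failures.TryGetValue(userName, out list) && list.Count >= MaxFailures;
        }
    }

    public void RecordFailure(string userName)
    {
        lock (_sync)
        {
            List<DateTime> list;
            if (!_failures.TryGetValue(userName, out list))
            {
                list = new List<DateTime>();
                _failures[userName] = list;
            }
            list.Add(_now());
        }
    }

    // A successful login clears the account's failure history.
    public void Reset(string userName)
    {
        lock (_sync) { _failures.Remove(userName); }
    }

    // Drop failures older than the window so old mistakes do not accumulate.
    private void Prune(string userName)
    {
        List<DateTime> list;
        if (!_failures.TryGetValue(userName, out list)) return;
        DateTime cutoff = _now() - Window;
        list.RemoveAll(t => t < cutoff);
        if (list.Count == 0) _failures.Remove(userName);
    }
}

// How a controller action would use it: refuse the attempt before the
// provider (and the database) is touched at all.
public static class LoginHelper
{
    private static readonly LoginThrottle Throttle = new LoginThrottle();

    public static bool TryLogin(string userName, string password)
    {
        if (Throttle.IsLockedOut(userName)) return false;
        bool ok = Membership.ValidateUser(userName, password);
        if (ok) Throttle.Reset(userName); else Throttle.RecordFailure(userName);
        return ok;
    }
}
```

On the question of whether the standard provider already does this: SqlMembershipProvider locks an account after maxInvalidPasswordAttempts failures within passwordAttemptWindow minutes (both set on the provider element in web.config), and MembershipUser.IsLockedOut / UnlockUser expose the state. A wrapper like the one above is still useful when you want to stop attempts before they reach the database, or when your provider does not implement lockout.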