Secure ASP.NET coding practice for three most critical vulnerabilities in Web Application
www.ivizsecurity.com
Somnath Guha Neogi (OSCP, CNSM)
Introduction: ASP.NET provides several useful security controls, but these need to be understood properly and used wisely. Failing to use the ASP.NET functions properly results in an insecure web application. ASP.NET therefore does not exempt the programmer from following coding standards and procedures in order to write safe and secure application code.
In this paper we discuss the code-level mitigation for the three most frequently found vulnerabilities:
Cross Site Scripting
SQL Injection
Information Leakage
Cross Site Scripting: An application is vulnerable to Cross Site Scripting if user input is embedded in the HTML response without passing through any validation or output encoding. Let's take a look at a vulnerable chunk of code:
<%@ Page Language="C#" ValidateRequest="false" %>
<script runat="server">
void buttonsubmit_Click(Object sender, EventArgs e)
{
    // Unvalidated, unencoded user input is written straight into the response
    Response.Write(comment.Text);
}
</script>
<form runat="server">
<asp:TextBox ID="comment" runat="server" />
<asp:Button runat="server" OnClick="buttonsubmit_Click" Text="SubmitComment" />
</form>
Now an attacker can send a malicious request with embedded JavaScript through the comment textbox, and it will be executed in the client's browser. To see that this is possible, feed the above page a comment containing a script element: the page writes it back into the response unchanged, so the browser treats it as markup rather than as text.
This type of script injection attack can be mitigated with a two-tier approach. User input validation forms the first tier, and HTML encoding of outgoing user data forms the second. Start by assuming that all user input is malicious. To safely allow a restricted subset of HTML in the input, developers should take the following three steps:
a) Add the ValidateRequest="false" attribute to the @ Page directive to disable ASP.NET request validation for that page only. Request validation rejects any input that looks like markup, so it has to be turned off to accept HTML at all; leave it enabled on every page that does not need HTML input. On ASP.NET 4.0 and later the page-level setting only takes effect if web.config also sets <httpRuntime requestValidationMode="2.0" />.
b) Encode the whole input string with HttpUtility.HtmlEncode, so that every character that could open a tag is rendered as text.
c) Apply a white list: load the encoded string into a StringBuilder and call its Replace method to selectively undo the encoding for only the HTML elements you want to permit.
The following .aspx code depicts this as an example.
<%@ Page Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="System.Text" %>
<script runat="server">
void submitbutton_Click(object sender, EventArgs e)
{
    // Encode everything first, so no part of the input reaches the response as markup
    StringBuilder stringbuilder1 = new StringBuilder(
        HttpUtility.HtmlEncode(Txt1.Text));
    // Selectively allow <b> and <i> by restoring only those exact tags
    stringbuilder1.Replace("&lt;b&gt;", "<b>");
    stringbuilder1.Replace("&lt;/b&gt;", "</b>");
    stringbuilder1.Replace("&lt;i&gt;", "<i>");
    stringbuilder1.Replace("&lt;/i&gt;", "</i>");
    Response.Write(stringbuilder1.ToString());
}
</script>
<form runat="server">
<asp:TextBox ID="Txt1" runat="server" TextMode="MultiLine" Width="318px"
    Height="168px"></asp:TextBox>
<asp:Button runat="server" Text="Submit" OnClick="submitbutton_Click" />
</form>
The above .aspx page code shows this approach. The page disables ASP.NET request validation by setting ValidateRequest="false". It HTML-encodes the input and then selectively allows the <b> and <i> HTML elements to support simple text formatting. This is safe only because <b> and <i> take no attributes: a tag written with an attribute (for example an event handler) or in a different case does not match the exact encoded string and therefore stays encoded, so the Replace technique must not be extended to elements such as <a> or <img> whose attributes would need validating.
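As an added example that is not part of the original paper, the following console program generalises the encode-then-selectively-allow approach above to an allow list of tag names (here b and i, as in the paper) and runs it over a few constructed inputs, including a script element and a tag carrying an event-handler attribute. It uses System.Net.WebUtility.HtmlEncode so that it runs outside ASP.NET; inside a page, HttpUtility.HtmlEncode behaves the same for the characters that matter here. The class and method names are chosen for this example and are not from the paper.

```csharp
// Added example (not from the paper): the paper's encode-then-selectively-allow
// technique, generalised to an allow list of attribute-free tag names.
using System;
using System.Net;
using System.Text;

static class RestrictedHtml
{
    // Tags we are willing to re-enable. They must take no attributes, because the
    // Replace step below only restores the bare "<tag>" and "</tag>" forms.
    static readonly string[] AllowedTags = { "b", "i" };

    public static string Sanitize(string userInput)
    {
        // Step 1: encode everything. After this line the text contains no raw
        // '<', '>', '&', '"' or '\'' characters, so it cannot introduce markup.
        var sb = new StringBuilder(WebUtility.HtmlEncode(userInput));

        // Step 2: selectively restore only the allowed tags. Because the input was
        // encoded first, "&lt;b&gt;" can only have come from a literal "<b>" typed
        // by the user; "<b onmouseover=...>" or "<B>" do not match and stay encoded.
        foreach (var tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample inputs, not taken from any real request.
        string[] samples =
        {
            "<b>bold</b> and <i>italic</i> text",
            "<script>alert(document.cookie)</script>",
            "<b onmouseover=\"alert(1)\">attribute is not allowed</b>",
            "<B>upper case stays encoded, which is visible but harmless</B>"
        };

        foreach (var s in samples)
        {
            Console.WriteLine("input : " + s);
            Console.WriteLine("output: " + Sanitize(s));
            Console.WriteLine();
        }
    }
}
```

The matching is deliberately exact and case-sensitive: anything that is not precisely an allowed opening or closing tag is left encoded, so the failure mode is a visibly escaped tag rather than executed script. A stray restored closing tag (the third sample) is harmless because it carries no attributes.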
The second tier is output encoding: encode user data at the point where it is written into the response, so that any HTML special characters it contains are rendered as literal text instead of being interpreted as markup. This holds even if the input was validated earlier, so the two tiers back each other up.
Response.Write(HttpUtility.HtmlEncode(Request.Form["text"]));
Or, when user input is placed into a URL that is sent to the client (for example a query-string value), use URL encoding for that value:
Response.Write(HttpUtility.UrlEncode(urlString));
UrlEncode is appropriate only for the URL context; it is not a substitute for HtmlEncode where the value ends up in HTML body text.
As a result, the malicious input in the HTML response stream will look like this:
This ultimately prevents the browser from executing the JavaScript code, because no HTML
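As an added example that is not part of the original paper, the following console program shows the second tier applied by context: the same untrusted value is written as HTML body text, as a quoted attribute value and as a URL query-string parameter, each with the encoder that fits that context. It uses System.Net.WebUtility so that it runs outside ASP.NET; the page name search.aspx and the method names are assumptions for this example, not from the paper.

```csharp
// Added example (not from the paper): output encoding chosen by the context the
// untrusted data is written into (HTML text, HTML attribute, URL query string).
using System;
using System.Net;

static class OutputEncoding
{
    // Renders a link whose href and link text both carry an untrusted query.
    // "search.aspx" is a hypothetical page name chosen for this example.
    public static string RenderLink(string untrustedQuery)
    {
        // URL context: the value is a query-string parameter, so URL-encode it.
        // UrlEncode is correct only here; it is not a replacement for HtmlEncode.
        string href = "search.aspx?q=" + WebUtility.UrlEncode(untrustedQuery);

        // HTML contexts: HtmlEncode turns '<', '>', '&', '"' and '\'' into
        // entities, so the value can neither close the quoted attribute nor
        // start a tag. The href is HTML-encoded too because it sits in an
        // attribute. Attributes must always be quoted for this to hold.
        return "<a href=\"" + WebUtility.HtmlEncode(href) + "\">"
             + WebUtility.HtmlEncode(untrustedQuery) + "</a>";
    }

    static void Main()
    {
        // Constructed attack-style input that tries to break out of the
        // attribute and the element; not taken from any real request.
        string payload = "\"><script>alert(1)</script>";
        Console.WriteLine(RenderLink(payload));
        Console.WriteLine(RenderLink("asp.net & security"));
    }
}
```

Inside ASP.NET the equivalents are HttpUtility.HtmlEncode and HttpUtility.UrlEncode as used in the paper, and HttpUtility.HtmlAttributeEncode exists specifically for attribute values. None of these encoders make data safe inside a script block or an inline event handler; that is a different context and needs a JavaScript-string encoder, not HTML or URL encoding.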