Securing ASP.NET MVC Application Checklist

Tag: Backend
轻奢々, 2021-02-02 03:14

I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvi

4 answers
  • 2021-02-02 03:51
    1. As always, make sure you properly encode output - notice that I am here saying encode and not HtmlEncode. If you're outputting content out to HTML then you want to use Html.Encode - however if you're outputting to JavaScript then you want to use a JavaScript encode function. - This will help you against Cross Site Scripting (XSS)
    2. Use the helpers that help against CSRF attacks where needed (or maybe just everywhere)
    3. Depending how you access your data storage, if it's a SQL Database, remember to protect yourself against SQL injections, either through parameterized queries, stored procedures, LINQ or what have you.
    4. When you test - make sure your test data contains dodgy output (stuff where a failure to call Html.Encode would reveal itself easily, perhaps through <script type="text/javascript">alert("XSS attack!");</script>XSS here!, same goes for stuff that's injected into JavaScript, make mistakes show up!)
    5. When model binding use a whitelisting approach for properties so users cannot make the binder bind properties that are not intended to be bound!
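The points about context-aware encoding, parameterized queries and whitelisted model binding, as an added example that is not part of the original answer. It assumes ASP.NET MVC 5 (`System.Web.Mvc`) and `System.Data.SqlClient`; the `Product` model, `ProductsController` and the table name are hypothetical, and the connection string is a placeholder.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC 5 and
// System.Data.SqlClient; Product, ProductsController and the Products table are hypothetical.
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public bool IsApproved { get; set; }   // server-side decision; must never come from the client
}

public class ProductsController : Controller
{
    // Placeholder; real value comes from configuration, not source code.
    private const string ConnectionString = "<connection-string-placeholder>";

    // Point 3: user input travels as a typed parameter, never concatenated into the SQL text.
    public ActionResult Search(string term)
    {
        var names = new List<string>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("SELECT Name FROM Products WHERE Name LIKE @term", conn))
        {
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 100).Value = "%" + term + "%";
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        ViewBag.Term = term;   // the view renders this with @ViewBag.Term (auto-encoded) or Html.Encode
        return View(names);
    }

    // Point 5: whitelist the bindable properties. A posted "IsApproved=true" field is ignored
    // because only Name is in the Include list (Exclude="Id,IsApproved" is the blacklist form).
    [HttpPost]
    public ActionResult Create([Bind(Include = "Name")] Product product)
    {
        if (!ModelState.IsValid)
            return View(product);
        product.IsApproved = false;   // set by the server, not by the request
        // ... persist product via a parameterized INSERT as in Search() ...
        return RedirectToAction("Index");
    }

    // Point 1: encode for the context the value lands in, not just "HtmlEncode everything".
    // HTML body/attribute context:
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // JavaScript string-literal context (e.g. var name = <here>;): escapes quotes, backslashes,
    // line breaks and '<' so a value cannot break out of the literal or close a <script> block.
    public static string ForJavaScript(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value, addDoubleQuotes: true);
    }
}
```

`ForJavaScript` returns the value already wrapped in double quotes, so it is emitted as a complete JavaScript literal; using `ForHtml` inside a `<script>` block would leave a `</script>` in the data able to terminate the block, which is the distinction the answer's first point makes.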
  • 2021-02-02 03:52

    Don't use the default GET on actions unless absolutely necessary. For example, if you have a DeleteUser action that doesn't have an [AcceptVerbs(HttpVerbs.Post)] on it, it can be called via

    <img src="http://yoursite/admin/DeleteUser/1" /> 
    

    Which will get called by whomever "views" the image.

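The unrestricted action described above beside its hardened form, as an added example that is not part of the original answer. It assumes ASP.NET MVC 5 (`System.Web.Mvc`); `AdminController`, `VulnerableAdminController` and `IUserRepository` are hypothetical names.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC 5;
// the controllers and IUserRepository are hypothetical.
using System.Web.Mvc;

public interface IUserRepository
{
    void Delete(int id);
}

// Before: no verb restriction, so a plain GET /admin/DeleteUser/1 performs the deletion.
// Anything that makes the victim's browser request that URL while logged in (an <img> tag,
// a link, a prefetch) triggers it, with the victim's auth cookie attached automatically.
public class VulnerableAdminController : Controller
{
    private readonly IUserRepository _users;
    public VulnerableAdminController(IUserRepository users) { _users = users; }

    [Authorize(Roles = "Admin")]
    public ActionResult DeleteUser(int id)
    {
        _users.Delete(id);
        return RedirectToAction("Index");
    }
}

// After: GET only renders a confirmation page and changes nothing; the state change is
// confined to POST, and the POST must carry the anti-forgery token the confirmation form
// emits via @Html.AntiForgeryToken(), which an <img> or cross-site form cannot supply.
public class AdminController : Controller
{
    private readonly IUserRepository _users;
    public AdminController(IUserRepository users) { _users = users; }

    [HttpGet]
    [Authorize(Roles = "Admin")]
    public ActionResult DeleteUser(int id)
    {
        return View(id);   // "Really delete user {id}?" with a POST form
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Admin")]
    [ActionName("DeleteUser")]
    public ActionResult DeleteUserConfirmed(int id)
    {
        _users.Delete(id);
        return RedirectToAction("Index");
    }
}
```

`[HttpPost]` is the MVC 2+ shorthand for `[AcceptVerbs(HttpVerbs.Post)]` mentioned in the answer. Restricting the verb alone stops the `<img>` trick but not a cross-site auto-submitting form, which is why the POST handler also carries `[ValidateAntiForgeryToken]`.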
  • 2021-02-02 04:12

    I kinda do the following:

    1. Separate my concerns. Admin in admin folder etc.
    2. [Authorize] on all actions that require you to be logged in.
    3. Html.Encode all data entry fields.
    4. ActionResult Create([Bind(Prefix = "", Exclude = "id")]MyModel newModelObject) <== exclude IDs that can be used in an attack

    Other than that...

  • 2021-02-02 04:17

    The below are general ASP.NET measures:

    1. Set Debug=false in web.config
    2. Turn on custom errors
    3. Encrypt your cookies
    4. Validate all inputs
    5. Enable Request Validation
    6. Encode your output
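A web.config fragment mapping the configuration items in this list (debug off, custom errors, cookie protection, request validation) to their ASP.NET settings, as an added example that is not part of the original answer. Points 4 and 6 (input validation and output encoding) are code-level and have no config switch. The login URL and error path are hypothetical.

```xml
<!-- Added example, not from the original answer. Hardened values shown;
     ~/Account/Login and ~/Error are hypothetical paths. -->
<configuration>
  <system.web>
    <!-- 1. Debug=false: no debug build or verbose diagnostics served in production -->
    <compilation debug="false" />

    <!-- 2. Custom errors: remote clients get the error page, not stack traces;
            developers on the server itself still see details -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error" />

    <!-- 3. Cookies: forms-auth ticket encrypted and signed (protection="All"),
            auth cookie only over HTTPS; all cookies HttpOnly and Secure -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login" protection="All" requireSSL="true" timeout="30" />
    </authentication>
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- 5. Request validation: reject input that looks like HTML/script.
            Must not be disabled globally; opt out per action with [ValidateInput(false)]
            only where rich input is genuinely required, and encode it on output -->
    <pages validateRequest="true" />
    <httpRuntime requestValidationMode="4.5" />
  </system.web>
</configuration>
```

`customErrors mode="On"` hides details from local requests as well; `RemoteOnly` is the usual production choice. Request validation is a safety net for point 6, not a substitute for it, since it does not cover every output context (JavaScript, URLs, attributes).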