I would like to secure an ASP.NET web application against hacking. Is there a list of ASP.NET-specific tasks, specifically coding-wise, to make an ASP.NET application more secure, beyond what is mentioned on MSDN? I am interested in specific steps with code examples on ways to avoid cross-site request forgery and cross-site scripting.
I know about using SQL parameters against SQL injection, Windows authentication when connecting to SQL Server, and validating form input on the server.
From Microsoft:
http://msdn.microsoft.com/en-us/library/ms998249.aspx
A more detailed checklist:
http://technotes.towardsjob.com/dotnet/asp-net-developers-checklist-security-checklist/
Top Ten Security Threats
How To: Prevent Cross-Site Scripting in ASP.NET
How To: Protect From Injection Attacks in ASP.NET
How To: Protect From SQL Injection in ASP.NET
How To: Use Regular Expressions to Constrain Input in ASP.NET
After reading the above articles,
I summarized ways of prevention using ASP.NET technologies and Entity Framework.
Injection Compliance
-Enable ASP.NET request validation in the ASP.NET web.config file.
-Turn on custom error mode in the ASP.NET web.config file.
-Use server-side input validation controls to constrain inputs.
-Validate length, range, format and type for every input to the system.
-Use strong data typing.
-Encode every free-text field and unsafe output using HttpUtility.HtmlEncode.
-Validate file paths using System.IO.Path.GetFileName and System.IO.Path.GetFullPath.
-Use Request.MapPath to map a supplied virtual path to a physical path on the server.
-Prevent SQL injection attack by using Linq to Entities query syntax.
Broken Authentication and Session Management Compliance
-Use salted hash method for user's sensitive data.
-Use SSL/TLS protocol for every credentials data.
-Define session timeout properly.
Cross-Site Scripting (XSS) Compliance
-Use regular expressions to constrain critical input fields in ASP.NET.
-Use ASP.NET RegularExpressionValidator and RangeValidator to constrain server-side input controls.
-Encode every input from the user or from other sources such as databases.
Insecure Direct Object References Compliance
-Give only specific users/groups access to your project and its related folders.
Security Misconfiguration Compliance
-Show only custom error message to user.
Sensitive Data Exposure Compliance
-Use modern cryptographic algorithms to encrypt all sensitive data.
Missing Function Level Access Control Compliance
-Make sure that your system menu and program list are populated based on the user's authorization level.
-Make sure that your system checks, before responding to a user request, whether it is valid for him/her.
Cross-Site Request Forgery (CSRF) Compliance
-Use a CAPTCHA image to ensure that the request is not generated by a computer.
-Use a CSRF token to ensure that the specific page which sent request(s) to your server was created only by your server.
Using Known Vulnerable Components Compliance
-Always keep components/libraries updated.
Unvalidated Redirects and Forwards Compliance
-Make sure that your system always checks whether a URL and its parameters are valid before redirecting to it.
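The CSRF-token, output-encoding and path-validation items in the checklist above, as an added C# example that is not from the question or from any of the answers: a per-session anti-forgery token for a classic ASP.NET (System.Web) Web Forms page, HttpUtility.HtmlEncode applied on the way out, and a GetFileName/GetFullPath/Request.MapPath check that keeps a user-supplied file name inside one folder. The class, control and session-key names (AntiCsrf, SafePaths, CommentPage, CsrfField, CommentBox, Output, __csrfToken), the upload folder ~/App_Data/uploads, and the .aspx markup that declares those controls are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Per-session anti-CSRF token (checklist item "Use a CSRF token").
public static class AntiCsrf
{
    private const string SessionKey = "__csrfToken"; // assumed session key name

    // Issue one random token per session and reuse it for the session's lifetime.
    public static string GetToken(HttpContext ctx)
    {
        var token = ctx.Session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            ctx.Session[SessionKey] = token;
        }
        return token;
    }

    // A POST is accepted only if the submitted value matches the session token.
    public static bool IsValid(HttpContext ctx, string supplied)
    {
        var expected = ctx.Session[SessionKey] as string;
        if (expected == null || supplied == null) return false;
        return FixedTimeEquals(expected, supplied);
    }

    // Compare every character so response time does not depend on how much of the token matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Keep a user-supplied file name inside one folder
// (checklist items Path.GetFileName, Path.GetFullPath, Request.MapPath).
public static class SafePaths
{
    public static string ResolveUpload(HttpContext ctx, string userSupplied)
    {
        string root = Path.GetFullPath(ctx.Request.MapPath("~/App_Data/uploads")); // assumed folder
        string name = Path.GetFileName(userSupplied ?? string.Empty);              // drops any directory part
        if (name.Length == 0 || name == "." || name == "..")
            throw new UnauthorizedAccessException("Invalid file name.");
        string full = Path.GetFullPath(Path.Combine(root, name));
        // Canonicalise and re-check rather than trusting GetFileName alone.
        if (!full.StartsWith(root + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the upload folder.");
        return full;
    }
}

// Code-behind for a Web Forms page (AutoEventWireup="true" assumed). The .aspx,
// assumed and not shown, declares <asp:HiddenField ID="CsrfField">,
// <asp:TextBox ID="CommentBox"> and <asp:Literal ID="Output"> inside
// <form runat="server"> and wires the submit button's OnClick to Submit_Click.
public class CommentPage : Page
{
    protected HiddenField CsrfField;
    protected TextBox CommentBox;
    protected Literal Output;

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // The token is rendered into this site's own form; a page on another
            // origin can make the browser submit the form, but cannot read the value.
            CsrfField.Value = AntiCsrf.GetToken(Context);
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Read the token from the request itself, not from view state.
        string supplied = Request.Form[CsrfField.UniqueID];
        if (!AntiCsrf.IsValid(Context, supplied))
        {
            Response.Clear();
            Response.StatusCode = 403;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        // Output encoding (checklist item HttpUtility.HtmlEncode): the comment is
        // written as HTML text, so markup typed into it renders literally.
        Output.Text = HttpUtility.HtmlEncode(CommentBox.Text);
    }
}
```

On ASP.NET MVC the framework's own Html.AntiForgeryToken() helper and [ValidateAntiForgeryToken] attribute do the token work, so the hand-rolled AntiCsrf class is only needed on Web Forms. A per-session token with a constant-time comparison is sufficient as long as the session cookie itself travels only over TLS, which is the checklist's SSL/TLS item; if the session can be read over plain HTTP, the token goes with it.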
The OWASP (Open Web Application Security Project) has a convenient list of the top 10 Web Application vulnerabilities: http://www.owasp.org/index.php/Top_10_2007
Here is a Microsoft Anti-Cross Site Scripting Library 1.5 tutorial: http://msdn.microsoft.com/en-us/library/aa973813.aspx
Here's a very informative, although not very well-known security resource, the ASP.NET 2.0 Internet Secure Reference Implementation - basically Patterns & Practices: http://code.msdn.microsoft.com/ASPNETv2RefImp
Last but not least, here's a video on the Architecture Behind CAT.NET: http://channel9.msdn.com/posts/Jossie/Architecture-behind-CATNET/
Download the latest build of the CAT.NET tool here (32 and 64 bit): http://bit.ly/164BlV