Securing ASP.NET MVC Application Checklist

I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvious and well known issues when deploying a website.

Thanks.

Lukasz asked Jul 22 '09 22:07


2 Answers

  1. As always, make sure you properly encode output - notice that I am here saying encode and not HtmlEncode. If you're outputting content out to HTML then you want to use Html.Encode - however if you're outputting to JavaScript then you want to use a JavaScript encode function. - This will help you against Cross Site Scripting (XSS)
  2. Use the helpers that help against CSRF attacks where needed (or maybe just everywhere)
  3. Depending how you access your data storage, if it's a SQL Database, remember to protect yourself against SQL injections, either through parameterized queries, stored procedures, LINQ or what have you.
  4. When you test - make sure your test data contains dodgy output (stuff where a failure to call Html.Encode would reveal itself easily, perhaps through <script type="text/javascript">alert("XSS attack!");</script>XSS here!, same goes for stuff that's injected into JavaScript, make mistakes show up!)
  5. When model binding use a whitelisting approach for properties so users cannot make the binder bind properties that are not intended to be bound!
kastermester answered Oct 19 '22 23:10
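Items 1 and 4 of the answer above, as an added example that is not part of kastermester's answer or of ASP.NET MVC's own code. It runs the same "dodgy" test values through the encoder that fits an HTML context and the one that fits a JavaScript string context, and shows the check a test suite could apply to the encoded output. The sample strings are constructed for the example, and the helper names (ForHtml, ForJavaScript, IsSafeForHtml, IsSafeForJavaScript) are mine; the two HttpUtility encoders are the real System.Web ones (Html.Encode in a view wraps HttpUtility.HtmlEncode, and JavaScriptStringEncode exists from .NET 4.0 onward and on .NET Core).

```csharp
// Added example: context-aware output encoding of untrusted values.
// Not code from the original answer or from the ASP.NET MVC framework.
using System;
using System.Web;

public static class OutputEncodingDemo
{
    // Constructed test values in the spirit of item 4: a missing or wrong
    // encoder makes itself visible as soon as the page renders.
    public static readonly string[] DodgySamples =
    {
        "<script type=\"text/javascript\">alert(\"XSS attack!\");</script>XSS here!",
        "\"; alert('broke out of the string'); //",
    };

    // HTML body or attribute context, e.g.  <td><%= Html.Encode(Model.Name) %></td>
    public static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // JavaScript string-literal context, e.g.  var name = "<%= ForJavaScript(Model.Name) %>";
    // Quotes and backslashes are escaped with a backslash, control characters and
    // < > & ' as \uXXXX, so the value can neither end the string literal nor the
    // enclosing <script> element. Using Html.Encode here would instead leave
    // &quot; and &lt; in the JavaScript source: wrong data, not just ugly data.
    public static string ForJavaScript(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted);
    }

    // Self-check for the HTML context: no raw tag or attribute delimiters survive.
    public static bool IsSafeForHtml(string encoded)
    {
        return encoded.IndexOf('<') < 0 && encoded.IndexOf('>') < 0 && encoded.IndexOf('"') < 0;
    }

    // Self-check for the JS string context: every quote must be backslash-escaped,
    // and no raw '<' or line terminator may remain (those would close the literal,
    // the line, or the <script> element).
    public static bool IsSafeForJavaScript(string encoded)
    {
        for (int i = 0; i < encoded.Length; i++)
        {
            char c = encoded[i];
            if (c == '\\') { i++; continue; }   // escape sequence: skip the escaped char
            if (c == '"' || c == '<' || c == '\n' || c == '\r' || c == '\u2028' || c == '\u2029')
                return false;
        }
        return true;
    }

    public static void Main()
    {
        foreach (string sample in DodgySamples)
        {
            string html = ForHtml(sample);
            string js = ForJavaScript(sample);
            Console.WriteLine("HTML : " + html + "   safe=" + IsSafeForHtml(html));
            Console.WriteLine("JS   : " + js + "   safe=" + IsSafeForJavaScript(js));
            // The mismatch the answer warns about: HtmlEncode output dropped into a
            // script block is no longer the original value.
            Console.WriteLine("HtmlEncode reused in JS context keeps the data intact? " + (html == sample));
        }
    }
}
```

Compile with a reference to System.Web (on .NET Framework) or as a plain console project on .NET Core; both encoded forms of the first sample should print with the `<script>` tag neutralised, the HTML form as `&lt;script ...&gt;` and the JavaScript form as `\u003cscript ...\u003e`, and the last line should print `False` for both samples.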


I kinda do the following:

  1. Separate my concerns. Admin in admin folder etc.
  2. [Authorize] on all actions that require you to be logged in.
  3. Html.Encode all data entry fields.
  4. ActionResult Create([Bind(Prefix = "", Exclude = "id")]MyModel newModelObject) <== exclude IDs that can be used in an attack

Other than that...

griegs answered Oct 19 '22 21:10
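One controller that applies items 2, 3 and 5 of the first answer together with items 2 and 4 of the second, as an added example that is not code from either answer or from the ASP.NET MVC framework. The Article model, the AdminArticlesController, the `ArticlesConnection` connection string and the `Articles` table with Id/Title/Body/IsApproved columns are all assumptions made for the example; the attributes ([Authorize], [HttpPost], [ValidateAntiForgeryToken], [Bind(Include = ...)], [Required]) and Html.AntiForgeryToken() are the real System.Web.Mvc / DataAnnotations ones. Where griegs excludes the id with Bind(Exclude), this version uses the whitelist form from the first answer's item 5, so a property added to the model later is not bindable by accident.

```csharp
// Added example: [Authorize], anti-forgery token, whitelist model binding and a
// parameterized query in one ASP.NET MVC controller. Not code from the answers
// above or from the framework; model, table and connection string are assumed.
using System.ComponentModel.DataAnnotations;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Mvc;

public class Article
{
    public int Id { get; set; }            // assigned by the database, never bound from the request
    [Required] public string Title { get; set; }
    [Required] public string Body { get; set; }
    public bool IsApproved { get; set; }   // set by moderators, never bound from the request
}

[Authorize(Roles = "Admin")]               // every action here needs an authenticated admin (item 2 of griegs' list)
public class AdminArticlesController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // GET /AdminArticles/Create renders a form that carries the token:
    //   <% using (Html.BeginForm()) { %>
    //       <%= Html.AntiForgeryToken() %>
    //       <%= Html.TextBox("Title") %>  <%= Html.TextArea("Body") %>
    //       <input type="submit" value="Create" />
    //   <% } %>
    public ActionResult Create()
    {
        return View(new Article());
    }

    // POST /AdminArticles/Create
    [HttpPost]
    [ValidateAntiForgeryToken]             // posts without a matching token are rejected (CSRF helper, first answer item 2)
    public ActionResult Create([Bind(Include = "Title,Body")] Article article)   // whitelist: Id and IsApproved cannot be set by the client
    {
        if (!ModelState.IsValid)           // [Required] failures come back to the form
        {
            return View(article);
        }

        // Parameterized insert (first answer item 3): the values travel as typed
        // parameters, never as SQL text, so quotes or keywords in Title or Body
        // are stored as plain data.
        string connectionString =
            ConfigurationManager.ConnectionStrings["ArticlesConnection"].ConnectionString;   // assumed web.config entry
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(
            "INSERT INTO Articles (Title, Body, IsApproved) VALUES (@title, @body, 0)", connection))
        {
            command.Parameters.Add("@title", SqlDbType.NVarChar, 200).Value = article.Title;
            command.Parameters.Add("@body", SqlDbType.NVarChar, -1).Value = article.Body;   // -1 = nvarchar(max)
            connection.Open();
            command.ExecuteNonQuery();
        }

        return RedirectToAction("Index");
    }
}
```

A request that posts `Id=42` or `IsApproved=true` alongside Title and Body is silently ignored by the binder because those names are not in the Include list, a post without the anti-forgery cookie/field pair gets an HttpAntiForgeryException before the action runs, and an unauthenticated request is redirected to the login page by [Authorize] before any of it is reached.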