Hacking the Code ASP.NET Web Application Security [Electronic resources] نسخه متنی

Coding Standards Fast Track

Handling Malicious Input

Identifying Input Sources

Always identify any source of user input, including all references to the Request object.

Carefully identify other indirect or less obvious sources of input.

Programming Defensively

Always assign filtered user input to variables to distinguish it from the raw data.

When using VB.NET, use Option Explicit and Option Strict.

Use centralized filtering functions on all user input.

Never use the generic Request collection when gathering user input.

Constraining Input

Bounds Checking

Use validator controls to validate form input if a page posts back to itself.

Never rely on client-side validation for security.

Pattern Matching

Use regular expressions either to block known bad data or allow only known good data.

Use regular expressions to identify malicious keywords or other patterns.

Data Reflecting

Reflect data using trusted system functions to prevent attacks such as directory traversal.

Always work with the reflected path in subsequent operations.

Encoding Data

Use HtmlEncode to encode a string for browser output.

Use UrlEncode to encode a URL string for output.

Use UrlPathEncode to encode the path portion of a URL for output.

Encapsulating

Use hashes to encapsulate data for safe handling.

Convert hashes to hex values to create safe alphanumeric strings.

Parameterizing

Use parameterizing to fix the context and scope of user data.

Combine parameterization with other techniques to prevent directory traversal.

Double Decoding

Use double decoding to detect multiple layers of encoding.

Reject all requests that contain more than one layer of encoding.

Syntax Checking

Check the final syntax of any string that is based on user input to be sure it matches the expected format.

Exception Handling

Take advantage of the robust error handling features in ASP.NET.

Check return results to be sure they are consistent with what you expected.

Honey Drops

Use honey drops in your database to detect SQL injection attacks.

Use honey drops in your file system to detect file system access.

Use honey drops in your source code to detect server-side code access.

Limiting Exposure to Malicious Input

Reducing the Attack Surface

Reduce the attack surface of the application to limit exposure to hackers.

Don’t show query string parameters if you do not use them in a particular context.

Remove testing, debug, and dead code from production applications.

If possible, use static content in application demos.

Limit access to administration or other private modules.

Remove sample code and programs from production servers.

Avoid or carefully audit third-party components.

Limiting Attack Scope

Use the principle of least privilege to limit the access of Web users.

Avoid storing passwords, private comments, or other sensitive information in server-side code.

Hardening Server Applications

Use the MaxRequestEntityAllowed and AspMaxRequestEntityAllowed metabase settings to limit overall length of a request.

Use the MaxFieldLength, MaxRequestBytes, UrlSegmentMaxLength, and UrlSegmentMaxCount registry settings to limit the length of specific parts of a request.

Use the EnableNonUTF8 and PercentUAllowed registry keys to limit valid characters in a request.