Coding Standards Fast Track
Handling Malicious Input
Identifying Input Sources
Always identify any source of user input, including all references to the Request object.
Carefully identify other indirect or less obvious sources of input.
Programming Defensively
Always assign filtered user input to variables to distinguish it from the raw data.
When using VB.NET, use Option Explicit and Option Strict.
Use centralized filtering functions on all user input.
Never use the generic Request collection when gathering user input.
Constraining Input
Bounds Checking
Use validator controls to validate form input if a page posts back to itself.
Never rely on client-side validation for security.
Pattern Matching
Use regular expressions either to block known bad data or allow only known good data.
Use regular expressions to identify malicious keywords or other patterns.
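The defensive-programming and input-constraining rules above, as an added example that is not from the original text. It is written for ASP.NET Web Forms on the .NET Framework; the class name InputFilter, the field names "username" and "page", and the patterns and limits are assumptions for illustration.

```csharp
// Added example: a centralized filter that reads each value from the
// specific Request collection it arrives in, validates it against an
// allow-list or a numeric range, and hands back a value the page keeps
// in its own variable so raw Request data never reaches business logic.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class InputFilter
{
    // Allow-list: only known-good characters and a bounded length pass.
    private static readonly Regex UserName =
        new Regex(@"^[A-Za-z0-9_]{1,32}$", RegexOptions.Compiled);

    // Read from Request.Form explicitly. The generic Request["username"]
    // indexer would also search QueryString, Cookies and ServerVariables,
    // letting an attacker pick the source you least expect.
    public static string GetUserName(HttpRequest request)
    {
        string raw = request.Form["username"];        // untrusted
        if (raw == null || !UserName.IsMatch(raw))
            throw new ArgumentException("username failed validation");
        return raw;                                   // validated copy
    }

    // Bounds check: parse strictly, then enforce the expected range.
    public static int GetPageIndex(HttpRequest request, int maxPage)
    {
        string raw = request.QueryString["page"];     // untrusted
        int page;
        if (raw == null || !int.TryParse(raw, out page) || page < 0 || page > maxPage)
            throw new ArgumentException("page index out of bounds");
        return page;
    }
}

// Page code-behind (assumed page name). Filtered values get their own
// variables, distinct from anything read off the Request object.
public partial class Search : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;
        string safeUserName = InputFilter.GetUserName(Request);
        int safePage = InputFilter.GetPageIndex(Request, maxPage: 100);
        // Only safeUserName and safePage are used from here on.
    }
}
```

Throwing on bad input is a design choice: the page's own error handling turns it into a generic error response, and the exception message never echoes the rejected value back to the client.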
Data Reflecting
Reflect data using trusted system functions to prevent attacks such as directory traversal.
Always work with the reflected path in subsequent operations.
Encoding Data
Use HtmlEncode to encode a string for browser output.
Use UrlEncode to encode a URL string for output.
Use UrlPathEncode to encode the path portion of a URL for output.
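An added example of the three encoders in use (not code from the original text): one hyperlink is assembled from two untrusted strings, each encoded for the context it lands in. The method name BuildLink, the "/docs/" prefix and the inputs are assumptions; docName is assumed to have passed the page's validation rules already, since UrlPathEncode deliberately leaves path separators alone.

```csharp
// Added example: context-appropriate output encoding with
// System.Web.HttpUtility on the .NET Framework.
using System.Web;

public static class OutputEncoding
{
    public static string BuildLink(string docName, string searchTerm)
    {
        // Path portion of a URL: UrlPathEncode encodes spaces and non-ASCII
        // characters but keeps '/' so the segment structure survives.
        string path = HttpUtility.UrlPathEncode("/docs/" + docName);

        // Query-string value: UrlEncode encodes '&', '=', '/', '?' and spaces
        // (as '+'), so the value cannot add or overwrite other parameters.
        string query = "q=" + HttpUtility.UrlEncode(searchTerm);

        // The assembled URL is placed in an HTML attribute, so it is
        // HTML-encoded as well (the '&' in the query becomes '&amp;').
        string href = HttpUtility.HtmlEncode(path + "?" + query);

        // Visible link text: HtmlEncode turns < > & " into entities so the
        // browser renders them instead of interpreting them as markup.
        string label = HttpUtility.HtmlEncode(docName);

        return "<a href=\"" + href + "\">" + label + "</a>";
    }
}
```

The point the single method makes is that the same input often crosses more than one context (URL, then HTML attribute, then HTML text) and needs the encoder for each boundary it crosses, not just one of them.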
Encapsulating
Use hashes to encapsulate data for safe handling.
Convert hashes to hex values to create safe alphanumeric strings.
Parameterizing
Use parameterizing to fix the context and scope of user data.
Combine parameterization with other techniques to prevent directory traversal.
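The Data Reflecting, Encapsulating and Parameterizing rules combined in one added example (not from the original text): a user-supplied name is hashed to hex, placed into a directory and extension fixed in code, reflected through Path.GetFullPath and verified before use, and a database lookup passes its value as a typed parameter. The upload directory C:\AppData\Uploads, the Users table and the method names are assumptions.

```csharp
// Added example: encapsulation (hash to hex), parameterization (fixed
// directory, extension and SQL statement) and reflection (canonical path)
// working together on the .NET Framework.
using System;
using System.Data;
using System.Data.SqlClient;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SafeStorage
{
    // Assumed base directory; the user never supplies a path, only a name.
    private static readonly string BaseDir = Path.GetFullPath(@"C:\AppData\Uploads");

    // Encapsulating: the on-disk name is the hex SHA-256 of the user's
    // value, so it contains only [0-9A-F] whatever the input looked like.
    public static string ToHexHash(string userSupplied)
    {
        using (SHA256 sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(userSupplied));
            return BitConverter.ToString(digest).Replace("-", "");
        }
    }

    // Parameterizing + reflecting: directory and extension are fixed here,
    // Path.GetFullPath resolves any ".." or mixed separators, and the
    // reflected result must still sit under BaseDir. Callers use the
    // returned (reflected) path for every later file operation.
    public static string ResolveUploadPath(string userSupplied)
    {
        string candidate = Path.Combine(BaseDir, ToHexHash(userSupplied) + ".dat");
        string reflected = Path.GetFullPath(candidate);
        string prefix = BaseDir + Path.DirectorySeparatorChar;
        if (!reflected.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escaped the upload directory");
        return reflected;
    }

    // Parameterizing for SQL: the value travels as a typed, length-limited
    // parameter and never becomes part of the statement text.
    public static SqlCommand BuildUserLookup(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 32).Value = userName;
        return cmd;
    }
}
```

The StartsWith check is defence in depth: with a hex name it can never fail, but it stays in place so that a later change to how the name is built (say, accepting a user-chosen extension) cannot silently reopen traversal.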
Double Decoding
Use double decoding to detect multiple layers of encoding.
Reject all requests that contain more than one layer of encoding.
Syntax Checking
Check the final syntax of any string that is based on user input to be sure it matches the expected format.
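The Double Decoding and Syntax Checking rules, plus the exception-handling habit of treating any failure as hostile input, as one added example that is not from the original text. The class DecodeGuard and the product-code format "AB-1234" are assumptions.

```csharp
// Added example: detect a second layer of URL encoding and check the final
// syntax of the decoded value, on the .NET Framework.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class DecodeGuard
{
    // Assumed final-form syntax: two upper-case letters, a dash, four digits.
    private static readonly Regex ProductCode =
        new Regex(@"^[A-Z]{2}-[0-9]{4}$", RegexOptions.Compiled);

    // Input: a value as read from Request.QueryString or Request.Form.
    // ASP.NET has already applied one decode at that point, so decoding it
    // once more reveals whether a second layer was present.
    // Returns the value if it is single-encoded and well-formed, else null.
    public static string NormalizeProductCode(string fromRequest)
    {
        if (fromRequest == null) return null;
        try
        {
            string decodedAgain = HttpUtility.UrlDecode(fromRequest);

            // If a further decode changes the string, the client sent at
            // least two encoding layers (e.g. %2527 -> %27 -> '). Reject.
            if (!string.Equals(fromRequest, decodedAgain, StringComparison.Ordinal))
                return null;

            // Syntax check on the final, fully decoded string.
            return ProductCode.IsMatch(fromRequest) ? fromRequest : null;
        }
        catch (Exception)
        {
            // Never let a partially processed value flow on; a decode
            // failure is treated like any other malformed input.
            return null;
        }
    }
}
```

One caveat to plan for: a legitimate literal '%' or '+' in a field also changes under a second decode, so fields that genuinely carry those characters need their own rule rather than the blanket rejection shown here.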
Exception Handling
Take advantage of the robust error handling features in ASP.NET.
Check return results to be sure they are consistent with what you expected.
Honey Drops
Use honey drops in your database to detect SQL injection attacks.
Use honey drops in your file system to detect file system access.
Use honey drops in your source code to detect server-side code access.
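The database and file-system honey drops, as an added example that is not from the original text. The marker user name, the callback signature and the idea of checking every result set for the marker are assumptions about how the detection would be wired in; the code is written for the .NET Framework.

```csharp
// Added example: honey-drop detection for query results and for a decoy
// file that no legitimate code path touches.
using System;
using System.Collections.Generic;
using System.Data;
using System.IO;

public static class HoneyDrops
{
    // Assumed: a row with this user name exists in the Users table but no
    // application query ever selects it on purpose, so a result set that
    // contains it was shaped by an attacker (a tautology in WHERE, say).
    public const string HoneyUserName = "hd_7f3a_never_login";  // constructed marker

    // Drain a reader into a list and report whether the marker came back.
    // The caller aborts the request and alerts when this returns true.
    public static bool ResultContainsHoneyDrop(IDataReader reader, int userNameColumn,
                                               List<string> userNames)
    {
        bool hit = false;
        while (reader.Read())
        {
            string name = reader.IsDBNull(userNameColumn) ? null : reader.GetString(userNameColumn);
            if (string.Equals(name, HoneyUserName, StringComparison.Ordinal))
                hit = true;
            else
                userNames.Add(name);
        }
        return hit;
    }

    // File-system honey drop: watch one decoy file and call the supplied
    // alert delegate (assumed to log or page someone) on any change.
    public static FileSystemWatcher WatchHoneyFile(string honeyPath, Action<string> alert)
    {
        var watcher = new FileSystemWatcher(
            Path.GetDirectoryName(honeyPath), Path.GetFileName(honeyPath));
        watcher.NotifyFilter = NotifyFilters.LastAccess | NotifyFilters.LastWrite
                             | NotifyFilters.Size | NotifyFilters.Attributes;
        watcher.Changed += (s, e) => alert("honey file touched: " + e.FullPath);
        watcher.Deleted += (s, e) => alert("honey file deleted: " + e.FullPath);
        watcher.Renamed += (s, e) => alert("honey file renamed: " + e.FullPath);
        watcher.EnableRaisingEvents = true;
        return watcher;
    }
}
```

Two practical notes: the database check is only as good as its coverage, so route every Users query through a helper that calls ResultContainsHoneyDrop rather than remembering to add it per page; and NTFS last-access timestamps are frequently disabled on Windows servers, so a pure read of the decoy file may not raise Changed, making the write, delete and rename events the reliable signals from this watcher.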
Limiting Exposure to Malicious Input
Reducing the Attack Surface
Reduce the attack surface of the application to limit exposure to hackers.
Don’t show query string parameters if you do not use them in a particular context.
Remove testing, debug, and dead code from production applications.
If possible, use static content in application demos.
Limit access to administration or other private modules.
Remove sample code and programs from production servers.
Avoid or carefully audit third-party components.
Limiting Attack Scope
Use the principle of least privilege to limit the access of Web users.
Avoid storing passwords, private comments, or other sensitive information in server-side code.
Hardening Server Applications
Use the MaxRequestEntityAllowed and AspMaxRequestEntityAllowed metabase settings to limit the overall length of a request.
Use the MaxFieldLength, MaxRequestBytes, UrlSegmentMaxLength, and UrlSegmentMaxCount registry settings to limit the length of specific parts of a request.
Use the EnableNonUTF8 and PercentUAllowed registry keys to limit valid characters in a request.