Hacking the Code: ASP.NET Web Application Security [Electronic resources] (text version)



James C. Foster, Mark M. Burnett







Coding Standards Fast Track



Handling Malicious Input


Identifying Input Sources




Always identify any source of user input, including all references to the Request object.



Carefully identify other indirect or less obvious sources of input.



Programming Defensively




Always assign filtered user input to variables to distinguish it from the raw data.



When using VB.NET, use Option Explicit and Option Strict.



Use centralized filtering functions on all user input.



Never use the generic Request collection when gathering user input.




Constraining Input


Bounds Checking




Use validator controls to validate form input if a page posts back to itself, and check Page.IsValid on the server before acting on the data; the controls' client-side script is only a convenience.



Never rely on client-side validation for security.



Pattern Matching




Use regular expressions either to block known bad data or, preferably, to allow only known good data; a block list catches only the attacks you anticipated, while an allow list rejects everything else by default.



Use regular expressions to identify malicious keywords or other patterns.
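The following is an added example, not code from the book, showing the items above together in one Web Forms page: all user input arrives through the named Request collections, every value passes through one central filter class, filtered values live in their own variables, integers are bounds-checked, and validator controls are checked on the server. The class and page names, the allow-list pattern and the range 1 to 500 are assumptions chosen for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Central filter class (assumed name): every page calls these methods instead of
// writing its own checks, so a fix here applies everywhere.
public static class InputFilter
{
    // Allow-list: only letters, digits and underscore, 3 to 20 characters.
    static readonly Regex UserNameRx =
        new Regex(@"^[A-Za-z0-9_]{3,20}$", RegexOptions.Compiled);

    // Block-list: SQL keywords and metacharacters that should never appear in a
    // free-text field. Used as an alarm beside parameterized queries, never instead of them.
    static readonly Regex SqlPatternRx = new Regex(
        @"\b(select|union|insert|update|delete|drop|exec)\b|--|;|'|/\*",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Returns the trimmed value only when it matches the allow-list, otherwise null.
    public static string UserName(string raw)
    {
        if (raw == null) return null;
        string s = raw.Trim();
        return UserNameRx.IsMatch(s) ? s : null;
    }

    // Bounds-checked integer: must parse and fall inside [min, max].
    public static bool TryInt(string raw, int min, int max, out int value)
    {
        value = 0;
        if (raw == null) return false;
        return int.TryParse(raw.Trim(), out value) && value >= min && value <= max;
    }

    // Block-list check for text that cannot be allow-listed tightly.
    public static bool LooksLikeSqlInjection(string raw)
    {
        return raw != null && SqlPatternRx.IsMatch(raw);
    }
}

// Page (assumed name) that consumes the filtered values only.
public class ProfilePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            Validate();            // run the validator controls on the server
            if (!IsValid) return;  // client-side validation alone proves nothing
        }

        // Name the source collection explicitly; Request["user"] would also search
        // form fields, cookies and server variables.
        string rawUser = Request.QueryString["user"];
        string rawPage = Request.QueryString["page"];

        // Filtered copies get their own variables; the raw values are not used again.
        string user = InputFilter.UserName(rawUser);
        int page;
        if (user == null || !InputFilter.TryInt(rawPage, 1, 500, out page))
        {
            Response.StatusCode = 400;
            return;
        }

        Response.Write(HttpUtility.HtmlEncode("Profile for " + user + ", page " + page));
    }
}
```

In VB.NET the same page would start with Option Explicit On and Option Strict On, which turns an undeclared variable or an implicit String-to-Integer conversion into a compile error rather than a runtime surprise.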



Data Reflecting




Reflect data using trusted system functions (for example, Path.GetFullPath) that return the canonical form of a path, to prevent attacks such as directory traversal.



Always work with the reflected path in subsequent operations.



Encoding Data




Use HtmlEncode to encode a string for browser output; it covers HTML body text and quoted attribute values, not data placed inside script blocks or URLs.



Use UrlEncode to encode a URL string for output.



Use UrlPathEncode to encode the path portion of a URL for output.
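As an added example, not from the book, the function below builds one HTML link from three pieces of user-supplied data and applies the three encoders to the contexts they are meant for: UrlPathEncode for a path segment, UrlEncode for a query-string value, and HtmlEncode for the attribute and the visible text. The class name, the /reports/ prefix and the q parameter are assumptions.

```csharp
using System.Web;

public static class SafeOutput
{
    // Builds <a href="/reports/{folder}?q={search}">{label}</a> with each part
    // encoded for where it lands.
    public static string ReportLink(string folder, string search, string label)
    {
        // Path portion: UrlPathEncode encodes spaces and non-ASCII characters and
        // leaves '/' and the other path characters alone. It does not stop "..",
        // so folder must already have passed a path check.
        string path = "/reports/" + HttpUtility.UrlPathEncode(folder ?? "");

        // Query value: UrlEncode escapes '&', '=', '#' and '/', so the value cannot
        // add a second parameter or a fragment.
        string query = "?q=" + HttpUtility.UrlEncode(search ?? "");

        // The assembled URL goes into an HTML attribute, so it is HTML-encoded as a
        // whole; the visible text is HTML-encoded for the element body.
        return "<a href=\"" + HttpUtility.HtmlEncode(path + query) + "\">"
             + HttpUtility.HtmlEncode(label ?? "") + "</a>";
    }
}
```

Applying UrlEncode to the whole URL instead would turn the '/' separators into %2F and break the path, while applying HtmlEncode alone to the query value would leave '&' free to introduce a second parameter; each encoder answers for exactly one context.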



Encapsulating




Use hashes to encapsulate data for safe handling.



Convert hashes to hex values to create safe alphanumeric strings; a hex digest contains only the characters 0-9 and A-F, so it can be used as a file name or key no matter what the original input contained.



Parameterizing




Use parameterizing to fix the context and scope of user data.



Combine parameterization with other techniques to prevent directory traversal.
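The class below is an added example, not the book's code, that puts Data Reflecting, Encapsulating and Parameterizing together for one file-access case. ReflectedPath fixes the directory and extension (parameterizing), lets Path.GetFullPath canonicalize the result (reflecting) and then works only with that canonical path; EncapsulatedPath instead hashes the user value and uses the hex digest as the file name. The base directory, extension and class name are assumptions.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

public static class SafeFiles
{
    // Fixed by the application, never by the user: these parameters bound where a
    // user-supplied name can land. Directory is an assumption for the example.
    const string BaseDir = @"C:\inetpub\appdata\reports\";
    const string Extension = ".txt";

    // Reflect: build the path, let the system canonicalize it, then confirm the
    // canonical result is still a plain file directly under BaseDir.
    // Returns null when the name escaped or was malformed.
    public static string ReflectedPath(string userName)
    {
        if (string.IsNullOrEmpty(userName)) return null;
        try
        {
            string baseFull = Path.GetFullPath(BaseDir);
            string candidate = Path.GetFullPath(Path.Combine(baseFull, userName + Extension));

            // "..\" sequences and rooted names have been resolved by now; compare
            // canonical forms. BaseDir ends in '\' so "reports2\" cannot match.
            if (!candidate.StartsWith(baseFull, StringComparison.OrdinalIgnoreCase))
                return null;

            // Still require a plain file name so "sub\x" is rejected too.
            string expected = userName + Extension;
            if (!string.Equals(Path.GetFileName(candidate), expected, StringComparison.OrdinalIgnoreCase))
                return null;

            return candidate;   // subsequent code uses only this reflected path
        }
        catch (ArgumentException) { return null; }      // invalid path characters
        catch (NotSupportedException) { return null; }  // e.g. a stray ':' in the name
        catch (PathTooLongException) { return null; }
    }

    // Encapsulate: hash the user value and use its hex form as the file name, so
    // whatever the user typed, the name consists only of [0-9A-F].
    public static string EncapsulatedPath(string userValue)
    {
        byte[] digest;
        using (SHA256 sha = SHA256.Create())
            digest = sha.ComputeHash(Encoding.UTF8.GetBytes(userValue ?? ""));
        string hex = BitConverter.ToString(digest).Replace("-", "");
        return Path.Combine(Path.GetFullPath(BaseDir), hex + Extension);
    }
}
```

A constructed input such as "..\..\web.config" comes back null from ReflectedPath because Path.GetFullPath resolves it outside BaseDir, and the same input passed to EncapsulatedPath yields a 64-character hex name that cannot traverse anywhere. The hash only makes the name safe; anyone can compute the digest of another user's value, so it is not an access control.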



Double Decoding




Use double decoding to detect multiple layers of encoding: decode the value once more than the framework already has (ASP.NET decodes Request values once) and compare; if the result still changes, a second layer was present.



Reject all requests that contain more than one layer of encoding; browsers never send them, and they are the classic way to slip ".." or quotes past a filter that decodes only once.
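An added example, not from the book, of the double-decoding check: EncodingDepth counts how many successive UrlDecode passes still change a string. A raw wire value should have depth 1 at most, and a value already decoded by ASP.NET (anything read from Request.QueryString or Request.Form) should have depth 0. The class name and the cap of five passes are assumptions.

```csharp
using System;
using System.Web;

public static class DecodeGuard
{
    // Number of UrlDecode passes that still change the string. A single, normal
    // encoding layer counts as 1; each extra layer adds 1.
    public static int EncodingDepth(string s)
    {
        int depth = 0;
        string current = s ?? "";
        for (int i = 0; i < 5; i++)   // cap so a pathological input cannot spin
        {
            string next = HttpUtility.UrlDecode(current);
            if (string.Equals(next, current, StringComparison.Ordinal)) break;
            depth++;
            current = next;
        }
        return depth;
    }

    // For data taken straight from the wire (e.g. Request.RawUrl): one layer is normal.
    public static bool RawValueHasExtraLayer(string rawFromWire)
    {
        return EncodingDepth(rawFromWire) > 1;
    }

    // For values ASP.NET already decoded once (Request.QueryString, Request.Form):
    // if another decode still changes it, the client sent two layers.
    public static bool DecodedValueStillEncoded(string alreadyDecoded)
    {
        return EncodingDepth(alreadyDecoded) > 0;
    }
}
```

Applied to a constructed query value arriving as %252e%252e%252f, ASP.NET hands the page %2e%2e%2f, DecodedValueStillEncoded reports true, and the request is rejected before the string is ever used as a path. The check has one known false positive: a legitimate value whose decoded form contains a literal '%' followed by two hex digits, or a '+', also changes on a further decode, so apply it to fields where those characters are not expected (paths, identifiers) or treat a hit as an anomaly to log rather than an automatic block.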



Syntax Checking




Check the final syntax of any string that is based on user input to be sure it matches the expected format.



Exception Handling




Take advantage of the robust error handling features in ASP.NET.



Check return results to be sure they are consistent with what you expected.



Honey Drops




Use honey drops in your database to detect SQL injection attacks.



Use honey drops in your file system to detect file system access.



Use honey drops in your source code to detect server-side code access.
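As an added example, not the book's code, the class below shows where the database and source-code honey drops are checked. A sentinel user row is planted in the users table by a deployment script; because no legitimate lookup ever asks for it, its appearance in a result set means a WHERE clause was subverted. A fake credential that exists only in server-side source is checked before real authentication, so its use means someone has read the code. The sentinel values, column name and class name are assumptions; the result set in DemoInjectedLookup is constructed for the example.

```csharp
using System;
using System.Data;

public static class HoneyDrops
{
    // Planted row: never a real account, never referenced by legitimate queries.
    public const string HoneyUser = "svc_report_archive";

    // Credential that appears only in server-side code/config. It is never valid;
    // its use is the signal.
    public const string HoneyPassword = "Tmp!Migration#2004";

    // Scan a query result for the planted row. Call on every result set that is
    // built from user-influenced SQL; a hit should log and alert, not just fail.
    public static bool ResultsContainHoneyDrop(DataTable rows, string userColumn)
    {
        foreach (DataRow row in rows.Rows)
        {
            object v = row[userColumn];
            if (v != DBNull.Value &&
                string.Equals(v.ToString(), HoneyUser, StringComparison.OrdinalIgnoreCase))
                return true;
        }
        return false;
    }

    // Check submitted credentials against the source-code honey drop before the
    // real password check runs.
    public static bool IsHoneyCredential(string user, string password)
    {
        return string.Equals(user, HoneyUser, StringComparison.OrdinalIgnoreCase)
            || string.Equals(password ?? "", HoneyPassword, StringComparison.Ordinal);
    }

    // Constructed stand-in for a real result: a lookup for one user that, because
    // the WHERE clause was defeated (e.g. ' OR 1=1--), returned every row.
    public static bool DemoInjectedLookup()
    {
        DataTable t = new DataTable();
        t.Columns.Add("UserName", typeof(string));
        t.Rows.Add("alice");
        t.Rows.Add(HoneyUser);   // the planted row, now leaked into the result
        return ResultsContainHoneyDrop(t, "UserName");   // true: raise an alert
    }
}
```

The same idea applies to the file system: plant a file that no code path opens and watch the server's file-access audit log for it. That detection lives in the operating system's auditing rather than in application code, so it is not shown here.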




Limiting Exposure to Malicious Input


Reducing the Attack Surface




Reduce the attack surface of the application to limit exposure to hackers.



Don’t show query string parameters if you do not use them in a particular context.



Remove testing, debug, and dead code from production applications.



If possible, use static content in application demos.



Limit access to administration or other private modules.



Remove sample code and programs from production servers.



Avoid or carefully audit third-party components.



Limiting Attack Scope




Use the principle of least privilege to limit the access of Web users.



Avoid storing passwords, private comments, or other sensitive information in server-side code.



Hardening Server Applications




Use the MaxRequestEntityAllowed and AspMaxRequestEntityAllowed IIS metabase settings to limit the overall length of a request; for ASP.NET pages the maxRequestLength attribute of the httpRuntime element in web.config sets the same kind of limit.



Use the MaxFieldLength, MaxRequestBytes, UrlSegmentMaxLength, and UrlSegmentMaxCount registry settings (HTTP.sys parameters under HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters) to limit the length of specific parts of a request.



Use the EnableNonUTF8 and PercentUAllowed registry keys (in the same HTTP.sys Parameters key) to limit valid characters in a request; both widen the set of encodings the server accepts, so leave them off unless an application needs them.


