Chapter 7: Developing Secure ASP.NET Applications
Introduction
Although much of your security effort is focused on the mechanics of your application and the code that runs on the server, you should also consider the HTML content you send to client browsers. Throughout this book we have covered topics such as managing and authenticating users, using encryption, accessing data, and filtering input. But even after following all the recommendations in this book, poor HTML coding practices can hand attackers sensitive information and even put your users at risk. Although this might not be a big issue for some web sites, it is a serious issue for large sites with substantial community involvement, such as Yahoo! or eBay. While you have no control over the user's browser and little influence over the decisions users make, the content you produce can limit their exposure to these threats.
Understanding the Threats
Some of the threats covered in this chapter are:
Cross-site scripting (XSS): Injecting HTML or script into a page so that the Web application delivers the attacker's content to, and thereby attacks, other users.
Cross-site request forgery (CSRF): Exploiting a site's trust in an authenticated user to perform a transaction on behalf of that user without the user's intent.
Information leakage: Deliberately sending invalid input to produce error messages whose details (stack traces, file paths, database structure) may facilitate a further attack.
Social engineering: Using an attacker's social skills to extract information from, or otherwise manipulate, employees or other trusted individuals at a target organization.
Repudiation: The ability of a user to deny having taken an action or performed a transaction.