Hacking the Code: ASP.NET Web Application Security [Electronic resources] (text version)


James C. Foster, Mark M. Burnett



Code Audit Fast Track


Writing Secure HTML


Constructing Safe HTML




Does the application send any dynamic output to the browser without first HTML-encoding it (Server.HtmlEncode / HttpUtility.HtmlEncode in ASP.NET)?



Does the application enforce a specific character set, either in web.config (the responseEncoding attribute of the globalization element) or on a per-page basis?



Does the application filter input and encode output before passing it to the DHTML innerHTML property, the insertAdjacentElement and insertAdjacentHTML methods, and the TEXTAREA element (TextArea object)?



Could the programmers use innerText, which treats the assigned value as text rather than markup, instead of innerHTML?



Do frame and iframe elements have the security attribute set to restricted? (Only Internet Explorer honours this attribute; other browsers ignore it, and the HTML5 sandbox attribute is the cross-browser equivalent.)
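The encoding and innerHTML/innerText checks above, as an added example that is not from the book. The book targets ASP.NET, where Server.HtmlEncode / HttpUtility.HtmlEncode does the server-side encoding; this JavaScript version covers the same characters, shows the vulnerable rendering beside the fixed one for element, attribute and TEXTAREA contexts, and uses a small stand-in element (an assumption, since there is no DOM outside a browser) to show why innerText neutralises markup that innerHTML would execute:

```javascript
// Added example, not from the book: encode dynamic output for the context it
// lands in, and prefer text-setting DOM properties over markup-setting ones.
// htmlEncode covers the same characters as HttpUtility.HtmlEncode in ASP.NET.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The "before": untrusted values concatenated straight into markup.
function renderCommentUnsafe(user, text) {
  return `<p><b>${user}</b>: ${text}</p>`;
}

// The fix: every dynamic value is encoded before it touches the markup.
function renderCommentSafe(user, text) {
  return `<p><b>${htmlEncode(user)}</b>: ${htmlEncode(text)}</p>`;
}

// Attribute context: encode AND quote. In an unquoted attribute a single space
// ends the value, so encoding < and > alone is not enough. Encoding also does
// not validate the URL scheme; a javascript: href must be rejected separately.
function renderLink(href, label) {
  return `<a href="${htmlEncode(href)}">${htmlEncode(label)}</a>`;
}

// TEXTAREA: a literal </textarea> inside the data closes the element early;
// encoding the < keeps the user's text inside it.
function renderTextArea(name, draft) {
  return `<textarea name="${htmlEncode(name)}">${htmlEncode(draft)}</textarea>`;
}

// Stand-in for a DOM element so this runs under Node (assumed, not a real DOM):
// assigning innerHTML stores the value as markup, assigning innerText stores it
// as text, which is what a browser does with the two properties.
class FakeElement {
  constructor() { this.markup = ""; }
  set innerHTML(value) { this.markup = String(value); }
  set innerText(value) { this.markup = htmlEncode(value); }
}

// Audit helpers: did a <script> tag survive, and is the TEXTAREA still closed exactly once?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

function countClosingTextAreas(html) {
  return (html.match(/<\/textarea>/gi) || []).length;
}
```

The same rule applies to every dynamic value the page emits, including ones that came from the database rather than the current request: the data is untrusted until it has been encoded for the exact context (element content, quoted attribute, TEXTAREA) it is written into.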



Do forms use GET for actions that change state, where a POST would be more appropriate?



Do sensitive transactions require multiple steps, including an explicit user confirmation?



Do forms check the Referer header to verify the source of the input (remembering that browsers and proxies may omit it, so a missing Referer should be treated as untrusted rather than silently accepted)?



Can users enter IMG or hyperlink tags whose automatic GET requests could perform a CSRF attack against another user?



Preventing Information Leaks




Does the HTML content contain employee names, e-mail addresses, or phone numbers that could be used in a social engineering attack?



Do HTML meta tags (for example generator or author) reveal unnecessary information?



Does the HTML content contain any unnecessary comments? (Client-side <!-- --> comments are sent to the browser; ASP.NET server-side <%-- --%> comments are not.)
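A scanner for the three information-leak checks above, as an added example that is not from the book. It is meant to run over the HTML a page actually sends to the browser; SAMPLE_PAGE is constructed for the example, and the list of revealing meta names is an assumption:

```javascript
// Added example, not from the book: scan rendered HTML for the leaks this
// checklist asks about. SAMPLE_PAGE is constructed for the example.

const SAMPLE_PAGE = `<html><head>
<meta name="generator" content="Microsoft Visual Studio .NET 7.1">
<meta name="author" content="Jane Doe">
<meta name="viewport" content="width=device-width">
<title>Orders</title>
</head>
<body>
<!-- TODO: remove before release. Dev DB is sql01; ask jdoe@example.com for the password -->
<p>Questions? Call Jane Doe at (555) 123-4567 or e-mail jane.doe@example.com.</p>
<!-- admin link hidden until launch: /admin/orders.aspx -->
</body></html>`;

// meta names that tell an attacker about the platform or the people behind the site (assumed list)
const REVEALING_META = new Set(["generator", "author", "copyright", "owner"]);

const COMMENT_RE = /<!--([\s\S]*?)-->/g;
const META_RE = /<meta\b([^>]*)>/gi;
const ATTR_RE = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}/g;
const PHONE_RE = /\(?\b\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}\b/g;   // North American 3-3-4 pattern

function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Returns one finding per hit: { kind, value }. Comments are scanned for contact
// data as well, since the browser receives them even though it does not display them.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(COMMENT_RE)) {
    findings.push({ kind: "comment", value: m[1].trim() });
  }
  for (const m of html.matchAll(META_RE)) {
    const attrs = parseAttrs(m[1]);
    if (attrs.name && REVEALING_META.has(attrs.name.toLowerCase())) {
      findings.push({ kind: "meta", value: `${attrs.name}=${attrs.content}` });
    }
  }
  for (const m of html.matchAll(EMAIL_RE)) findings.push({ kind: "email", value: m[0] });
  for (const m of html.matchAll(PHONE_RE)) findings.push({ kind: "phone", value: m[0] });
  return findings;
}

function countByKind(findings) {
  const counts = { comment: 0, meta: 0, email: 0, phone: 0 };
  for (const f of findings) counts[f.kind] += 1;
  return counts;
}
```

Run it against the output of every page, not the .aspx source: what matters is what leaves the server, and comments or contact details may be added by user controls, master pages or error output rather than the page itself.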




Handling Exceptions


Using Structured Error Handling




Does the application use structured error handling (try/catch/finally, plus Page_Error or Application_Error handlers) to avoid the default ASP.NET error page?



Do error handlers always fail securely, denying the operation whenever the outcome is unknown?



Reporting and Logging Errors




Do error messages reveal too much information (stack traces, file paths, connection strings, SQL text)?



Does the application use generic error pages (customErrors in web.config) rather than the built-in ASP.NET error pages?



Do log files contain user passwords, credit card numbers, or other sensitive information?



Are debugging, tracing, and detailed error messages all turned off in production applications (compilation debug="false", trace enabled="false", and customErrors mode="On" in web.config)?


