Hacking the Code: ASP.NET Web Application Security [Electronic resources] - text version


James C. Foster, Mark M. Burnett


Coding Standards Fast Track



Establishing User Credentials


Enforcing Strong Passwords




Read a password form field only once: validate it and assign it to a variable, and from then on use only that validated variable, never the raw form field.



Use a single, standard function to check password complexity requirements, so every page that accepts a password enforces the same rules.
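The following is an added example, not code from the book, of the two rules above: one reusable checker that every page calls, and a caller that reads the form field exactly once. The thresholds (8 characters minimum, 128 maximum, three of four character classes) and the class name PasswordPolicy are assumptions; the sample password and username are constructed.

```csharp
using System;
using System.Collections.Generic;

// Added example: a single complexity checker shared by every page that accepts a password.
// Thresholds below are assumed policy values, not the book's.
public static class PasswordPolicy
{
    public const int MinimumLength = 8;
    public const int MaximumLength = 128;   // bound the work a password hasher has to do
    public const int RequiredClasses = 3;   // of: lowercase, uppercase, digits, symbols

    // Returns every rule the candidate violates; an empty list means it passed.
    public static IList<string> Validate(string password, string username)
    {
        var failures = new List<string>();
        if (password == null) password = string.Empty;

        if (password.Length < MinimumLength)
            failures.Add("must be at least " + MinimumLength + " characters");
        if (password.Length > MaximumLength)
            failures.Add("must be at most " + MaximumLength + " characters");

        bool lower = false, upper = false, digit = false, symbol = false;
        foreach (char c in password)
        {
            if (char.IsLower(c)) lower = true;
            else if (char.IsUpper(c)) upper = true;
            else if (char.IsDigit(c)) digit = true;
            else if (!char.IsWhiteSpace(c)) symbol = true;
        }
        int classes = (lower ? 1 : 0) + (upper ? 1 : 0) + (digit ? 1 : 0) + (symbol ? 1 : 0);
        if (classes < RequiredClasses)
            failures.Add("must use at least " + RequiredClasses + " of: lowercase, uppercase, digits, symbols");

        if (!string.IsNullOrEmpty(username) &&
            password.IndexOf(username, StringComparison.OrdinalIgnoreCase) >= 0)
            failures.Add("must not contain the username");

        if (password.Length > 0 && IsSingleRepeatedCharacter(password))
            failures.Add("must not be one repeated character");

        return failures;
    }

    private static bool IsSingleRepeatedCharacter(string s)
    {
        for (int i = 1; i < s.Length; i++)
            if (s[i] != s[0]) return false;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        // In an ASP.NET page handler the field is read exactly once:
        //   string candidate = Request.Form["password"];
        // and only 'candidate' is used afterwards. A constructed value stands in here.
        string candidate = "Tr0ub4dor&3";
        string username = "alice";

        IList<string> failures = PasswordPolicy.Validate(candidate, username);
        foreach (string f in failures)
            Console.WriteLine("rejected: " + f);
        Console.WriteLine(failures.Count == 0 ? "accepted" : "rejected");
    }
}
```

Returning the list of failed rules, rather than a bare bool, lets the page tell the user which rule was broken without each page re-implementing the checks.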



Avoiding Easily Guessed Credentials




All temporary passwords should have a short expiration period or should be marked as already expired, forcing the user to change the password.



Preventing Credential Harvesting




Never place the username on the URL’s query string.



Avoid user directories or other methods that others could use to harvest usernames.



Do not automatically generate usernames or account IDs; sequential or otherwise predictable identifiers let an attacker enumerate valid accounts.




Managing Passwords


Storing Passwords




Always use well-established algorithms, such as those in the System.Security.Cryptography namespace, and store passwords as salted, iterated hashes (for example PBKDF2 via Rfc2898DeriveBytes) rather than as plain MD5 or SHA-1 digests, which offline dictionary attacks recover quickly.



Centralize all encryption code so that you can easily change algorithms and/or keys.



Password Aging and Password Histories




Always check the password age immediately after authenticating the user.



Changing Passwords




Password changes should be on a page of their own and accept the old password as well as the new password in a single step.



Expire all user sessions immediately after changing a user’s password, requiring the user to reauthenticate.
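The following added example (not the book's code) ties together the password aging and password change rules above on a single in-memory account: the change request carries the old and new password together, the age check is a method called right after the login check, and every existing session is invalidated by rotating a per-account session stamp that each session must still match. The names Account, Session, SessionStamp and MaxPasswordAge, the 90-day policy and the sample credentials are assumptions; the complexity check on the new password is assumed to run before ChangePassword is called. Requires .NET Framework 4.7.2 or later, or .NET Core 2.0 or later.

```csharp
using System;
using System.Security.Cryptography;

// Added example, not the book's code. The account stores a salted PBKDF2 hash plus
// the time of the last change and a random SessionStamp copied into each session.
public class Account
{
    public string Username { get; private set; }
    public byte[] Salt { get; private set; }
    public byte[] PasswordHash { get; private set; }
    public DateTime PasswordChangedUtc { get; private set; }
    public string SessionStamp { get; private set; }   // rotated on every password change

    public static readonly TimeSpan MaxPasswordAge = TimeSpan.FromDays(90);   // assumed policy
    private const int Iterations = 100000;

    public Account(string username, string password)
    {
        Username = username;
        SetPassword(password);
    }

    public bool VerifyPassword(string password)
    {
        byte[] actual = Derive(password, Salt);
        int diff = 0;
        for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ PasswordHash[i];
        return diff == 0;
    }

    // Called immediately after a successful login check; a true result sends the
    // user to the change-password page instead of the application.
    public bool PasswordExpired(DateTime nowUtc)
    {
        return nowUtc - PasswordChangedUtc > MaxPasswordAge;
    }

    // Old and new password arrive in the same request; nothing changes unless the old
    // one verifies and the new one differs from it.
    public bool ChangePassword(string oldPassword, string newPassword)
    {
        if (!VerifyPassword(oldPassword)) return false;
        if (oldPassword == newPassword) return false;
        SetPassword(newPassword);
        return true;
    }

    private void SetPassword(string password)
    {
        Salt = RandomBytes(16);
        PasswordHash = Derive(password, Salt);
        PasswordChangedUtc = DateTime.UtcNow;
        SessionStamp = Convert.ToBase64String(RandomBytes(16));   // every old session stops matching
    }

    private byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password ?? string.Empty, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    private static byte[] RandomBytes(int n)
    {
        byte[] b = new byte[n];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(b);
        return b;
    }
}

// A session stays valid only while the stamp it was issued with is the account's current one.
public class Session
{
    public string Username { get; private set; }
    public string Stamp { get; private set; }
    public Session(Account a) { Username = a.Username; Stamp = a.SessionStamp; }
    public bool IsValid(Account a) { return a.Username == Username && a.SessionStamp == Stamp; }
}

public static class Demo
{
    public static void Main()
    {
        var acct = new Account("alice", "Old-Passw0rd!");   // constructed sample account
        var phone = new Session(acct);                       // a session open on another device
        Console.WriteLine("phone session valid: " + phone.IsValid(acct));
        Console.WriteLine("change with wrong old password: " + acct.ChangePassword("wrong", "New-Passw0rd!"));
        Console.WriteLine("change with right old password: " + acct.ChangePassword("Old-Passw0rd!", "New-Passw0rd!"));
        Console.WriteLine("phone session valid: " + phone.IsValid(acct));
        Console.WriteLine("expired today: " + acct.PasswordExpired(DateTime.UtcNow));
        Console.WriteLine("expired in 91 days: " + acct.PasswordExpired(DateTime.UtcNow.AddDays(91)));
    }
}
```

In ASP.NET the stamp would be written into the forms authentication ticket or session at login and compared against the account on each request; because the comparison is per request, sessions on other devices stop working immediately after the change without the server having to enumerate them.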




Resetting Lost or Forgotten Passwords


Resetting Passwords




Treat lost passwords as a security event, taking measures such as logging event details, including client IP address.



Carefully manage session state throughout the reset process; do not track session account identifiers on hidden form fields or query strings.



Sending Information Via E-Mail




Never send sensitive information via e-mail.



If possible, use PGP or S/MIME to digitally sign and/or encrypt e-mail communications.



Assigning Temporary Passwords




If creating temporary passwords, use a cryptographically strong random number generator (not System.Random) with sufficient entropy, and give each one a short lifetime and a single use.
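As an added example (not the book's code) of this rule together with the earlier one that temporary passwords expire quickly, the class below draws characters from a cryptographic RNG using rejection sampling, so every alphabet character is equally likely, and records an expiry and a used flag so the value can be redeemed once within a short window. The alphabet, the 12-character length, the 30-minute lifetime and the class name TemporaryPassword are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the book's code.
public class TemporaryPassword
{
    // Ambiguous glyphs (0/O, 1/l/I) are left out because a human will read this value.
    private const string Alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
    public const int Length = 12;                                   // assumed
    public static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);   // assumed

    public string Value { get; private set; }
    public DateTime ExpiresUtc { get; private set; }
    public bool Used { get; private set; }

    public TemporaryPassword()
    {
        Value = Generate(Length);
        ExpiresUtc = DateTime.UtcNow + Lifetime;
    }

    // 55 symbols, 12 positions: log2(55^12) is about 69 bits, far beyond what can be
    // guessed online inside the lifetime.
    public static string Generate(int length)
    {
        var sb = new StringBuilder(length);
        byte[] buf = new byte[1];
        // Largest multiple of the alphabet size that fits in a byte (220 here). Bytes at or
        // above it are discarded, so buf[0] % Alphabet.Length is uniform over the alphabet.
        int limit = 256 - (256 % Alphabet.Length);
        using (var rng = RandomNumberGenerator.Create())
        {
            while (sb.Length < length)
            {
                rng.GetBytes(buf);
                if (buf[0] < limit) sb.Append(Alphabet[buf[0] % Alphabet.Length]);
            }
        }
        return sb.ToString();
    }

    // Accepted exactly once and only before expiry; on success the caller must
    // force the user to choose a real password before doing anything else.
    public bool Redeem(string candidate, DateTime nowUtc)
    {
        if (Used || nowUtc > ExpiresUtc) return false;
        if (!FixedTimeEquals(candidate ?? string.Empty, Value)) return false;
        Used = true;
        return true;
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var temp = new TemporaryPassword();
        Console.WriteLine("issued: " + temp.Value + " expires " + temp.ExpiresUtc.ToString("u"));
        Console.WriteLine("first redeem:  " + temp.Redeem(temp.Value, DateTime.UtcNow));
        Console.WriteLine("second redeem: " + temp.Redeem(temp.Value, DateTime.UtcNow));
        var late = new TemporaryPassword();
        Console.WriteLine("after expiry:  " + late.Redeem(late.Value, DateTime.UtcNow.AddHours(1)));
    }
}
```

The rejection step matters: taking `byte % 55` directly would make the first 36 alphabet characters slightly more likely than the rest, and a guesser who knows the generator can exploit that bias.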



Using Secret Questions




Use questions with enough possible answers to prevent guessing or brute-force attacks.



Avoid questions for which many people will select the same common answers.




Empowering Users


Educating Users




Avoid long or overly complex URLs, especially at application entry points such as the login screen, so that users can recognize the legitimate address and notice when a link leads somewhere else.


