I was watching a couple of Computerphile videos on YouTube, specifically the JavaScript and SQL injection videos, and that had me wondering: does ASP.NET take care of these security concerns, or do we need to handle it?
I have a website I'm developing that has a 'contact us' page that was similarly designed to the one in the book, so I tried putting in:
Code:
<script>alert("Vulnerability Detected");</script>
IE and VS throw an exception that catches the threat, but I'm not entirely convinced that my website will be safe in a live environment.
I found that I can (in my contact form) set ValidateRequestMode to disabled and then sanitize all of the input using HttpUtility.HtmlEncode(). So, I know this works when I specifically write code to prevent security threats, but does ASP.NET catch other vulnerabilities that I miss?
I'm still reading through the Database chapters, so I don't know if we will have a text box whose value is sent to a database, but is there some protection for them, or do we have to 'manually' check the text for malicious intent?
Here are the videos that I was referring to:
Cross Site Request Forgery (JavaScript injection)
Hacking Websites with SQL Injection
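As an added example (not code from the post above), here is how the two concerns in the question are usually handled in an ASP.NET Web Forms page: user text is HTML-encoded with HttpUtility.HtmlEncode before it is rendered, and it reaches the database only as a SqlCommand parameter rather than being spliced into the SQL string. The control names (txtName, txtMessage, lblEcho, btnSend), the Contacts table and the connection string placeholder are assumptions.

```csharp
// Added example, not from the original post. Assumed names: txtName, txtMessage,
// lblEcho, btnSend controls and a Contacts(Name, Message) table.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Contact : Page
{
    // Placeholder: put your real connection string in web.config, not in code.
    private const string ConnectionString = "<connection string placeholder>";

    protected void btnSend_Click(object sender, EventArgs e)
    {
        string name = txtName.Text;
        string message = txtMessage.Text;

        // Output encoding: anything echoed back into the page is encoded, so
        // "<script>" is rendered as "&lt;script&gt;" (displayed, never executed).
        // This is needed even with request validation on, and essential if
        // ValidateRequestMode is disabled for the control.
        lblEcho.Text = "Thanks, " + HttpUtility.HtmlEncode(name);

        // Vulnerable pattern (do not do this): building the statement from input,
        //   "INSERT INTO Contacts (Name, Message) VALUES ('" + name + "', ...)"
        // lets a quote in the text box change the SQL that runs.
        //
        // Parameterised query: the values are sent separately from the SQL text,
        // so the statement's structure cannot be altered by what the user typed.
        const string sql =
            "INSERT INTO Contacts (Name, Message) VALUES (@name, @message)";

        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, length-limited parameters also reject oversized input early.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@message", SqlDbType.NVarChar, 2000).Value = message;

            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

Request validation (the exception you saw) is only a first filter on input; encoding on output and parameterising on the database side are what actually neutralise the two classes of injection in the videos.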