Wrox Programmer Forums
BOOK: Beginning ASP.NET 4.5 : in C# and VB
This is the forum to discuss the Wrox book Beginning ASP.NET 4.5: in C# and VB by Imar Spaanjaars; ISBN: 978-1-118-31180-6
  #1 (permalink)  
Old July 24th, 2014, 10:11 PM
Registered User
Join Date: Jun 2014
Posts: 6
Thanks: 0
Thanked 0 Times in 0 Posts
ASP.Net Security

I was watching a couple of Computerphile videos on YouTube, specifically the JavaScript and SQL injection videos, and that had me wondering: does ASP.Net take care of these security concerns, or do we need to handle it?

I have a website I'm developing that has a 'contact us' page that was similarly designed to the one in the book, so I tried putting in:
Code:
<script>alert("Vulnerability Detected");</script>
IE and VS throw an exception that catches the threat, but I'm not entirely convinced that my website will be safe in a live environment.

I found that I can (in my contact form) set ValidateRequestMode to Disabled and then sanitize all of the input using HttpUtility.HtmlEncode(). So, I know this works when I specifically write code to prevent security threats, but does ASP.Net catch other vulnerabilities that I miss?

I'm still reading through the Database chapters, so I don't know if we will have a text box whose value is sent to a database, but is there some protection for them, or do we have to 'manually' check the text for malicious intent?

Here are the videos that I was referring to:
Cross Site Request Forgery (javascript injection)
Hacking Websites with SQL Injection
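The contact-page scenario from the post, as an added example that is not code from the original thread or from the book: a Web Forms code-behind that validates the message on the server and HTML-encodes it before echoing it back. With ValidateRequestMode set to Disabled, as the post describes, request validation no longer stops the input, so this encoding step is what keeps the `<script>` text from running. The page class, control names and the 2000-character limit are assumptions for illustration.

```csharp
// Added example, not from the original post. ContactForm, MessageTextBox,
// EchoLabel and SendButton_Click are assumed names for a contact page.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ContactForm : Page
{
    // Server-side validation: the page decides what a message may look like,
    // regardless of what any client-side validator already checked.
    private static bool IsAcceptableMessage(string text)
    {
        return !string.IsNullOrWhiteSpace(text) && text.Length <= 2000;
    }

    protected void SendButton_Click(object sender, EventArgs e)
    {
        string message = MessageTextBox.Text;

        if (!IsAcceptableMessage(message))
        {
            EchoLabel.Text = "Please enter a message of at most 2000 characters.";
            return;
        }

        // Untrusted text is placed into HTML only after encoding.
        // The input  <script>alert("Vulnerability Detected");</script>
        // becomes   &lt;script&gt;alert(&quot;Vulnerability Detected&quot;);&lt;/script&gt;
        // which the browser shows as literal text instead of executing.
        EchoLabel.Text = HttpUtility.HtmlEncode(message);
    }
}
```

In the .aspx markup the same rule applies: emit user-supplied values with `<%: ... %>` rather than `<%= ... %>`, since the colon form HTML-encodes the value. Encoding belongs at the point of output, because the same stored text may later be rendered in a page that never went through this form's validation.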
  #2 (permalink)  
Old July 26th, 2014, 08:09 AM
Wrox Author
Join Date: Jun 2003
Location: Utrecht, Netherlands.
Posts: 17,089
Thanks: 80
Thanked 1,576 Times in 1,552 Posts

Hi there,

It's a broad topic, but yes, ASP.NET has support for this. Various encoding methods, the colon to output content, request validation and more can help make your applications secure. However, it doesn't prevent all possible scenarios out of the box, so you'll need to be careful yourself as well.

For SQL Injection: it depends. Entity Framework is safe in general as the underlying technology uses parameterized queries. Same is true for ADO.NET: it has support for parameterized queries. However, it's also possible to write unsafe code if you accept input from a user and inject it in a SQL statement directly.

This article might be a good start: http://msdn.microsoft.com/en-us/magazine/hh708755.aspx, but Google has a lot more information about the subject.

Cheers,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
  #3 (permalink)  
Old July 29th, 2014, 02:40 AM
Friend of Wrox
Join Date: Feb 2014
Posts: 136
Thanks: 1
Thanked 10 Times in 10 Posts

I agree with Imar. ASP.net 2.0 and above has some safeguards with input validation. But, I would not leave it to ASP.net to make your websites secure. You must employ techniques that safeguard your applications. Just a few, but not limited to, are: your application, regardless of input, should be aware of its own input, meaning it should validate all input for exactly what you are expecting. Validation should occur at a minimum on the client side; it is recommended to do both client and server side.

It is also good practice, before rendering output such as labels, textboxes, and bindable data displays, to HTML encode persisted or pass-through data (pass-through means it is entered on a UI and after postback is displayed on a UI). This helps guard against cross site scripting.

Never, and I repeat never, create SQL where you are concatenating a base SQL statement with inputs from a UI; this will infect your site with SQL injection. Always use frameworks like Entity Framework or parameterized SQL commands. In short, it takes a bit of reading on web exploits and for you to develop a set of practices that can safeguard you.
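The SQL advice in the two replies above (never concatenate user input into a statement; use parameterized commands), shown as an added example that is not code from the thread or the book: the same ADO.NET lookup written the way the posts warn against and then the parameterized way. The connection string, table and column names are assumed for illustration.

```csharp
// Added example, not from the original thread. ContactMessages, SenderEmail
// and the connection string are assumed names for a contact-form database.
using System.Data;
using System.Data.SqlClient;

public static class ContactRepository
{
    private const string ConnectionString =
        "Server=(localdb)\\MSSQLLocalDB;Database=ContactsDb;Integrated Security=true;";

    // The pattern the post warns against: the visitor's text becomes part of
    // the SQL itself, so a quote character in the input changes the query's
    // structure instead of being treated as data.
    public static int CountMessagesFromUnsafe(string senderEmail)
    {
        string sql = "SELECT COUNT(*) FROM ContactMessages WHERE SenderEmail = '"
                     + senderEmail + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Parameterized version: the SQL text is fixed at compile time and the
    // input travels to the server as a typed value, so it is never parsed as SQL.
    public static int CountMessagesFrom(string senderEmail)
    {
        const string sql =
            "SELECT COUNT(*) FROM ContactMessages WHERE SenderEmail = @email";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length also keeps oversized input from
            // reaching the query at all.
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = senderEmail;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Entity Framework queries written with LINQ are translated into parameterized SQL like the second method, which is why Imar calls it safe in general; passing a concatenated string to a raw-SQL API such as `Database.SqlQuery` brings the first method's problem straight back, so that API should be given its values as parameters too.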
