BOOK: Professional ASP.NET 3.5 : in C# and VB ISBN: 978-0-470-18757-9
This is the forum to discuss the Wrox book Professional ASP.NET 3.5: In C# and VB by Bill Evjen, Scott Hanselman, Devin Rader; ISBN: 9780470187579

Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Professional ASP.NET 3.5 : in C# and VB ISBN: 978-0-470-18757-9 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com

September 5th, 2010, 01:35 PM | Registered User | Join Date: Sep 2010 | Posts: 7
General Website Security in ASP.NET 3.5 logon forms
Hi kind contributors to this forum,
Just wondering how secure the website is that I have written. I mean I have written code for a logon form and it prevents access to a section of the site, as it should. But I was wondering how else I should test the site. What I have done so far is tried to access the site directly with the URL, then tried with the wrong password, and it does not work, as it shouldn't. Are there any other ways to test site security that I do not know about, because I am about to go live with a similar site.

February 4th, 2011, 08:12 AM | Authorized User | Join Date: Jan 2010 | Posts: 31
Hi Emmanuel,
Are you using code from the book Professional ASP.NET 3.5: In C# and VB or is it your own code?
If it's the book, can you please indicate the chapter and page so the guys can help you?
If it's your own code, please post it so we have more info, as you haven't provided enough to get a meaningful answer. If it isn't related to the book, it should go in the general discussion forum.

February 4th, 2011, 03:27 PM | Registered User | Join Date: Sep 2010 | Posts: 7
General question about login security
Dear Adam,
I haven't looked at it for a while, but it was an altered version of a login control from Wrox Beginning ASP.NET 3.5 in C# and VB, taken from page 520 to page 554. My question is a general one about security, but since then I have found out about some basic things like SQL injection attacks, and there are internet resources on how to protect against them. I would ideally like to find out about all the types of attacks that can happen to an ASP.NET login control and how I can protect against them, though this may be a tall order, kind sir.

February 4th, 2011, 03:27 PM | Registered User | Join Date: Sep 2010 | Posts: 7
General question about login security
Dear Adam,
I haven't looked at it for a while, but it was an altered version of a login control from Wrox Beginning ASP.NET 3.5 in C# and VB, taken from page 520 to page 554. My question is a general one about security, but since then I have found out about some basic things like SQL injection attacks, and there are internet resources on how to protect against them. I would ideally like to find out about all the types of attacks that can happen to an ASP.NET login control and how I can protect against them, though this may be a tall order, kind sir. I was using C#.

February 5th, 2011, 07:11 AM | Authorized User | Join Date: Jan 2010 | Posts: 31
Most of the security issues with SQL injection were with classic ASP. With ASP.NET, there are more built-in protections against attacks. For example, variables are strongly typed, so an integer variable cannot accept a decimal or text, and data sent to the SQL server has to match the data type of the variable sending it.
Also, the use of special folders such as App_Data with special built-in permissions - only visible to the ASP.NET process.
The use of login controls is something I believe improves security over having to code them yourself. They have been designed and bug tested very intensively. If you build the code yourself, you have to be a very good programmer to make anything as robust as the built-in .NET classes.
web.config should have customerrors="true" so if a hacker breaks a page, he won't see the exact error message and therefore be able to see variable names etc.
And I use Imar's sendmailonerror code - so I can see if a page is breaking - it could indicate an attack and therefore a vulnerability I can try to fix.
Some people advocate wrapping code that takes user input in try/catch statements, but others say only to use it during development as it has a performance hit.
Last edited by AdamPembs; February 5th, 2011 at 07:16 AM..
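As an added example (not code from the book or from any post in this thread), here is the web.config fragment behind the customErrors advice above: the element is `<customErrors>` and its `mode` attribute takes `On`, `Off` or `RemoteOnly`. The weak setting is shown beside a hardened one, together with the forms-authentication and `<location>` settings that keep anonymous users out of the protected section the original question describes; the folder and page names are placeholders.

```xml
<!-- Added example, not from the book; Members, Error.aspx, NotFound.aspx
     and Login.aspx are placeholder names. -->
<configuration>
  <system.web>
    <!-- WEAK: mode="Off" returns the full ASP.NET error page (stack trace,
         source file paths, variable and method names) to every visitor. -->
    <!-- <customErrors mode="Off" /> -->

    <!-- HARDENED: remote browsers get only the generic page; a developer
         browsing on the server itself still sees the detailed error.
         Use mode="On" to hide the details everywhere. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- Forms authentication: unauthenticated requests to protected
         pages are redirected to the login page. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />
    </authentication>
  </system.web>

  <!-- Deny anonymous users ("?") for the whole protected folder, so the
       check does not depend on each page remembering to enforce it. -->
  <location path="Members">
    <system.web>
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Re-run the original poster's checks against this: request a page under /Members without logging in and confirm the redirect to Login.aspx, then trigger an error from a remote browser and confirm only Error.aspx appears.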

February 6th, 2011, 07:46 PM | Registered User | Join Date: Sep 2010 | Posts: 7
Thank you for clearing that up
Hi Adam,
I will need to do some research to see exactly how what you have said applies to my project. It is essentially the same as the code in the book. I will have to try and find out about exceptions and how they apply to my code. I don't remember Imar's code, sendmailonerror, appearing in the book. Thanks for the kind reply, but one more question. I only know of penetration testing, and I wondered if the code in all the book concerning security had been penetration tested. Kind sir, are you a member of the design team from Wrox?

February 7th, 2011, 05:09 AM | Authorized User | Join Date: Jan 2010 | Posts: 31
Quote:
Originally Posted by EmmanuelEgobu
> Hi Adam,
> Kind sir, are you a member of the design team from Wrox?

No, I'm a relative beginner too, and my only connection with Wrox is that I own 3 books by them. I completed the Beginning ASP.NET 3.5 book and have been working as a developer for 2-3 years using classic ASP and about a year doing ASP.NET. I used to work for a company that was attacked quite heavily, although it was more denial of service than SQL injection. We used to get a lot of mail forms that were used to relay spam, and this led to some of our customers' domains getting blacklisted. I believe one of the key features of ASP.NET is that data from external sources can't be posted back to the application, so this rules out this type of attack, which was a problem for classic ASP.

February 8th, 2011, 10:12 AM | Registered User | Join Date: Sep 2010 | Posts: 7
Hacking Blues
I have a book on hacking which I will have to use before deploying any secure data. But thanks for the insight into some of the other strategies others can use; maybe we can share knowledge on Wrox. My website was for a church, and some of the people have reached senior positions in the army and navy and were concerned about having an online contact management database with their names in it.
I intend to steer clear of logins and forms for confidential data until I have a reasonable degree of potential attack knowledge. Please, if you get the time, could you direct me to any resources on the internet on hacking in ASP.NET and how to protect against it.
From my knowledge of the Network+ and Server+ I believe turning off ICMP broadcasts (or IP address broadcasts) could prevent someone from pinging an IP address and launching an attack based on it as a source address.
Thanks for your time.

February 8th, 2011, 05:57 PM | Registered User | Join Date: Sep 2010 | Posts: 7
Sitelock
Hello Contributor,
Just wondering if you tried a solution like www.sitelock.com on your website to avoid the attacks and still had issues, or am I missing something.

February 8th, 2011, 06:28 PM | Registered User | Join Date: Sep 2010 | Posts: 7
Finally,
The URL of Sitelock with the anti-spoof IP address spam source is http://www.sitelock.com/products.php
Though I can't see how to add you as a friend on this forum anymore.