I have been doing a fair share of security-related audits and programming over the last few years, and the following is a list of my favorite faux pas.
I always feel that giving specific details of errors encountered on your site is a surefire way to attract trouble. So my first defensive tip is to always use custom error pages.
<!-- web.config, inside <system.web>: hide the raw ASP.NET error page and send users to a generic page instead -->
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
Secondly, always ensure that you are capturing application-level errors in your application; there are many errors that never reach the error handling you place at the web form level.
// Global.asax; needs System.Diagnostics (EventLog) and System.Web (Server, Request)
void Application_Error(object sender, EventArgs e)
{
    // get a reference to the root of the exception chain
    Exception ex = Server.GetLastError().GetBaseException();

    // log the details of the exception to the Windows event log under the "PoppaString" source
    // (note that Request.Form may contain sensitive values such as passwords)
    EventLog.WriteEntry("PoppaString",
        "MESSAGE: " + ex.Message +
        "\nSOURCE: " + ex.Source +
        "\nFORM: " + Request.Form.ToString() +
        "\nQUERYSTRING: " + Request.QueryString.ToString() +
        "\nTARGETSITE: " + ex.TargetSite +
        "\nSTACKTRACE: " + ex.StackTrace,
        EventLogEntryType.Error);
}
The threat of cross-site scripting is a real one and could be performed in a variety of ways. While most developers tend to check text input validation, I have also seen the validation of cookies and URLs omitted; these inputs are just as open to attack and should be validated and encoded before use.
// encode untrusted form input before writing it back into the page
string safeName = HttpUtility.HtmlEncode(Request.Form["name"]);
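The point about cookies and URLs deserves a fuller illustration. The following is an added example, not code from the original post: it reads the three input sources named above (form field, query string, cookie), encodes each one for the HTML context it is written into, and only accepts a relative same-site path for a redirect. The field, parameter and cookie names ("name", "theme", "lang", "returnUrl") and the page class are assumptions for the sake of the example.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not from the original post). Context-aware encoding of
// untrusted input before it is written back into a page.
public static class SafeOutput
{
    // For text placed inside an HTML element body.
    public static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // For text placed inside a quoted HTML attribute value.
    public static string ForAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    // For text placed inside a URL query parameter.
    public static string ForUrlParam(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted ?? string.Empty);
    }

    // Redirect targets from the request are only honoured when they are a
    // relative path on this site. Absolute URLs, protocol-relative "//host"
    // and "javascript:" strings all fall back to the site root.
    public static string SafeLocalRedirect(string untrusted)
    {
        if (string.IsNullOrEmpty(untrusted)) return "/";
        if (!untrusted.StartsWith("/") || untrusted.StartsWith("//") || untrusted.StartsWith("/\\"))
            return "/";
        Uri parsed;
        if (!Uri.TryCreate(untrusted, UriKind.Relative, out parsed)) return "/";
        return untrusted;
    }
}

// Assumed Web Forms page showing the helpers applied to form, query string
// and cookie values (all three names are made up for this example).
public partial class ProfilePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string name = Request.Form["name"];              // form field
        string theme = Request.QueryString["theme"];     // URL parameter
        HttpCookie lang = Request.Cookies["lang"];       // cookie, may be absent
        string langValue = lang != null ? lang.Value : "en";

        // Each value is encoded for the exact place it lands in the markup.
        string html =
            "<p>Hello, " + SafeOutput.ForHtml(name) + "</p>" +
            "<a title=\"" + SafeOutput.ForAttribute(theme) + "\"" +
            " href=\"/profile?lang=" + SafeOutput.ForUrlParam(langValue) + "\">Settings</a>";
        Response.Write(html);

        // A redirect driven by the query string is constrained to this site.
        string returnUrl = Request.QueryString["returnUrl"];
        if (!string.IsNullOrEmpty(returnUrl))
        {
            Response.Redirect(SafeOutput.SafeLocalRedirect(returnUrl));
        }
    }
}
```

The design choice worth noting is that there is no single "safe" encoding: a value that is harmless inside an element body can still break out of an attribute or a URL, so the encoder is chosen by output context rather than by input source. Treating the cookie exactly like the form field also reflects the point above that cookies are user-controlled input, not trusted state.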
Note: this is by no means an exhaustive list and is really only meant to represent a few low-hanging fruit in coding securely for ASP.NET.