Six major security errors .NET developers often make

Source: Internet
Author: User

Industry analysts estimate that more than 70% of security vulnerabilities are discovered in applications, most of which are caused by security defects in the code.

Microsoft has already added a large number of features to the .NET environment to help developers create secure applications. For example, identity authentication has become a feature integrated into the development environment, and debugging messages are disabled by default. Microsoft's attention to security has greatly influenced developers and prompted them to reevaluate the importance of security protection during software development.

Unfortunately, not everyone does this well. According to customer service records from SPI Dynamics, .NET developers often make the following six security errors:

1. Security is not taken into account during development

If secure coding is practiced throughout the application development process, the development cycle and cost are minimized. In addition, secure development practices make applications more stable and less error-prone. However, if security is not considered until the QA or user acceptance phase of the product lifecycle, the likely result is rework, delayed delivery, and eventually cost overruns.

2. SQL Injection

SQL injection is the submission of SQL code that the developer never intended to an application. This SQL code is often malicious. If the Web application does not strictly control its input, the code is passed on to the database, and a database generally cannot tell whether an SQL statement is malicious: it simply executes the commands it receives.

For example, when developers do not guard against potentially malicious character input, attackers can forge SQL strings and thereby gain direct access to the system and the application.
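An added example (not from the article) of the same lookup written both ways in ADO.NET; the Users table, its columns and the connection string are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the article. Assumes a Users table with a
// UserName column; the connection string is a placeholder.
public static class LoginRepository
{
    const string ConnectionString = "<connection string placeholder>";

    // VULNERABLE: the user-supplied name is concatenated into the statement.
    // A single quote in the input ends the string literal, and whatever
    // follows it is executed by the database as part of the query.
    public static bool UserExistsUnsafe(string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: a parameterized command sends the text as a typed value that is
    // never parsed as SQL grammar, so a quote in the input is just a quote.
    public static bool UserExists(string userName)
    {
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring the type and length also rejects oversized input early.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```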

3. Cross-Site Scripting

Cross-site scripting (XSS, sometimes also written CSS) can occur when a dynamically generated Web page takes user input and returns it to users without validating it. An attacker can then insert malicious JavaScript code into the generated page, and that code runs on the machine of every user who views the page.

Attackers may obtain confidential information, manipulate or steal cookies, create forged requests on behalf of a valid user, or execute malicious code on the end user's system.
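An added example (not from the article) showing the reflected-input case in an ASP.NET Web Forms page; the page, its controls (ResultsHeading, SearchBox) and the "q" parameter are assumptions:

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not code from the article. Assumes the .aspx markup
// declares a Literal named ResultsHeading and a TextBox named SearchBox.
public partial class SearchResults : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string term = Request.QueryString["q"] ?? string.Empty;

        // VULNERABLE: the raw value becomes part of the page, so markup or
        // <script> in the query string runs in the visitor's browser.
        // ResultsHeading.Text = "<h2>Results for: " + term + "</h2>";

        // SAFE: encode for the HTML body context before writing it out.
        ResultsHeading.Text = "<h2>Results for: " + HtmlBody(term) + "</h2>";

        // Server controls such as TextBox encode the value they render, which
        // is one reason to prefer them over building HTML from strings.
        SearchBox.Text = term;
    }

    // Encodes text for an HTML element body: < > & and " become entities.
    public static string HtmlBody(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Encodes text for a double-quoted attribute value; the caller adds the
    // quotes, e.g. "<a title=\"" + HtmlAttribute(v) + "\">".
    public static string HtmlAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value);
    }
}
```

Encoding must match the output context: the body encoder is not sufficient for a value placed inside a JavaScript block or a URL.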

4. Using user input as a file name

Developers often use a parameter to determine which file should be displayed to the end user, for example myPageGenerator.aspx?Template=apps/welcome.html.

When using this technique, the key is to ensure that the requested file is actually in the intended folder. Otherwise an attacker can modify the query string to read files that should not be accessible.

Attacker example: myPageGenerator.aspx?Template=../../boot.ini
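An added example (not from the article) of a loader that only serves files from a fixed template folder; the folder path and class name are assumptions:

```csharp
using System;
using System.IO;

// Added example, not code from the article. TemplateRoot is a hypothetical
// physical folder; in a page it would come from Server.MapPath("~/templates").
public static class TemplateLoader
{
    static readonly string TemplateRoot =
        Path.GetFullPath(@"C:\inetpub\wwwroot\templates") + Path.DirectorySeparatorChar;

    // VULNERABLE: the request decides the path. A value such as
    // "..\..\boot.ini" resolves outside the template folder.
    public static string LoadUnsafe(string requested)
    {
        return File.ReadAllText(Path.Combine(TemplateRoot, requested));
    }

    // SAFE: accept a bare file name only, resolve the final path, and verify
    // that it still lies under TemplateRoot after normalization.
    public static string Load(string requested)
    {
        if (string.IsNullOrEmpty(requested) ||
            requested.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            requested.Contains("/") || requested.Contains("\\") ||
            requested.Contains(".."))
        {
            throw new ArgumentException("invalid template name");
        }

        // GetFullPath collapses any remaining "." or ".." segments, so the
        // prefix check below is made on the path the file system will use.
        string full = Path.GetFullPath(Path.Combine(TemplateRoot, requested));
        if (!full.StartsWith(TemplateRoot, StringComparison.OrdinalIgnoreCase))
        {
            throw new UnauthorizedAccessException("template outside allowed folder");
        }

        return File.ReadAllText(full);
    }
}
```

Where the set of templates is known in advance, an explicit allow list of names (or an integer id mapped to a file server-side) is simpler and stricter than any path check.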

5. Storing sensitive data in cookies and hidden parameters

Developers often store information in cookies and hidden parameters. A cookie is a piece of information sent from the server to the client in an HTTP message header; hidden parameters are the names and values of hidden controls in HTML forms. Many Web servers use cookies to store session tokens and other session-related values.

Common errors include storing product prices, credit card numbers, account numbers and other key information in cookies and hidden parameters. Developers must remember that an attacker can easily modify cookies and hidden fields.
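An added example (not from the article) contrasting a price taken from a hidden field with a server-side lookup, plus cookie flags for a session token; the catalogue, field names and class are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example, not code from the article. The catalogue is constructed
// sample data standing in for a database lookup.
public static class Checkout
{
    static readonly Dictionary<int, decimal> Catalogue = new Dictionary<int, decimal>
    {
        { 101, 49.99m }, { 102, 199.00m }
    };

    // VULNERABLE: the price is read back from a hidden form field, so a user
    // who edits the field before submitting chooses their own price.
    public static decimal TotalUnsafe(HttpRequest request)
    {
        int qty = int.Parse(request.Form["qty"]);
        decimal price = decimal.Parse(request.Form["price"]);  // client-controlled
        return qty * price;
    }

    // SAFE: only the product id and quantity come from the client; the price
    // is looked up server-side and the quantity is range-checked.
    public static decimal Total(HttpRequest request)
    {
        int productId, qty;
        if (!int.TryParse(request.Form["productId"], out productId) ||
            !int.TryParse(request.Form["qty"], out qty) || qty < 1 || qty > 100)
            throw new ArgumentException("invalid order");

        decimal price;
        if (!Catalogue.TryGetValue(productId, out price))
            throw new ArgumentException("unknown product");

        return qty * price;
    }

    // A session token is the one thing that belongs in a cookie; mark it so
    // page script cannot read it and so it travels only over HTTPS.
    public static void IssueSessionCookie(HttpResponse response, string token)
    {
        var cookie = new HttpCookie("session", token) { HttpOnly = true, Secure = true };
        response.Cookies.Add(cookie);
    }
}
```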

6. Enabling debugging in the Web.config file

Several settings in the Web.config file control this. The application should not display detailed error information to the end user. Instead, it should display a "friendly" message stating that the website has encountered technical difficulties, without any technical details. Attackers can obtain a large amount of useful information from error messages, and enabling detailed error messages in an ASP.NET application is the biggest security issue of all.

The following table shows the valid settings:

 
Table 1

The description is taken from the default Web. config file generated by Visual Studio. Net.
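An added example (not from the article) of the corresponding Global.asax handler that logs the full exception server-side and shows visitors only a generic page; the log category and the Error.aspx page are assumptions:

```csharp
using System;
using System.Diagnostics;
using System.Web;

// Added example, not code from the article. The matching Web.config settings
// (real ASP.NET options) are:
//   <compilation debug="false" />
//   <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
// "RemoteOnly" keeps stack traces visible on localhost for developers and
// hides them from every remote client; "On" hides them from everyone.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Full details go to the server-side trace log only, never to the client.
        Trace.TraceError("Unhandled error for {0}{1}{2}",
            Request.RawUrl, Environment.NewLine, ex);

        // Clear the error so ASP.NET does not render its default "Server Error"
        // page with the stack trace, then send the friendly page instead.
        Server.ClearError();
        Response.Redirect("~/Error.aspx", false);
    }
}
```

The redirect passes false so the handler returns normally instead of throwing ThreadAbortException; Error.aspx itself must not include any exception text.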

Summary

Whether or not a security vulnerability is disclosed, attackers can still access your sensitive data, a fact that should concern the company, its shareholders and, most importantly, its customers. SPI Dynamics found that most companies are very cautious about the security of their own applications, and it seems that application security issues will remain the preferred target of attackers in the future.

Bkjia.com exclusive translation. For more information, see the source and author.
