Common security problems and solutions for ASP.

Source: Internet
Author: User
Tags: urlencode

1. CSRF

CSRF (Cross-Site Request Forgery, also known as "one-click attack" or session riding, usually abbreviated CSRF or XSRF) is a malicious use of a website. Detailed description: http://imroot.diandian.com/post/2010-11-21/40031442584

Example: the user lands on the attack site, which sends a request to the secure site.

Solution: Use @Html.AntiForgeryToken() in the view and add the [ValidateAntiForgeryToken] attribute to the action. When the cross-domain request is attempted again it fails with: "The required anti-forgery cookie "__RequestVerificationToken" is not present."

2. XSS

XSS (cross-site scripting) is abbreviated XSS rather than CSS so that it is not confused with Cascading Style Sheets (CSS).

Solution: There are three main contexts, HTML, JavaScript and URL, and input/output encoding has to be handled differently in each. For HTML use Server.HtmlEncode / Server.HtmlDecode; for URLs use Server.UrlEncode / Server.UrlDecode; for JavaScript use escape / unescape. Alternatively use the Anti-XSS library (http://www.microsoft.com/en-us/download/details.aspx?id=28589), whose methods for the HTML, JavaScript and URL contexts are HtmlEncode(string), JavaScriptEncode(string) and UrlEncode(string).

3. Direct object reference

Example: /bidding/rfprfi/detail?editid=xxx shows other companies' information directly. In Bidding -> Evaluation, a bid can be rated by entering /bidding/evaluation/savescope?proposalid=1603&pricescope=100&proscore=100&chs=100 directly in the address bar, which modifies the rating. The drop-down boxes in the MDI system are EasyUI controls bound to a hidden field in two parts, and the browser's debugging tools can be used to change the hidden field's value directly before it is submitted.

Solution: Add validation. For example: SELECT * FROM Rfprfi WHERE editid = xxx AND owner = CurrentUser.UserId. Verify that the user has permission to read and write this information.
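The ownership check for the /bidding/rfprfi/detail?editid=... case above, as an added example that is not code from the original post: the Rfprfi table with its editid and owner columns and the CurrentUser.UserId helper are taken from the post; the Rfprfi model class, the repository, the connection string placeholder and the [Authorize] wiring are assumptions.

```csharp
using System.Data.SqlClient;
using System.Web.Mvc;

// Minimal model of an Rfprfi row (assumed; the post names only the editid and owner columns).
public class Rfprfi { public int EditId { get; set; } public int Owner { get; set; } }

public class RfprfiRepository
{
    private readonly string _connectionString;
    public RfprfiRepository(string connectionString) { _connectionString = connectionString; }

    // The owner filter is part of the query itself, so a guessed editid that
    // belongs to another company simply returns no row.
    public Rfprfi FindForOwner(int editId, int ownerUserId)
    {
        const string sql = "SELECT editid, owner FROM Rfprfi WHERE editid = @editId AND owner = @owner";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Parameters keep both values out of the SQL text (no injection via editid).
            cmd.Parameters.AddWithValue("@editId", editId);
            cmd.Parameters.AddWithValue("@owner", ownerUserId);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                if (!reader.Read()) return null;
                return new Rfprfi { EditId = reader.GetInt32(0), Owner = reader.GetInt32(1) };
            }
        }
    }
}

public class RfprfiController : Controller
{
    // Connection string placeholder (assumed).
    private readonly RfprfiRepository _repo = new RfprfiRepository("<connection string>");

    // GET /bidding/rfprfi/detail?editid=123
    [Authorize]
    public ActionResult Detail(int editid)
    {
        // CurrentUser.UserId is the helper named in the post (assumed to exist).
        var item = _repo.FindForOwner(editid, CurrentUser.UserId);
        // 404 rather than 403, so the response does not confirm that another
        // company's record with this id exists.
        if (item == null) return HttpNotFound();
        return View(item);
    }
}
```

The same pattern applies to savescope: the proposalid has to be joined to the bids the current user is allowed to evaluate before any score is written.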
(This has to be done one by one for each piece of business logic, which is a large amount of work; recommended for late completion.)

4. DoS

Solution: Use an HttpModule to block an IP whose access rate is too high. For example code see my blog: http://www.2cto.com/kf/201307/226466.html. This approach handles DoS attacks launched from fixed IPs; if the attacker uses proxy IPs, other methods need to be considered. This point will be supplemented in a follow-up.

5. Transport layer not protected

Example: the login system's POST request transmits the account, LoginName and password in clear text.

Solution: Use HTTPS. (Payment is required.)

6. Brute-force password guessing

The current login and change-password functions have no limit on the number of failed attempts.

Solution: Consider adding new logic: when the number of incorrect entries per unit of time exceeds a threshold, the account is frozen. It can then be thawed by the company's admin, or by sending an application to Sunnet, which performs the thaw.

7. Data encryption

The login code is currently encrypted with DES. A login password is generally protected with one-way encryption, such as MD5. Data such as the invoice number and the location information of the pipeline is encrypted with DES and stored in the database.

8. Identity verification

Problem: Session-based authentication is currently used. If the session is hijacked or impersonated, the authentication mechanism is lost.

Solution: Use several layers of protection.

1. Use Forms authentication. The configuration file already contains the forms authentication node, <forms loginUrl="~/account/login" timeout="2880" />, but the code does not use it. After a successful login call System.Web.Security.FormsAuthentication.SetAuthCookie, on logout call System.Web.Security.FormsAuthentication.SignOut, and add a User.Identity.IsAuthenticated check in the BaseController.

2. Use Membership to create the authentication together with FormsAuthentication.

3. Consider using WCF to refine the validation mechanism.

4. Passport authentication (provided by Microsoft; charges apply).

9. Error handling

Problem: For security reasons, it should be assumed that at some point an uncaught exception will occur.

Solution:

1. Override the controller's OnException method:
    protected override void OnException(ExceptionContext filterContext)
    {
        // Mark the exception as handled so ASP.NET does not render its default error page.
        filterContext.ExceptionHandled = true;
        // Render the view for the current action instead (a dedicated error view can be named here).
        this.View("").ExecuteResult(filterContext.Controller.ControllerContext);
    }

2. Implement one or more exception handlers with the [HandleError] attribute. Especially important operations, such as marking an invoice paid, require finer-grained error handling.

10. CAS permissions

There is currently no control over code access security.

Solution:

1. Use specific permission classes to implement standard methods. For example, to strictly control file read permissions:

    using System.Security;
    using System.Security.Permissions;

    // FileIOPermission requires an absolute path; "xx.txt" is the post's placeholder.
    FileIOPermission iopermission = new FileIOPermission(FileIOPermissionAccess.Read, "xx.txt");
    try
    {
        iopermission.Demand(); // throws SecurityException if the caller lacks read permission
        // implementation
    }
    catch (SecurityException ex)
    {
        // handle the exception
    }

Or use the corresponding attribute: [FileIOPermission(SecurityAction.Demand, Read = "xx.txt")]

2. Code that requires Full Trust is stored in a separate assembly in the GAC, because all code in the GAC runs under Full Trust. The assembly can be added from the command prompt with sn or through tools. Once added, it can be referenced from the main program; it needs the AllowPartiallyTrustedCallers attribute for the partially trusted caller to get access.
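An added example (not the post's or the linked blog's code) of the freeze logic proposed for brute-force password guessing in item 6: a sliding-window failure counter that freezes a login name, with Unfreeze as the thaw step performed by the company admin or Sunnet. The same counter keyed by Request.UserHostAddress in an HttpModule's BeginRequest gives the per-IP blocker of item 4. The limits (5 failures per 15 minutes), the in-memory storage and the class names are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;

// Counts events per key inside a sliding time window. In-memory and per process,
// so a web farm would need a shared store (assumed out of scope here).
public class SlidingWindowCounter
{
    private readonly int _limit;
    private readonly TimeSpan _window;
    private readonly ConcurrentDictionary<string, Queue<DateTime>> _hits =
        new ConcurrentDictionary<string, Queue<DateTime>>();

    public SlidingWindowCounter(int limit, TimeSpan window) { _limit = limit; _window = window; }

    // Records one event and reports whether more than _limit events now fall inside the window.
    public bool RecordAndCheckExceeded(string key, DateTime now)
    {
        var q = _hits.GetOrAdd(key, _ => new Queue<DateTime>());
        lock (q)
        {
            q.Enqueue(now);
            while (now - q.Peek() > _window) q.Dequeue(); // forget hits older than the window
            return q.Count > _limit;
        }
    }

    public void Reset(string key) { Queue<DateTime> q; _hits.TryRemove(key, out q); }
}

// Freezes a login name after more than 5 failures within 15 minutes (limits assumed);
// a successful login clears the count, Unfreeze is the admin/Sunnet thaw.
public static class LoginAttemptGuard
{
    private static readonly SlidingWindowCounter PerAccount = new SlidingWindowCounter(5, TimeSpan.FromMinutes(15));
    private static readonly ConcurrentDictionary<string, bool> Frozen = new ConcurrentDictionary<string, bool>();

    public static bool IsFrozen(string loginName) { return Frozen.ContainsKey(loginName); }
    public static void RecordFailure(string loginName)
    {
        if (PerAccount.RecordAndCheckExceeded(loginName, DateTime.UtcNow)) Frozen[loginName] = true;
    }
    public static void RecordSuccess(string loginName) { PerAccount.Reset(loginName); }
    public static void Unfreeze(string loginName) { bool b; Frozen.TryRemove(loginName, out b); }
}
```

In the login action, check IsFrozen before validating the password, call RecordFailure on a bad password and RecordSuccess before FormsAuthentication.SetAuthCookie; the change-password action uses the same three calls.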