How to protect the ASP.net program

Source: Internet
Author: User

From a security point of view, ASP.NET is a great improvement over its predecessor. With this development platform, programmers can easily build user input validation, and the platform adds many features, such as locking down program functions. In addition, the .NET runtime supports garbage collection and secure string handling, which help prevent external attacks. A well-built, secure .NET program not only resists external attacks but also keeps garbage of every kind to a minimum.

However, no matter how polished ASP.NET's features are, it is not perfect where security is concerned. Security analyst H.D. Moore, who presented three fairly serious ASP.NET security holes in the ASP.NET session of the April CanSecWest conference, said these powerful features are worthless unless developers actually use them. Moore recommends the following simple security tips to protect your ASP.NET program.

Use a few simple settings

As a general rule, do not put anything on the web server casually, because that information becomes a clue for attackers. Only files whose extensions are mapped to the ASP.NET ISAPI handler, such as .aspx, .cs and .vb, protect themselves. Files with extensions such as .txt, .csv and .xml do not, and anyone who can reach the site can download them.

Be sure to remove tracing and debugging support before releasing any new program, and make sure the customErrors element in Web.config is not set to Off. These measures help prevent information about the program from being exposed, especially when the program fails, including file names, paths and possibly source code.

Also, be sure to clean up the program's paths before you publish a new program. Make sure the temporary files are removed from the Visual Studio project and program paths. The .sln and .slo files, which are not mapped to the ISAPI filter, are likely to be visible from the Internet because someone can guess the program's name, and that could lead to a serious attack.

Avoid cookieless session management

Moore noted in his talk that one of ASP.NET's notable drawbacks is the session hijacking attack that occurs in programs using the cookieless session management scheme. This scheme embeds the session identifier in every URL so that the server can identify each client. The problem is that when a server using this feature receives a session identifier it does not recognize but that is well-formed, it creates a usable session for it, so a clever attacker can exploit this flaw by posing as a legitimate user with a legitimate-looking session identifier and gain access to the system's contents.

This is an insidious attack, Moore said, because the URL does not look suspicious to the user; only the session ID is forged. He advises developers to avoid cookieless session management as much as possible until Microsoft removes the flaw.

Stay inside the sandbox

Sometimes the .NET managed runtime environment can itself be hit by buffer overflow attacks, Moore points out. This stems from problems such as the use of the StateServer class, and arbitrary calls into such unmanaged code sometimes give attackers a foothold.

Moore says that developers should confine themselves as far as possible to the managed "sandbox" API of .NET, because calling any unmanaged code carries significant risk. However, some special features are sometimes still needed, such as the techniques discussed below.

Validate, validate, validate

Despite the many outstanding new features, some traditional practices still apply in depth, such as user input validation. Developers should take full advantage of the powerful Validator feature, which can be extended from System.Web.UI.Validator. If you have never heard of .NET validators, read up on them yourself.

Use data type matching

When using a numeric field in a database program, be sure to convert the variable to the appropriate data type before using it. Doing so prevents SQL injection attacks, especially when a user enters a non-numeric value destined for the database. More importantly, the conversion failure can raise an alert or write to a log, which works very much like a small intrusion detection system.
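The two practices above, a custom validator control and typed database access that logs rejected input, as an added example that is not from the original article. IntegerRangeValidator, OrderRepository, the Orders table and the "Orders" connection string are hypothetical names; the base class BaseValidator is the real base class of the built-in ASP.NET validators.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

// Custom validator control (hypothetical name). It derives from BaseValidator, the
// base class of the built-in ASP.NET validators, accepts only a 32-bit integer
// within [Minimum, Maximum], and logs each rejection so bad input leaves a trace.
public class IntegerRangeValidator : BaseValidator
{
    public int Minimum { get; set; }
    public int Maximum { get; set; } = int.MaxValue;

    protected override bool EvaluateIsValid()
    {
        string raw = GetControlValidationValue(ControlToValidate);
        int value;
        bool ok = int.TryParse(raw, out value) && value >= Minimum && value <= Maximum;
        if (!ok)
        {
            // The "small intrusion detection" step: the form cannot produce a non-numeric
            // ID, so record who sent it (a System.Diagnostics trace listener is assumed).
            System.Diagnostics.Trace.TraceWarning(
                "Rejected input '{0}' for {1} from {2}",
                raw, ControlToValidate, Context.Request.UserHostAddress);
        }
        return ok;
    }
}

// Data access (hypothetical Orders table and "Orders" connection string).
public static class OrderRepository
{
    // Weak form this replaces:  "SELECT Total FROM Orders WHERE OrderId = " + Request["id"]
    // Here the parameter is typed int, so non-numeric text cannot even reach this method,
    // and the value travels as a typed SQL parameter, never as part of the SQL text.
    public static decimal GetOrderTotal(int orderId)
    {
        string cs = ConfigurationManager.ConnectionStrings["Orders"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT Total FROM Orders WHERE OrderId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = orderId;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == System.DBNull.Value ? 0m : (decimal)result;
        }
    }
}
```

On the page, register the control and attach it to the input with ControlToValidate, then call GetOrderTotal only after Page.IsValid is true.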

Further measures

If you install a web program on the operating system, it is best to use the settings in Web.config to run the program so that you can ensure authentication of the different users. In addition, you can use the network service manager to set the program's trust level, which further improves its security.
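The settings discussed above (error and trace disclosure, unmapped project files such as .sln, cookieless sessions, user authentication and trust level) collected into one hardened Web.config, as an added example that is not from the original article. It assumes ASP.NET 2.0 or later on IIS 7+; the Error.aspx and Login.aspx paths and the Medium trust level are placeholders for your own values.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Release build: debug="true" would send symbols and verbose stack traces to clients. -->
    <compilation debug="false" />
    <!-- Tracing off; with enabled="true" anyone could read request traces at trace.axd. -->
    <trace enabled="false" localOnly="true" />
    <!-- mode="Off" shows the raw exception (file names, paths, source lines) to remote users.
         RemoteOnly keeps those details on the server and sends clients a generic page. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- cookieless="UseUri" embeds the session ID in every URL, the scheme Moore warns about.
         Keep the ID in a cookie; regenerateExpiredSessionId makes the server issue a fresh ID
         rather than adopt an unknown one (ASP.NET 2.0+). -->
    <sessionState mode="InProc" cookieless="UseCookies" regenerateExpiredSessionId="true" timeout="20" />
    <!-- Authenticate users through the application and deny anonymous ("?") requests. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" protection="All" />
    </authentication>
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Run the application with a restricted code-access trust level (placeholder value). -->
    <trust level="Medium" />
  </system.web>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- .sln is not mapped to the ASP.NET handler and would be served as a plain file.
             Add any other extensions you do not want downloadable (IIS 7+ syntax). -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".sln" allowed="false" />
        </fileExtensions>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```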
