Security of ASP. net mvc applications, asp. netmvc

Source: Internet
Author: User


Securing a web application can seem tedious. This must-do task is rarely fun, but it cannot be skipped if you want to avoid embarrassing security vulnerabilities.

1. ASP.NET Web Forms developers

(1) Unlike ASP.NET Web Forms, ASP.NET MVC does not provide many automatic protection mechanisms that shield pages from malicious users, so read this section to understand the difference. Stated more clearly: ASP.NET Web Forms is designed to protect the application from attacks. For example:

1) Server controls HTML-encode the values and attributes they render, which helps prevent XSS attacks.

2) View state is encrypted and validated, which helps prevent tampering with submitted forms.

3) Request validation (<%@ Page ValidateRequest="true" %>) intercepts input that looks malicious and rejects it (this protection is also enabled by default in the MVC framework).

4) Event validation helps prevent injection attacks and the submission of invalid values.

(2) Moving to ASP.NET MVC means that handling these problems falls on the programmer's shoulders; for some people that is cause for panic, for others it is welcome.

(3) If you believe the framework "should handle this kind of thing", there is indeed a framework that handles it, and handles it well: ASP.NET Web Forms. The cost is losing some control to the abstraction layer that Web Forms introduces.

(4) ASP.NET MVC gives you more control over the markup, which means the programmer takes on more responsibility. To be clear, ASP.NET MVC still provides many built-in protections (for example, the HTML helper methods and Razor syntax HTML-encode output, and request validation is on by default).

2. ASP.NET MVC developers

(1) The main reason applications ship with security flaws is that developers lack sufficient information or understanding. We want to change that, but we also recognise that nobody is perfect and mistakes will always happen. With that in mind, remember the following tips.

1) Never trust any data provided by users.

2) When rendering data that originated as user input, HTML-encode it (and if the data is rendered as an attribute value, HTML-attribute-encode it).

3) Consider which parts of the site permit anonymous access and which require authenticated access.

4) Do not try to sanitize users' HTML input yourself; the attempt will fail.

5) Use HttpOnly cookies whenever client script does not need to access the cookie.

6) We strongly recommend using the AntiXss Library (www.codeplex.com/AntiXSS).

(2) At the same time, the application is built on the assumption that only specific users can perform certain operations and that other users cannot.
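As an added example (not the article's own code), the following C# controller and helpers apply tips 2, 3 and 5 above and the authorization assumption in (2) in ASP.NET MVC; the ProfileController, GreetingViewModel and "theme" cookie names are assumed for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Added example; names below are assumed, not from the article.
public class GreetingViewModel
{
    public string DisplayName { get; set; }   // untrusted: supplied by the user (tip 1)
    public string Bio { get; set; }           // untrusted: supplied by the user (tip 1)
}

public class ProfileController : Controller
{
    // Viewing a profile is an explicit anonymous-access decision (tip 3).
    [AllowAnonymous]
    public ActionResult Show(string displayName, string bio)
    {
        var model = new GreetingViewModel { DisplayName = displayName, Bio = bio };
        // In the Razor view, @Model.DisplayName is HTML-encoded automatically;
        // @Html.Raw(...) bypasses that and must never receive user input (tip 2).
        return View(model);
    }

    // Saving requires an authenticated user; [Authorize] fails closed (tip 3),
    // and the anti-forgery token blocks cross-site form submissions.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(GreetingViewModel model, string theme)
    {
        // Only accept known values rather than echoing arbitrary input into a cookie.
        string safeTheme = theme == "dark" ? "dark" : "light";

        // Client script never needs this cookie, so mark it HttpOnly: an XSS payload
        // cannot read it through document.cookie (tip 5). Secure when served over TLS.
        var cookie = new HttpCookie("theme", safeTheme)
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(cookie);
        return RedirectToAction("Show", new { displayName = model.DisplayName, bio = model.Bio });
    }
}

// Encoding helpers for places where Razor's automatic encoding is not in play.
// The same string needs different escaping in element content versus an attribute (tip 2).
public static class Untrusted
{
    public static string ForElementContent(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    public static string ForAttributeValue(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value ?? string.Empty);
    }
}
```

The attribute on Save only restricts who may post; which authenticated user may edit which profile is a separate check the action must make against the current identity.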


Note: The following sections explain how to use the security features of ASP.NET MVC to implement application features such as authorization, and then describe how to deal with common security threats.
