ASP.NET MVC security [note]

Source: Internet
Author: User
Tags: asp.net


1. Cross-site scripting (XSS)

1.1 Introduction

1.1.1 Passive injection: the attacker plants HTML, JavaScript or similar content in submitted data (forged links, image sources, redirects to other pages) and waits for the site to render it to other users.

1.1.2 Active injection: the attacker takes part in the attack directly, rather than waiting for an unlucky user to be tricked by planted content.


1.2 defense

1.2.1 HTML encoding

Html.Encode

1.2.2 HTML attribute encoding

Html.AttributeEncode

1.2.3 URL encoding

Url.Encode

1.2.4 JavaScript encoding

Ajax.JavaScriptStringEncode

1.2.5 CSS Encoding


1.3 Use the NuGet package of AntiXSS

Install-Package AntiXSS

1.3.1 AntiXSS uses a whitelist (it allows a known-safe set of characters and encodes everything else), while ASP.NET's default encoders use a blacklist (they encode only known-dangerous characters). AntiXSS is therefore more secure than the ASP.NET defaults.

1.3.2 AntiXSS is designed around preventing security vulnerabilities, whereas the ASP.NET defaults are designed around keeping the HTML page rendering correctly.

1.3.3 use

@using Microsoft.Security.Application

@Encoder.JavaScriptEncode(...)
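The encoders from 1.2 and 1.3 applied together, as an added example rather than code from the original note: an HtmlHelper extension (ProductCardHelper, an assumed name) that assembles one fragment of markup by hand and uses a different AntiXSS Encoder method for each output context. The /Search URL, the track() JavaScript function and the colour style are assumed for the demonstration.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;
using Microsoft.Security.Application;   // AntiXSS Encoder (Install-Package AntiXSS)

// Added example, not code from the original note: a helper that renders one product card
// and encodes each untrusted fragment for the exact context it is written into.
public static class ProductCardHelper
{
    public static IHtmlString ProductCard(this HtmlHelper html,
                                          string name, string searchTerm, string colour)
    {
        name = name ?? string.Empty;
        searchTerm = searchTerm ?? string.Empty;
        colour = colour ?? string.Empty;

        // 1. Element content: HTML encoding (1.2.1).
        string body = Encoder.HtmlEncode(name);

        // 2. Attribute value: HTML attribute encoding (1.2.2); quotes and spaces are escaped too.
        string titleAttr = Encoder.HtmlAttributeEncode(name);

        // 3. URL query value: URL-encode the value (1.2.3), then attribute-encode the whole
        //    href because the URL itself sits inside an HTML attribute.
        string href = Encoder.HtmlAttributeEncode("/Search?q=" + Encoder.UrlEncode(searchTerm));

        // 4. JavaScript string literal (1.2.4): AntiXSS JavaScriptEncode emits the surrounding
        //    single quotes itself and escapes every non-alphanumeric character as \xHH, so a
        //    closing </script> tag can never break out of the string.
        string jsName = Encoder.JavaScriptEncode(name);

        // 5. CSS value (1.2.5): CssEncode escapes every non-alphanumeric character as \HH,
        //    which is right for keyword values such as "red" but would mangle "#ff0000".
        //    A hex colour is therefore validated against a strict pattern and passed through;
        //    anything else is encoded.
        string css = Regex.IsMatch(colour, "^#[0-9a-fA-F]{6}$") ? colour : Encoder.CssEncode(colour);

        string markup =
            "<div class=\"product\" title=\"" + titleAttr + "\" style=\"color:" + css + "\">" +
                "<a href=\"" + href + "\">" + body + "</a>" +
                "<script>track(" + jsName + ");</script>" +
            "</div>";

        // HtmlString tells Razor not to encode the result again; that is only safe because
        // every untrusted fragment above has already been encoded or validated.
        return new HtmlString(markup);
    }
}
```

In a Razor view this renders as @Html.ProductCard(Model.Name, Model.Name, Model.Colour). Ordinary @ output in Razor is already HTML-encoded (since MVC 3), so a helper like this is only needed where markup is assembled by hand; the application-wide default encoder can also be switched to AntiXSS with <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" /> in web.config.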


2. Cross-Site Request Forgery (CSRF)

2.1 Introduction

An attacker forges a request to a bank or similar institution (a "confused deputy" scenario) through, for example, an image link on a web page. Many banks perform operations via GET requests whose URL is visible in the address bar, so the attacker can reproduce the same request; when a logged-in victim clicks on something that interests them, the browser sends that request to the bank and money is transferred to the attacker.

2.2 token Verification

Defend by verifying that the submitted data really originated from this site; in HTML this is done with a hidden form element carrying a token.

MVC

@Html.AntiForgeryToken() outputs an encrypted token value as a hidden form element.

When the form is submitted, an action filter verifies that the submitted token matches the one the server issued:

[ValidateAntiForgeryToken]

public ActionResult Register(...)

2.3 Idempotent GET requests

Modify data or content only through POST requests; this effectively defends against all such forgery attacks.

2.4 HttpReferrer verification

An action filter that checks the HTTP Referer header to prevent CSRF attacks:

using System.Web.Mvc;

public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
{
    // Runs before the action; AuthorizeAttribute exposes OnAuthorization, not OnAuthorize.
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext != null)
        {
            // No Referer header at all: reject the submission.
            if (filterContext.HttpContext.Request.UrlReferrer == null)
                throw new System.Web.HttpException("Invalid submission");

            // Referer host is not this site: reject the submission.
            if (filterContext.HttpContext.Request.UrlReferrer.Host != "mysite.com")
                throw new System.Web.HttpException("This form wasn't submitted from this site!");
        }
    }
}


Then add the custom filter on Register.


[IsPostedFromThisSite]
public ActionResult Register(...)
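The token, POST-only and referrer defences of this section combined in one controller, as an added example that is not from the original note. It assumes the IsPostedFromThisSiteAttribute filter shown above and a RegisterModel view model invented here; account creation itself is left out.

```csharp
using System.Web.Mvc;

// Added example (not from the original note). RegisterModel is an assumed view model
// holding only the fields the registration form is allowed to submit.
public class RegisterModel
{
    public string UserName { get; set; }
    public string Email { get; set; }
}

public class AccountController : Controller
{
    // GET only renders the form. It changes no state, so a forged GET is harmless
    // (the idempotent-GET rule above).
    [HttpGet]
    public ActionResult Register()
    {
        return View(new RegisterModel());
    }

    // POST performs the state change and stacks the three defences:
    //  - [HttpPost] refuses GET requests to this action entirely;
    //  - [ValidateAntiForgeryToken] checks the hidden __RequestVerificationToken field
    //    written by @Html.AntiForgeryToken() against the matching cookie;
    //  - [IsPostedFromThisSite] is the Referer-host filter defined above.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [IsPostedFromThisSite]
    public ActionResult Register(RegisterModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // ... create the account (omitted in this example) ...
        return RedirectToAction("Index", "Home");
    }
}
```

The matching view renders the form with @using (Html.BeginForm()) { @Html.AntiForgeryToken() ... } so that the hidden token field accompanies the POST. One caveat on the referrer check: browsers, proxies and privacy extensions frequently strip the Referer header, so that filter will also reject some legitimate users; treat the anti-forgery token as the primary defence and the referrer check as a secondary one.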


3. Cookie theft

3.1 Introduction

Use XSS to obtain the user's cookie, then use the user ID it carries to log on to the target site as that user.

3.2 Blocking with HttpOnly

Set in web.config (under <system.web>):

<httpCookies httpOnlyCookies="true" ... />

3.3 Setting HttpOnly on a single cookie

Response.Cookies["MyCookie"].HttpOnly = true;


4. Over-posting

4.1 Introduction

MVC's naming convention maps input element names to model properties. A malicious user can add extra fields to the query string or the submitted form for properties that exist on the model but that the user is not authorised to set, and so tamper with the form submission; in the worst case this can grant access to other accounts.

4.2 Use the Bind attribute to defend against over-posting. The Product model below maps only the Name and Age properties; other properties cannot be set from the request.

[Bind(Include = "Name,Age")]

public class Product {

......

}

4.3 When using UpdateModel, the overloads of UpdateModel and TryUpdateModel accept a bind list:

UpdateModel(product, "product", new string[] { "Name", "Age" });

4.4 Avoid binding directly to domain models

Use a view model.
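The over-posting problem and the three defences from 4.2 to 4.4 side by side, as an added example that is not from the original note. The Product class with its staff-only Price property, the ProductInputModel view model and the Save method are constructed for the demonstration; the Bind attribute is placed on the action parameter rather than on the class as in 4.2 (both forms restrict binding the same way).

```csharp
using System.Web.Mvc;

// Added example (not from the original note). Product is a constructed domain model;
// Price is a field staff may set but a public form must never be able to set.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
    public int Age { get; set; }
    public decimal Price { get; set; }
}

// 4.4: a view model exposes only what the form is allowed to set.
public class ProductInputModel
{
    public string Name { get; set; }
    public int Age { get; set; }
}

public class ProductController : Controller
{
    // VULNERABLE (the problem from 4.1): the default model binder fills every settable
    // property it can match, so a request that also carries "Price=0" (added to the form
    // or the query string) is honoured.
    [HttpPost]
    public ActionResult CreateUnsafe(Product product)
    {
        Save(product);
        return RedirectToAction("Index");
    }

    // 4.2: Bind Include restricts binding to the listed properties; Price and Id are
    // never read from the request.
    [HttpPost]
    public ActionResult CreateWithBind([Bind(Include = "Name,Age")] Product product)
    {
        Save(product);
        return RedirectToAction("Index");
    }

    // 4.3: explicit TryUpdateModel with an include list has the same effect, and lets
    // the action decide what to do when validation fails.
    [HttpPost]
    public ActionResult CreateWithUpdateModel()
    {
        var product = new Product();
        if (!TryUpdateModel(product, new[] { "Name", "Age" }))
            return View(product);

        Save(product);
        return RedirectToAction("Index");
    }

    // 4.4: bind to a view model and copy fields across by hand, so the binder never
    // touches the domain object at all. This is the most robust option, because adding
    // a property to Product later cannot silently widen what the form can set.
    [HttpPost]
    public ActionResult CreateWithViewModel(ProductInputModel input)
    {
        if (!ModelState.IsValid)
            return View(input);

        var product = new Product { Name = input.Name, Age = input.Age };
        Save(product);
        return RedirectToAction("Index");
    }

    // Persistence is out of scope for the example.
    private void Save(Product product)
    {
    }
}
```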


How can ASP.NET projects improve efficiency and security?

1. Do not develop with WebForms, which performs poorly; use the newer ASP.NET MVC framework instead.
2. Make full use of caching, such as Memcached, to reduce the number of database accesses.
3. Compress pages and reduce the number of JavaScript and CSS files.
4. For security, release compiled DLLs and do not write program logic at the page level. Using stored procedures not only improves efficiency but also reduces the risk of SQL injection. If you must use SQL statements, use parameterised queries of the following form:
   string sql = "select id, username, password from userinfo where username = @username and password = @password";
Reference: www.mikel.cn/?s=asp.net+%E6%80%A7%E8%83%BD
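The parameterised query from item 4 executed through SqlCommand, as an added example that is not from the original note; the connection string, the column sizes and the CredentialsMatch method name are assumed.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original note): the note's parameterised query, run with
// SqlCommand. Connection string and column sizes are assumptions for the demonstration.
public static class UserRepository
{
    public static bool CredentialsMatch(string connectionString, string username, string password)
    {
        const string sql =
            "select id, username, password from userinfo " +
            "where username = @username and password = @password";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // The values travel as typed parameters and are never spliced into the SQL
            // text, so quote characters or SQL keywords in the input are compared as
            // plain data rather than parsed as part of the statement.
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username ?? string.Empty;
            command.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password ?? string.Empty;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                // A row comes back only if both values matched a stored record.
                return reader.Read();
            }
        }
    }
}
```

The query keeps the note's shape and compares the password column directly; a production system would store a salted password hash and compare against that instead of the raw password.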

ASP.NET MVC workflow

I have drawn the following picture, which may help you.
