Practices that ASP.NET developers should always adhere to
If you are reading this article, you probably do not need to be told that security in Web applications is becoming more and more important. What you may need is some practical advice on how to implement security in an ASP.NET application. The bad news is that there is no development platform, ASP.NET included, that can guarantee that, once the platform is adopted, you will be able to write code that is one hundred percent secure. Anyone who says so is lying. The good news is that ASP.NET, especially version 1.1 and the upcoming release 2.0, integrates some built-in defensive barriers that are easy to use.
Applying all of these features alone is not enough to protect Web applications from every possible and foreseeable attack. However, combined with other defensive techniques and security policies, the built-in ASP.NET features make a powerful toolkit that helps ensure that applications run in a secure environment.
Web security is the sum of many factors and the result of a strategy that goes far beyond a single application, involving database management, network configuration, and awareness of social engineering and phishing.
The purpose of this article is to illustrate the practices that ASP.NET developers should always adhere to in order to maintain a reasonable level of security. This is the most important aspect of security: stay vigilant and never completely relax, making it increasingly difficult for the bad guys to mount an attack.
Let's look at what ASP.NET offers to simplify the job.
The source of the threat
In table 1, I summarize the most common types of web attacks and the flaws in the application that could lead to these attacks.
Attack                      | Possible cause
Cross-site scripting (XSS)  | Echoing untrusted user input back to the page
SQL injection               | Concatenating user input to form SQL commands
Session hijacking           | Guessing session IDs and stealing session ID cookies
One-click                   | Undetected HTTP POSTs made via script
Hidden-field tampering      | Unchecked (and trusted) hidden fields populated with sensitive data
Table 1. Common Web attacks
What are the key facts that emerge from the list? In my opinion, at least the following three points:
• Whenever you insert any user input into the markup your page sends to the browser, you potentially expose yourself to code injection attacks (SQL injection and XSS in all their variants).
• Database access must be implemented in a secure manner, that is, using the fewest permissions possible for the database and separating the responsibilities of individual users through roles.
• Never send sensitive data over the network (let alone in plaintext), and store sensitive data on the server in a secure manner.
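To make the first and third points concrete, here is an added example (not code from the original article) that shows, for three rows of Table 1, the flawed pattern next to the ASP.NET 1.1 facility that closes it: a concatenated SQL statement next to a parameterized SqlCommand, an unencoded echo of user input next to HttpUtility.HtmlEncode, and a hidden price field next to a server-side lookup that never reads it. The class, method names, the Users table and the catalog contents are assumptions made for the illustration.

```csharp
// Added example, not from the original article. Names (UserInputHandling,
// BuildLookupUnsafe, BuildLookupSafe, RenderGreeting*, PriceFor, the Users table
// and the catalog entries) are assumptions for illustration only.
using System;
using System.Collections;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public class UserInputHandling
{
    // FLAWED (Table 1, "SQL injection"): the user-supplied value becomes part
    // of the SQL text, so the input can change what the statement does.
    public static string BuildLookupUnsafe(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // HARDENED: the SQL text is fixed at compile time; the input travels as a
    // typed parameter and cannot alter the statement's structure.
    public static SqlCommand BuildLookupSafe(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT Email FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // FLAWED (Table 1, "Cross-site scripting"): the input is echoed verbatim,
    // so any markup it carries is rendered by the browser as part of the page.
    public static string RenderGreetingUnsafe(string userName)
    {
        return "<p>Welcome, " + userName + "</p>";
    }

    // HARDENED: encode before echoing; '<', '>', '&' and '"' become entities
    // and the browser shows them as text rather than interpreting them.
    public static string RenderGreetingSafe(string userName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }

    // Constructed sample catalog standing in for the server-side price source.
    private static readonly Hashtable Catalog = new Hashtable();
    static UserInputHandling()
    {
        Catalog["SKU-1"] = 19.99m;
        Catalog["SKU-2"] = 4.50m;
    }

    // HARDENED (Table 1, "Hidden-field tampering"): the price that came back in
    // a hidden field is never consulted; only the product id is taken from the
    // request and the price is re-derived from the server-side catalog.
    public static decimal PriceFor(string productId)
    {
        object price = Catalog[productId];
        if (price == null)
        {
            throw new ArgumentException("Unknown product id", "productId");
        }
        return (decimal)price;
    }

    public static void Main()
    {
        // Constructed sample input: a name carrying a markup fragment.
        string sample = "<b>Bob</b>";
        Console.WriteLine(RenderGreetingUnsafe(sample));
        Console.WriteLine(RenderGreetingSafe(sample));
        Console.WriteLine(BuildLookupUnsafe("O'Neil"));
        Console.WriteLine(PriceFor("SKU-1"));
    }
}
```

Running Main shows the contrast directly: the unsafe greeting keeps the bold tags intact, the safe one turns them into entities, and the concatenated lookup already breaks on a perfectly legitimate name containing an apostrophe, which is the same defect an attacker would exploit. The parameterized command handles that name without any escaping on the developer's part.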