OWASP Top 10 Security Issues
Injection
Issue every SQL statement in parameterized form (parameterized SQL statements, never string concatenation).
Verify all input: client-side verification + server-side verification.
Database operation authorization (the database account only gets the rights the application needs).
For each input field, verify that the entered string is allowed.
Cross-site scripting (XSS)
Input parameters: filter with Microsoft's Anti-XSS component.
Strings output into HTML elements of the interface: encode with Microsoft's Anti-XSS component.
SRE (Security Runtime Engine) HttpModule in automatic mode.
Broken authentication and session management
Unknown
Insecure direct object references
Business object table: technical primary key ID (int) + external reference ID (GUID).
Application layer: add a Hashtable (GUID --> int) as a global cache of the mappings, so the client only ever sees the GUID.
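An added example of the indirect reference map sketched above (not code from the original post): the int technical key stays server-side, the client only receives the GUID, and an unknown or tampered value is rejected before it reaches the database. The class and the surrounding usage names are hypothetical; the lookup does not replace the per-user ownership check, which still has to happen when the record is loaded.

```csharp
using System;
using System.Collections.Concurrent;

// Hypothetical global cache of GUID <-> int mappings for one business object type.
public sealed class ReferenceMap
{
    // External GUID handed to the client -> internal int primary key.
    private readonly ConcurrentDictionary<Guid, int> _toInternal =
        new ConcurrentDictionary<Guid, int>();
    // Internal int primary key -> external GUID, so a record keeps one stable reference.
    private readonly ConcurrentDictionary<int, Guid> _toExternal =
        new ConcurrentDictionary<int, Guid>();

    // Called when a record is created or first loaded; reuses the existing GUID if present.
    public Guid Register(int internalId)
    {
        return _toExternal.GetOrAdd(internalId, id =>
        {
            Guid external = Guid.NewGuid();
            _toInternal[external] = id;
            return external;
        });
    }

    // Resolves a client-supplied reference (e.g. a query-string value).
    // Returns false for anything that is not a GUID or was never issued,
    // so a guessed or edited value never becomes a database key.
    public bool TryResolve(string externalRef, out int internalId)
    {
        internalId = 0;
        Guid external;
        return Guid.TryParse(externalRef, out external)
            && _toInternal.TryGetValue(external, out internalId);
    }
}

// Usage inside a page or handler (all names hypothetical):
//   int orderId;
//   if (!GlobalCache.Orders.TryResolve(Request.QueryString["ref"], out orderId))
//   {
//       Response.StatusCode = 404;   // unknown reference: do not reveal whether it exists
//       return;
//   }
//   Order order = OrderRepository.Load(orderId, currentUserId); // ownership still enforced here
```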
Cross-site request forgery (CSRF)
Use Microsoft's Anti-CSRF component to filter every POST request.
Security misconfiguration (new)
Encrypt the sensitive sections of Web.config from the command line.
Insecure cryptographic storage
Symmetric encryption combined with random password/salt parameters.
Failure to restrict URL access
Use the MembershipProvider component provided by .NET to implement URL protection,
in conjunction with the allow/deny keywords in Web.config.
Or
Write a BasePage that every .aspx page inherits from, and determine each page's permissions there.
Insufficient transport layer protection
Verification pages: SSL, HttpOnly cookies.
Unvalidated redirects and forwards (new)
Verify the validity of each URL before redirecting or forwarding to it.