Writing to ASP.NET programmers: security issues in websites

Source: Internet
Author: User

I have been working on this project for a while and the program has run into quite a few security issues, so it is worth summarizing them. The project is a CMS system built on ASP.NET. During development we found that Microsoft has already implemented many security measures, but some newer programmers do not know how to enable them. A brief introduction follows:

1. SQL Injection
2. XSS
3. CSRF
4. File Upload

SQL Injection

Cause: this problem actually exists on many websites: the program concatenates user input directly into the SQL statement. Some readers may not follow, so here is the user authentication at logon as an illustration:

SQL statement during verification:

Logon verification SQL statement (original)
"Select * From [table] Where User = '" + TxtUserName.Text + "' And PWD = '" + TxtPwd.Text + "'"

([table] stands in for the table name, which is missing from the original page.)

This statement looks the user up in the database and checks the user name and password.

It looks fine, but there is a hidden problem. Suppose the user name is Admin and the password is Admin:

Logon verification SQL statement (actual)
Select * From [table] Where User = 'Admin' And PWD = 'Admin'

If the user and password are correct, the login is verified. Now suppose my user name is ASDF' or 1=1 -- and the password is anything at all.

Let's look at the statement:

Logon verification SQL statement (injected)
Select * From [table] Where User = 'ASDF' Or 1 = 1 -- And PWD = ''

What happens after it executes? Everything after -- is a comment, so the condition is always true. If the program simply checks whether any records came back, this passes verification.

If the connection runs as the sa user, a system administrator can be added through xp_cmdshell and the server is taken down.

Solution:

A. The problem is caused by special characters being passed in. We can filter the special characters out of the entered user name and password.

B. It can also be solved by passing the values as parameters to a stored procedure (note: do not concatenate strings inside the stored procedure either, otherwise it is no better than having no stored procedure at all).
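As an added example (not code from the original post), here is the concatenated login query beside a parameterized version and a stored-procedure version. The table name Users, the procedure name usp_CheckLogin and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    // Vulnerable (the pattern from the post): user name and password are spliced into
    // the SQL text, so the input  ASDF' or 1=1 --  turns the WHERE clause into "always true".
    public static string BuildVulnerableQuery(string user, string pwd)
    {
        return "Select * From Users Where [User] = '" + user + "' And PWD = '" + pwd + "'";
    }

    // Fixed: the SQL text is constant and the values travel as typed parameters,
    // so a quote or a comment marker in the input stays plain data.
    // (Assumed table Users; the post compares PWD directly, a real system stores a hash.)
    public static bool IsValidLogin(string connectionString, string user, string pwd)
    {
        const string sql = "Select Count(*) From Users Where [User] = @user And PWD = @pwd";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 100).Value = pwd;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    // Solution B from the post: the stored procedure (assumed name usp_CheckLogin) must use
    // @user and @pwd directly in its WHERE clause, never build a dynamic string from them.
    public static bool IsValidLoginViaProc(string connectionString, string user, string pwd)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("usp_CheckLogin", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@user", user);
            cmd.Parameters.AddWithValue("@pwd", pwd);
            conn.Open();
            return Convert.ToInt32(cmd.ExecuteScalar()) == 1;
        }
    }
}
```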

XSS (Cross-Site Scripting)

Cause: this is sometimes called HTML injection. The principle is similar to SQL injection: special characters in the input are not handled, so a user can submit HTML tags and change how the website is rendered. In fact, ASP.NET web pages enable the validateRequest attribute by default, and .NET checks every submitted value for HTML tags.

However, if the resulting exception is thrown straight at the user, the user experience is poor.

Solution:

A. Set validateRequest="false" in the page directive or the configuration section to disable request validation, then HTML-encode the data the user submitted before displaying it. After encoding the problem no longer occurs (the ASP.NET encoding method is Server.HtmlEncode(string)).

B. The second method is to filter out special characters. This is not recommended: if a user legitimately wants to enter a less-than sign (<), it is filtered out too.
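An added example (not code from the original post) of solution A: a page with request validation turned off that encodes the user's text for each output context it lands in. The page and control names (CommentPage, txtName, btnPost, litGreeting) are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Markup side (assumed), with validation off for this page as the post describes:
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="CommentPage" %>
//   <asp:TextBox ID="txtName" runat="server" />
//   <asp:Button ID="btnPost" runat="server" Text="Post" OnClick="btnPost_Click" />
//   <asp:Literal ID="litGreeting" runat="server" />
public partial class CommentPage : Page
{
    // For element content: <script> becomes &lt;script&gt; and is displayed, not executed.
    // Same as Server.HtmlEncode from the post.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // For a double-quoted attribute value: a quote in the input would otherwise
    // close the attribute and let the rest of the input add new attributes.
    public static string ForAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    protected void btnPost_Click(object sender, EventArgs e)
    {
        // Raw input: with ValidateRequest="false" it may contain tags and quotes.
        string name = txtName.Text;

        // Each fragment is encoded for the context it is placed in, so the same
        // input is harmless both inside the title attribute and as visible text.
        litGreeting.Text = "<span title=\"" + ForAttribute(name) + "\">"
                         + ForHtmlBody(name) + "</span>";
    }
}
```

Filtering (solution B) would silently drop a legitimate "<" in the name; encoding keeps it and shows it as typed.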

CSRF (Cross-Site Request Forgery)

Cause: I personally think CSRF is especially easy to pull off where Ajax is used, because an action can be carried out by a user who is already authenticated without that user knowing; this is also called browser hijacking. Once you have passed a website's verification, everything you do on the site is done in your role. For example, an administrator can add other users to the management group; but if someone constructs a link that adds an administrator and the administrator clicks it, the same operation is performed.

Solution:

Add a verification code or a session token to requests that modify information (ASP.NET also provides an automatic defense: the page property ViewStateUserKey. Set its value in Page_Init: this.ViewStateUserKey = Session.SessionID).
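An added example (not code from the original post): a base page class that applies the ViewStateUserKey defense from the post to every page inheriting from it, plus the session-token variant for requests that do not go through ViewState, such as Ajax posts. The class, field and header names are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.UI;

public class SecurePage : Page
{
    private const string TokenKey = "__CsrfToken";   // assumed hidden-field / session key

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Ties the ViewState MAC to this session, so a ViewState captured or forged for
        // another session fails validation on postback. Requires EnableViewStateMac (the default).
        // Note: SessionID is only stable once something is stored in the session.
        ViewStateUserKey = Session.SessionID;
    }

    // Returns the session's token, creating it on first use. Render it into a hidden
    // field named __CsrfToken, or send it in an X-CSRF-Token header from Ajax calls.
    protected string GetCsrfToken()
    {
        string token = Session[TokenKey] as string;
        if (token == null)
        {
            byte[] bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
            token = Convert.ToBase64String(bytes);
            Session[TokenKey] = token;
        }
        return token;
    }

    // Call at the top of every handler that modifies data (e.g. "add administrator").
    // A link or form forged on another site cannot know the value stored in this session.
    protected void RequireCsrfToken()
    {
        string expected = Session[TokenKey] as string;
        string supplied = Request.Form[TokenKey] ?? Request.Headers["X-CSRF-Token"];
        if (expected == null || supplied == null || !FixedTimeEquals(expected, supplied))
            throw new HttpException(403, "Request rejected: missing or invalid CSRF token.");
    }

    // Constant-time comparison so the check does not leak how many characters matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```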

File Upload

Cause: if your website uses an online editor such as FCKeditor or eweb and you have not locked down file upload, the website will be tampered with very soon after it goes live.

Solution:

Set a session flag at login that records whether the user may upload files. FCKeditor has in fact already written this: in the verification function CheckAuthentication(), the following line is commented out:

CheckAuthentication()
return (Session["IsAuthorized"] != null && (bool)Session["IsAuthorized"] == true);

Uncomment it. Then, on a successful login:

Successful login code
Session["IsAuthorized"] = true;

That is all it takes.

If the website does not need to browse files already uploaded to the server, delete the browser directory under FCKeditor's editor/filemanager folder.
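An added example (neither the original post's nor FCKeditor's code) of an upload handler that makes the same session check as CheckAuthentication() and then restricts what it accepts: allowed extensions, a size limit, a magic-number check on the content, a server-chosen file name, and storage under App_Data, which IIS does not serve. The handler name, field name and directory are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

public class SafeUploadHandler : IHttpHandler, IRequiresSessionState
{
    static readonly string[] AllowedExtensions = { ".jpg", ".jpeg", ".png", ".gif" };
    const int MaxBytes = 2 * 1024 * 1024;

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext ctx)
    {
        // Same flag the post sets at login and FCKeditor's CheckAuthentication() tests.
        object flag = ctx.Session["IsAuthorized"];
        if (flag == null || !(bool)flag) { ctx.Response.StatusCode = 403; return; }

        HttpPostedFile file = ctx.Request.Files["upload"];   // assumed form field name
        if (file == null || file.ContentLength == 0 || file.ContentLength > MaxBytes)
        { ctx.Response.StatusCode = 400; return; }

        // Extension whitelist AND content check: a script renamed to .jpg fails the second.
        string ext = Path.GetExtension(file.FileName).ToLowerInvariant();
        if (Array.IndexOf(AllowedExtensions, ext) < 0 || !LooksLikeImage(file.InputStream))
        { ctx.Response.StatusCode = 415; return; }

        // Server-chosen name: the client's file name never reaches the file system.
        string name = Guid.NewGuid().ToString("N") + ext;
        string dir = ctx.Server.MapPath("~/App_Data/uploads");   // assumed; not served by IIS
        Directory.CreateDirectory(dir);
        file.SaveAs(Path.Combine(dir, name));
        ctx.Response.ContentType = "text/plain";
        ctx.Response.Write(name);
    }

    // Compares the first bytes with the JPEG, PNG and GIF signatures.
    static bool LooksLikeImage(Stream s)
    {
        byte[] h = new byte[8];
        int n = s.Read(h, 0, h.Length);
        s.Position = 0;   // leave the stream where SaveAs expects it
        if (n >= 3 && h[0] == 0xFF && h[1] == 0xD8 && h[2] == 0xFF) return true;                 // JPEG
        if (n >= 8 && h[0] == 0x89 && h[1] == 0x50 && h[2] == 0x4E && h[3] == 0x47) return true; // PNG
        if (n >= 6 && h[0] == 0x47 && h[1] == 0x49 && h[2] == 0x46 && h[3] == 0x38) return true; // GIF
        return false;
    }
}
```

Files under App_Data are not reachable by URL, so a separate handler that streams them with a fixed image Content-Type is needed to display them.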
