I have been working on this project for some time and have run into many security problems in the program, so it is worth summarizing them. The project is a CMS built on ASP.NET. During development we found that Microsoft has implemented many security measures, but some new programmers do not know how to enable them. The following is a brief introduction to four classes of problem:
1. SQL Injection
2. XSS
3. CSRF
4. File Upload
SQL Injection
Cause:
This problem exists in many websites: the SQL statement is built by concatenating user input directly into the query string in the program. Some readers may not recognise it, so here is a description of user authentication during login.
The SQL statement used for verification (the table name has been left out of the statement):
select * from where user='"+txtUsername.Text+"' and pwd='"+txtPwd.Text+"'
This queries the user from the database and verifies the user name and password.
It seems harmless, but there is a hidden problem. With username admin and password admin the statement becomes:
select * from where user='admin' and pwd='admin'
If the user name and password are correct, the user is verified. Now suppose the user name is asdf' or 1=1 -- and the password is anything at all.
Let's look at the statement:
select * from where user='asdf' or 1=1 -- and pwd=''
What happens after execution? The -- comments out the remainder of the statement, including the password check, and or 1=1 is true for every row, so every user is returned. If the program simply checks that the number of returned records is greater than zero, this input passes verification.
If the statement executes as the sa login, the attacker can go further and add an operating-system administrator through xp_cmdshell, and the server is taken over.
Solution:
A. The problem is caused by special characters in the input. One approach is to filter special characters (such as the single quote) out of the entered user name and password. On its own this is a weak defence: it is easy to miss a character, and it breaks legitimate values such as names containing an apostrophe.
B. The proper fix is to pass the values as parameters instead of concatenating them, either to a parameterized command or to a stored procedure. Note that the stored procedure itself must not concatenate its parameters into a dynamic statement; otherwise it is exactly as injectable as the original code.
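As an added example (not code from the original project), here is the login check written with parameters instead of concatenation, beside the vulnerable version for contrast. The column names follow the statement above; the Users table, the stored procedure dbo.usp_CheckLogin, the connection string and the plaintext pwd column (kept as on the page; real code compares a salted hash) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumes a table Users([user], pwd) and a stored procedure dbo.usp_CheckLogin
// taking the same two parameters; both names and the connection string are assumptions.
public static class LoginCheck
{
    // VULNERABLE (the original pattern): user input becomes part of the SQL text.
    // Input asdf' or 1=1 -- turns the WHERE clause into  [user]='asdf' or 1=1 -- and pwd='...'
    public static string BuildVulnerableSql(string user, string pwd)
    {
        return "select * from Users where [user]='" + user + "' and pwd='" + pwd + "'";
    }

    // SAFE: the same check as a parameterized command. The SQL text is a constant; the
    // values travel separately, so a quote or "--" inside them is only data to compare.
    public static bool IsValidUser(string connectionString, string user, string pwd)
    {
        const string sql = "select count(*) from Users where [user] = @user and pwd = @pwd";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters with an explicit length matching the columns.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 100).Value = pwd;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the same check through a stored procedure, as solution B describes.
    public static bool IsValidUserViaProc(string connectionString, string user, string pwd)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.usp_CheckLogin", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 100).Value = pwd;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    /* The procedure is only safe if it avoids concatenation too (assumed T-SQL):

       -- SAFE: the parameters are compared as values
       CREATE PROCEDURE dbo.usp_CheckLogin @user NVARCHAR(50), @pwd NVARCHAR(100) AS
           SELECT COUNT(*) FROM Users WHERE [user] = @user AND pwd = @pwd;

       -- UNSAFE: this rebuilds the injectable string inside the database, so
       -- asdf' or 1=1 -- works exactly as it did against the concatenated C# string
       CREATE PROCEDURE dbo.usp_CheckLoginBad @user NVARCHAR(50), @pwd NVARCHAR(100) AS
           EXEC('SELECT COUNT(*) FROM Users WHERE [user]=''' + @user + ''' AND pwd=''' + @pwd + '''');
    */
}
```

Calling IsValidUser(cs, "asdf' or 1=1 --", "x") returns false, because the database looks for a user literally named asdf' or 1=1 --; BuildVulnerableSql with the same input shows the string the original code would have sent.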
XSS (Cross-Site Scripting)
Cause:
This is also sometimes called HTML injection. Like SQL injection, it comes from not handling special characters: a user can submit HTML tags (including <script>) that are later rendered into the page, which lets them reshape the site or run script in other visitors' browsers. In fact, the ValidateRequest attribute is enabled on ASP.NET pages by default, and .NET checks every submitted value for HTML tags.
However, the check rejects the request by throwing an HttpRequestValidationException, and if that exception is shown directly to the user, the user experience is poor.
Solution:
A. Set ValidateRequest="false" in the @ Page directive (or in the <pages> element of the configuration) to disable request validation, and then HTML-encode the data submitted by the user before it is written into the page. After encoding, < and > become &lt; and &gt; and are displayed as text instead of being parsed as tags, so the problem does not occur. The ASP.NET encoding method is Server.HtmlEncode(string). Two notes: on ASP.NET 4.0 and later the per-page setting only takes effect with <httpRuntime requestValidationMode="2.0" /> in web.config, and HtmlEncode is the right encoder only for text placed in the HTML body; values placed inside attributes, URLs or JavaScript strings need the encoder for that context.
B. The second method is to filter out special characters. This is not recommended: a legitimate less-than sign in ordinary text (for example a number smaller than 10 written as < 10) is filtered out as well, and a blacklist of characters is easy to bypass.
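The encoding approach from solution A, as an added example rather than code from the original CMS. It goes slightly beyond the text by showing the encoder for each output context, not just the HTML body. The page directive and web.config lines are shown in comments; the control names txtComment and litComment are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example. Request validation is switched off for this page only:
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="CommentPage" %>
// and on ASP.NET 4.0+ web.config additionally needs:
//   <system.web><httpRuntime requestValidationMode="2.0" /></system.web>
public static class OutputEncoding
{
    // HTML body: tags survive as visible text instead of being parsed.
    //   "<script>alert(1)</script>"  ->  "&lt;script&gt;alert(1)&lt;/script&gt;"
    //   "5 < 10"                     ->  "5 &lt; 10"   (kept readable, unlike a '<' filter)
    public static string ForHtml(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput ?? string.Empty);
    }

    // Attribute value: quotes must be neutralised as well, or the value can close
    // the attribute and start a new one.
    //   "x\" onmouseover=\"alert(1)"  ->  "x&quot; onmouseover=&quot;alert(1)"
    public static string ForAttribute(string userInput)
    {
        return HttpUtility.HtmlAttributeEncode(userInput ?? string.Empty);
    }

    // JavaScript string literal, e.g. var name = '...'; HtmlEncode is wrong here
    // because the browser's script parser never sees HTML entities.
    //   "</script><script>alert(1)</script>"
    //     -> "\u003c/script\u003e\u003cscript\u003ealert(1)\u003c/script\u003e"
    public static string ForJavaScript(string userInput)
    {
        return HttpUtility.JavaScriptStringEncode(userInput ?? string.Empty);
    }
}

// Code-behind of the hypothetical comment page (controls declared here instead of a designer file).
public class CommentPage : Page
{
    protected TextBox txtComment;
    protected Literal litComment;

    protected void btnPost_Click(object sender, EventArgs e)
    {
        // Server.HtmlEncode and HttpUtility.HtmlEncode are the same encoder;
        // the Literal renders its Text verbatim, so it must receive encoded text.
        litComment.Text = Server.HtmlEncode(txtComment.Text);
    }
}
```

Encode at output time, in the context where the value lands, rather than once at input time: the same comment may later be placed in an attribute or a script block, where the body encoding is insufficient.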
CSRF (Cross-Site Request Forgery)
Cause: I think CSRF is especially convenient to carry out against Ajax-style requests, because an attacker can make your browser perform operations as the user you are authenticated as without your knowledge; this is also known as browser hijacking. Once you have passed a website's verification, your browser attaches the session cookie to every request to that site, so any request it sends runs in your role. For example, an administrator can add other users to the management group; if someone constructs a link that adds an administrator and the administrator clicks it while logged in, the operation is carried out.
Solution:
Add a verification code (CAPTCHA) or a session-bound token to every request that modifies information. For Web Forms postbacks ASP.NET provides an automatic defence, the page property ViewStateUserKey: set it in Page_Init with this.ViewStateUserKey = Session.SessionID;. The view state MAC then includes the session ID, so a forged postback submitted from another site fails view state validation. Two caveats: it protects only postbacks (plain GET links and Ajax handlers need their own token check), and the SessionID of a session with nothing stored in it is regenerated on every request, so store a value in Session at login before relying on it.
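Both halves of that solution as an added example (not code from the original project): a base page that sets ViewStateUserKey as described, and a per-session token for the Ajax case the text mentions, which view state does not cover. The class names, the X-CSRF-Token header and the AddAdmin handler are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

// Added example; names are hypothetical.

// 1. Web Forms postbacks: tie the view state MAC to the session (needs EnableViewStateMac,
//    which is on by default). Pages derive from SecurePage instead of Page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // Must be set before Init completes so it is mixed into the view state MAC.
        // Something must already be stored in Session (e.g. at login); the SessionID of
        // an empty session changes on every request and the key would never match.
        ViewStateUserKey = Session.SessionID;
        base.OnInit(e);
    }
}

// 2. Ajax and other non-postback requests: a random per-session token the page embeds
//    (for example in a JavaScript variable) and every state-changing handler checks.
public static class CsrfToken
{
    private const string SessionKey = "CsrfToken";

    public static string GetOrCreate(HttpSessionState session)
    {
        var token = session[SessionKey] as string;
        if (token == null)
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
            token = Convert.ToBase64String(bytes);
            session[SessionKey] = token;
        }
        return token;
    }

    public static bool IsValid(HttpSessionState session, string submitted)
    {
        var expected = session[SessionKey] as string;
        if (expected == null || submitted == null || expected.Length != submitted.Length)
            return false;
        // Constant-time compare so timing does not leak the token one character at a time.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ submitted[i];
        return diff == 0;
    }
}

// Hypothetical handler behind /admin/AddAdmin.ashx. A cross-site <img> or link can only
// produce a GET without the header, and a cross-site form cannot read the token to send it.
public class AddAdminHandler : IHttpHandler, IRequiresSessionState
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        var req = context.Request;
        var authorized = context.Session["IsAuthorized"] as bool? ?? false;
        if (!authorized)
        {
            context.Response.StatusCode = 401;
            return;
        }
        if (req.HttpMethod != "POST" || !CsrfToken.IsValid(context.Session, req.Headers["X-CSRF-Token"]))
        {
            context.Response.StatusCode = 403;
            return;
        }
        // Only now perform the privileged action (adding the administrator) ...
    }
}
```

The page that issues the Ajax call renders CsrfToken.GetOrCreate(Session) into the script and sends it back in the X-CSRF-Token header; the handler's method check also rules out the "constructed link" case from the cause section, since a link can only trigger a GET.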
File Upload
Cause:
If your website uses an online editor such as FCKeditor or eWeb and you have not secured its file upload, the website will be tampered with soon after it goes online: the editor's upload connector is reachable by anyone, so an attacker can upload files of their choosing and replace pages.
Solution:
Add a session flag at login recording whether the user is allowed to upload files. FCKeditor already has this written: in the connector's CheckAuthentication() function, uncomment the line
return ( Session["IsAuthorized"] != null && (bool)Session["IsAuthorized"] == true );
and, after a successful login, set
Session["IsAuthorized"] = true;
That is enough for the connector to refuse uploads from anyone who is not logged in. Also restrict the allowed upload extensions in the connector configuration, since an authenticated account that can upload .aspx files can still plant a web shell.
If the website does not need to browse files already uploaded to the server, delete the browser directory under fckeditor/editor/filemanager so the file listing is not exposed.
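The session flag and the connector check gathered into one helper, as an added example rather than the CMS's own code, with an extension allow-list added as the second check the text recommends. It assumes the login page has already validated the credentials (as in the login example earlier); the helper name, the Editor role and the extension list are assumptions.

```csharp
using System;
using System.IO;
using System.Web;
using System.Web.SessionState;

// Added example. Plugs into FCKeditor's ASP.NET connector config
// (editor/filemanager/connectors/aspx/config.ascx); names and the allow-list are assumptions.
public static class UploadAuthorization
{
    private const string Flag = "IsAuthorized";

    // Call after a successful login. Only accounts that need the editor get the flag;
    // storing it also makes the session ID stable for the ViewStateUserKey check.
    public static void Grant(HttpSessionState session, bool canUpload)
    {
        session[Flag] = canUpload;
    }

    // Call on logout so a reused session cannot keep uploading.
    public static void Revoke(HttpSessionState session)
    {
        session.Remove(Flag);
        session.Abandon();
    }

    // The body FCKeditor ships commented out in CheckAuthentication(), as the text describes.
    public static bool IsAuthorized(HttpSessionState session)
    {
        return session[Flag] != null && (bool)session[Flag] == true;
    }

    // Authentication alone still lets a logged-in account upload a .aspx web shell;
    // an allow-list of extensions is the second check. (Assumed list.)
    private static readonly string[] Allowed = { ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".zip" };

    public static bool IsAllowedFileName(string fileName)
    {
        if (string.IsNullOrEmpty(fileName)) return false;
        string name;
        try
        {
            name = Path.GetFileName(fileName);   // drop any directory part the client supplied
        }
        catch (ArgumentException)                 // invalid path characters
        {
            return false;
        }
        var parts = name.Split('.');
        // Exactly one extension: rejects "shell.aspx.jpg" and "shell.asp;.jpg" tricks.
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;
        return Array.IndexOf(Allowed, "." + parts[1].ToLowerInvariant()) >= 0;
    }
}
```

In config.ascx, CheckAuthentication() becomes return UploadAuthorization.IsAuthorized(Session);, and the login page calls UploadAuthorization.Grant(Session, User.IsInRole("Editor")) after its own credential check; the upload path then calls IsAllowedFileName on the client-supplied name before saving. IsAllowedFileName("photo.JPG") returns true, while "shell.aspx", "shell.aspx.jpg" and "shell.asp;.jpg" all return false.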