Google
AspAlliance.com Web
AspAlliance
Register
Edit My Profile
Author List
Write for Us
About AspAlliance
Contact Us
Privacy Policy
Link To Us
Advertise

Subscribe
Free Newsletter
Newsletter Archive
RSS Syndication

.NET Tutorials
Learn .NET
Learn WCF
Learn WPF
Learn ASP.NET
Learn AJAX
Learn Silverlight
Learn Visual Studio
Learn ADO.NET
Learn LINQ
Learn C# (CSharp)
Learn VB.NET
Learn Web Services
Learn Controls
Learn BizTalk
Learn SharePoint
Learn Mobile
Learn SQL
Learn SQL Reporting
Learn Windows Forms
Learn XML
Learn Crystal Reports
Learn FarPoint
Learn DevExpress
Examples
ASP.NET 2.0 Examples

ASP Tutorials
Learn ASP
Learn VBScript
Learn JScript
Learn SQL
Learn XML

Software Resources
Shopping Cart Ecommerce
Charts and Dashboards

Other Resources
Learn Java
Learn Oracle
Opinion / Editorial
Crystal Reports Alliance
WPF Resources
AJAX Resources
Silverlight Resources

Free Tools
Cache Manager
SimpleCMS

Reviews
Book Reviews
Product Reviews
Expert Advice

Books
ASP.NET Developer's Cookbook
Sample Chapters
Book Reviews

Community
Regular Expressions

Print This Article Print  Add To Favorites Add To Favorites    Email This Article To A Friend Email To Friend  Rate This Article Rate This Article   
Securing ASP.NET Applications
page 3 of 5
by Gil Shabat
Feedback
Average Rating: 
Views (Total / Last 10 Days): 31085/ 69
Common ASP.NET Security Flaws

There is a wide array of attacks that ASP.NET web applications need to protect against but most security holes are due to flaws in the following:

Authentication

Making it easy for attackers to reveal users credentials, or worse to circumvent application’s authentication all together.

 

Possible deficiencies: lack of password policy (strong passwords, expiration date etc), passing internal messages back to the browser, using dynamic SQL on the login page (SQL injection), using cookies and other insecure means to store users’ credentials, and passing user names and passwords in clear text .

 

Possible attacks: Network eavesdropping, brute force & dictionary attacks, SQL injection (on login page), Cookie replay attacks and credential theft.

 

Authorization

Allowing logged-in users to perform actions without authorization verification (i.e. vertical & horizontal privilege escalation).

 

Possible deficiencies: inconsistent checks for user authorization for every user’s request and web page, lack of data validation and trusting data submitted by users (i.e. cookies, hidden fields, URL parameters etc).

 

Possible attacks: privilege escalation attacks (horizontal and vertical), Disclosure of confidential data and Data tampering attacks.

 

Data Validation

Trusting data submitted by the user and acting upon it.

 

Possible deficiencies: lack of consistent and strict data validation throughout the web, and failing to encode data sent to the browser.

 

Common Attacks: Cross site-scripting (XSS), SQL injection, data tampering (query string, form fields, cookies, and HTTP headers), embedded malicious characters and HTTP response splitting.

 

Application Configuration

Using default configuration on the application and hosted server.

 

Possible deficiencies: granting the application more permissions than it actually needs, failing to properly secure resources (operating system, database etc) and passing internal application information back to the browser (internal messages, exceptions and trace information).

 

Common Attacks: unauthorized access to administrator functionality, unauthorized access to configuration information, retrieval of clear text configuration information and unauthorized access to data stores.
View Entire Article

User Comments

Title: Good Job   
Name: Swapon
Date: 2009-12-01 11:45:31 PM
Comment:
Really nice article.Well done.But it would be nice if you give the complete example with code.
Title: Good work   
Name: phani
Date: 2009-05-09 6:42:43 AM
Comment:
Hi,
Its really nice article but it would have been more effective if you have explained the measures to be taken elaboratively.
Title: Nice work!   
Name: Chama
Date: 2009-05-01 1:11:53 PM
Comment:
I love this article. Nice work dude!
Title: s   
Name: Ajay
Date: 2009-04-29 12:23:46 AM
Comment:
Excellent stuff!

Product Spotlight
Product Spotlight 





Community Advice: ASP | SQL | XML | Regular Expressions | Windows


©Copyright 1998-2024 ASPAlliance.com  |  Page Processed at 2024-04-25 3:49:13 AM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search