Do not rely solely on client-side validation
An attacker can bypass client-side validation and still submit SQL Injection keywords to the server. Make sure to revalidate user input on the server side.
I know it is a lot of work, but for the sake of security we have to do it.
Replacing single quotation mark (') with two single quotation marks ('')
I saw some web sites mentioning that SQL Injection vulnerabilities can be prevented simply by replacing a single quotation mark with two single quotation marks. That is not always the case: an attacker can still inject malicious script or HTML markup into the SQL table without using a single quotation mark at all, and can bypass such a filter by using a different character encoding. Please refer to "How To: Prevent Cross-Site Scripting in ASP.NET", table 1.
There are several ways to display information from an ASP.NET program. We can display information in the page using an embedded code block, <% ... %>, or using the <%= ... %> construction. Another way is to use the data-binding syntax <%# ... %> to bind control property values to data and to specify values for retrieving, updating, deleting, and inserting data. Make sure to apply either the HttpUtility.HtmlEncode or the Server.HtmlEncode method to encode form data and any other client-supplied request data before displaying it in the web page. This helps prevent Cross-Site Scripting attacks. With ASP.NET 4.0, the new <%: ... %> code nugget syntax automatically HTML-encodes the output before it is rendered.
I'm using stored procedures in my web application; are stored procedures immune to SQL Injection attacks? The answer is "it depends". If we use dynamic SQL statements within a stored procedure, it may still be open to SQL Injection attacks. Shown below is a stored procedure with a dynamic SQL statement in it.
Update the comment field with the value ha ha ha';--. The "Update using inline query" and "Update using SP – Dynamic Query" buttons will update every comment field in the table with the specified value. On the other hand, the "Update using SP" button will only update the current record.
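As an added example (not the post's own code), here is a constructed Comments table with a stored procedure that concatenates its input into dynamic SQL, alongside two parameterised versions that update only the intended row; the table, the procedure names and the sample @ID of 5 are assumptions.

```sql
-- Added example (not the post's own code): a constructed Comments table and
-- three versions of an UpdateComment procedure. The first builds the UPDATE as
-- a string, so a comment of  ha ha ha';--  closes the literal and comments out
-- the WHERE clause; the others pass the value as a typed parameter.
CREATE TABLE dbo.Comments (
    ID      INT IDENTITY PRIMARY KEY,
    Comment NVARCHAR(500) NOT NULL
);
GO

-- Vulnerable: dynamic SQL assembled by string concatenation.
CREATE PROCEDURE dbo.UpdateComment_Dynamic
    @ID INT,
    @Comment NVARCHAR(500)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'UPDATE dbo.Comments SET Comment = ''' + @Comment +
        N''' WHERE ID = ' + CAST(@ID AS NVARCHAR(10)) + N';';
    -- With @ID = 5 and @Comment = N'ha ha ha'';--' the statement that runs is
    --   UPDATE dbo.Comments SET Comment = 'ha ha ha';--' WHERE ID = 5;
    -- so every row is updated, as the post describes.
    EXEC (@sql);
END
GO

-- Hardened: the value travels as a parameter, never as SQL text.
CREATE PROCEDURE dbo.UpdateComment
    @ID INT,
    @Comment NVARCHAR(500)
AS
BEGIN
    UPDATE dbo.Comments SET Comment = @Comment WHERE ID = @ID;
END
GO

-- If dynamic SQL is unavoidable, sp_executesql keeps the input parameterised.
CREATE PROCEDURE dbo.UpdateComment_DynamicSafe
    @ID INT,
    @Comment NVARCHAR(500)
AS
BEGIN
    EXEC sp_executesql
        N'UPDATE dbo.Comments SET Comment = @c WHERE ID = @i;',
        N'@c NVARCHAR(500), @i INT',
        @c = @Comment, @i = @ID;
END
GO
```

Calling each procedure from ASP.NET through a SqlCommand with SqlParameters does not help the first version, because the concatenation happens inside the procedure itself.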
Request validation (ASP.NET)
Please note that the ValidateRequest attribute in the @Page directive is set to false on purpose, to emulate the Classic ASP environment and to prevent the .NET Framework from throwing the error "A potentially dangerous Request.Form value was detected from the client". If you happen to come across this error message in your application, rethink the business logic or page architecture before disabling request validation.
Scripting Protection to ASP.NET 1.0
2.0 Security Best Practices - Must Read Article on MSDN
How To: Prevent Cross-Site Scripting in ASP.NET
Practices: ASP.NET Security Practices at a Glance
Injection General Guidance
Injection Attacks Before They Stop You