Hacking the Code: ASP.NET Web Application Security

Chapter 7: Developing Secure ASP.NET Applications

Introduction

Although much of your security effort is focused on the mechanics of your application and code that runs on the server, you should also consider the HTML content you send to client browsers. Throughout this book we have covered topics such as managing and authenticating users, using encryption, accessing data, and filtering input. But even after following all the recommendations in this book, poor HTML coding practices can provide attackers with sensitive information and even put your users at risk. Although this might not be a big issue for some web sites, it is a serious issue for large sites with substantial community involvement such as Yahoo! or eBay.

While you have no control over the user s browser and have little influence over the decisions they make, the content you produce can limit user exposure to these threats.

Understanding the Threats

Some of the threats covered in this chapter are:

  • Cross site scripting (XXS) Injecting HTML or script commands, causing the Web application to attack other users

  • Cross- site request forgery (CSRF) Exploiting a site s trust of a user to perform a transaction in behalf of the user

  • Information leakage Intentionally sending invalid input to produce error messages with information that may facilitate an attack

  • Social engineering Using a hacker s social skills to extract information from or otherwise manipulate employees or other trusted individuals at a target organization.

  • Repudiation The ability for a user to deny having taken an...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Online Communities
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.