Re: Security overview



Ok, so it seems that the ASP.NET protection against malicious code is
just a basic one that needs to be enhanced with coder work.

Given that I've no need to allow any HTML tag and that my users only
need to input plain text, would HTMLEncode() and URLEncode() be enough
for this?

Are there any other countermeasures that must be implemented in order to
build a secure site (apart from authentication and authorization, which
I take as given)?

Dominick Baier [DevelopMentor] wrote:

hi,

reasons are

a) black vs. white listing
b) the ValidateRequest feature was bugged in the past - don't rely
on it
c) only the most obvious characters are blocked, like '<'
otherwise there would be too many false positives
d) you may need to accept characters which are considered illegal -
and you have to turn off the automatic validation
e) does not find more subtle attacks

ValidateRequest is a defense-in-depth measure meant to augment
*not* replace input validation.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
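Putting the two points above together (the question whether HtmlEncode/UrlEncode are enough for plain text, and the white-list vs. black-list reason), here is an added example that is not code from this thread: a hypothetical PlainTextInput helper (all names are mine) that white-lists the input first and then encodes it with the encoder for each output context, leaving ValidateRequest on as the defense-in-depth layer. It assumes a .NET 2.0 project that references System.Web.dll, and the sample strings are constructed for the demo.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility; the project must reference System.Web.dll

// Hypothetical helper for a form field that accepts plain text only.
// Validation is a white list (what is allowed); encoding happens at output,
// with the encoder chosen for the context the value is written into.
public static class PlainTextInput
{
    // White list: letters, digits, space and a few punctuation marks, 1..200 chars.
    // Anything else is rejected, instead of hunting for "bad" characters the
    // way a black list such as ValidateRequest does. Adjust the set per field.
    private static readonly Regex Allowed =
        new Regex(@"^[\p{L}\p{Nd} .,;:!?'&()/-]{1,200}$", RegexOptions.Compiled);

    public static bool IsValid(string input)
    {
        return input != null && Allowed.IsMatch(input);
    }

    // Between <p>...</p> or in a Label: HtmlEncode is the right encoder.
    public static string ForHtmlBody(string value) { return HttpUtility.HtmlEncode(value); }

    // Inside value="...": always write the attribute with double quotes, since the
    // encoder escapes the double quote but, depending on version, not the apostrophe.
    public static string ForHtmlAttribute(string value) { return HttpUtility.HtmlAttributeEncode(value); }

    // Inside a query string (?q=...): UrlEncode, not HtmlEncode.
    public static string ForQueryString(string value) { return HttpUtility.UrlEncode(value); }
}

public class Demo
{
    public static void Main()
    {
        // Constructed samples: the first passes the white list but still needs
        // encoding (& and '), the second is rejected because of the '<'.
        string[] samples = { "O'Reilly & Sons, est. 1990", "<b>hello</b>" };
        foreach (string s in samples)
        {
            Console.WriteLine("input: {0}  valid: {1}", s, PlainTextInput.IsValid(s));
            Console.WriteLine("  body : {0}", PlainTextInput.ForHtmlBody(s));
            Console.WriteLine("  attr : {0}", PlainTextInput.ForHtmlAttribute(s));
            Console.WriteLine("  query: {0}", PlainTextInput.ForQueryString(s));
        }
    }
}
```

The white list deliberately admits the apostrophe and ampersand; they are safe only because every output path encodes them, which is why "valid" input still goes through the encoder for its context.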

Hi Paolo,

Thanks for your reply.

I found the article very interesting but it failed to answer my
former question.
From what I understand an XSS attack consists of the attacker
redirecting a visitor to a victim web site while inserting his
own script in a field (hidden or unnoticed) of the web site so
that when the user interacts with the web site the code is executed.
If this is correct then my question arises again. If the ASP.NET
framework validates all form fields' input for harmful values
(let's say script identifiers) how can the attacker's code be
executed?

That's my point.

From what I read in the article it seems that the ASP.NET
protection could be faulty, being based on "black lists" instead
of "white lists" and thus unable to handle new script
identifiers of new harmful code. Is that the reason?

Anyway I still don't understand why MS advises you in the online
help to validate all user input against special characters if the
ASP.NET framework already does it. In this way they are covertly
saying that the ASP.NET protection doesn't always work.

I'm still a bit confused about this.

Paolo De Nictolis, Eng. [441410] wrote:

Hi Arturo,
please check AntiXSS Library:
http://www.programmazione.it/index.php?entity=eitem&idItem=33147.
Paolo

"Arturo Buonanni"
<leave_this_out_deer.chief.this.also@xxxxxxxxx> wrote in message
news:Xns97899EE018350Arturo.Buonanni@xxxxxxxxxxxxxxxx

I'm a programmer new to ASP.NET and web development in general.

I'm going to code a web application and I'm concerned about the
security issues that arise on this field (that's new to me).

I'm using VWD2005 Express Ed. and I've read the online help
about security.

Now I've a doubt about one thing. The online help states that
you have to validate every user input against script exploits
and SQL injection and that's quite fair. But it also states
that ASP.NET validates every "request" against potentially
harmful values (i.e. scripts). Now, if ASP.NET doesn't allow
dangerous values in the request for pages, how can one use
script exploits? Why code against script exploits in every page
if dangerous values are not meant to ever reach the page?

I'm new to web development as I've said so I'm probably missing
something and I'd like to know what it is.

Thanks.
