JustPaste.it

Microsoft .NET Framework Secure Coding Guidelines

Since its unveiling in 2002, the Microsoft .NET Framework has solidified its place as one of the most popular and robust frameworks available for web application development.

Since its unveiling in 2002, the Microsoft .NET Framework has solidified its place as one of the most popular and robust frameworks available for web application development.

 

A report published by SANS in September 2009 entitled “The Top Cyber Security Risks” found that web application attacks constituted more than 60% of the total attacks observed on the Internet. SQL injection, cross-site scripting (XSS) and file inclusion were the three most popular techniques used in successful attacks. All three are the direct result of lax data validation and insecure code.

The easiest and most effective way to implement data validation on forms within your web application is to use the validator controls provided by the .NET Framework. Validator controls provide validation of the form data sent in a POST request on the server-side and the entered data on the client-side using JavaScript.

There are six controls included within the framework: RequireFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, and CustomValidator.

Parameterised SQL queries are a secure alternative to concatenating chunks of SQL syntax with user input and prevent SQL injections. Placeholders are used to represent where user input will be substituted into a query, and the user input is validated before substitution occurs. Using parameterised queries also offers some performance benefit, as strings are no longer being concatenated, which can be computationally intensive.

The Microsoft Anti-XSS Library is an encoding library designed to help developers protect against cross-site scripting attacks. It provides a white-listing approach that defines a set of valid or allowable characters and encodes anything outside that set.

Request validation is a feature enabled by default on the .NET Framework that identifies suspicious strings of user input and halts the execution of a page by throwing an exception. It will not, however, prevent all possible attacks and must not be relied upon.

It is important to have defence in depth, as it is possible that one or more aspects of your information security may be circumvented or broken at any time.

License: Public domain