A report published by SANS in September 2009 entitled “The Top Cyber Security Risks” found that web application attacks constituted more than 60% of the total attacks observed on the Internet. SQL injection, cross-site scripting (XSS) and file inclusion were the three most popular techniques used in successful attacks. All three are the direct result of lax data validation and insecure code.
There are six controls included within the framework: RequireFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, and CustomValidator.
Parameterised SQL queries are a secure alternative to concatenating chunks of SQL syntax with user input and prevent SQL injections. Placeholders are used to represent where user input will be substituted into a query, and the user input is validated before substitution occurs. Using parameterised queries also offers some performance benefit, as strings are no longer being concatenated, which can be computationally intensive.
The Microsoft Anti-XSS Library is an encoding library designed to help developers protect against cross-site scripting attacks. It provides a white-listing approach that defines a set of valid or allowable characters and encodes anything outside that set.
Request validation is a feature enabled by default on the .NET Framework that identifies suspicious strings of user input and halts the execution of a page by throwing an exception. It will not, however, prevent all possible attacks and must not be relied upon.
It is important to have defence in depth, as it is possible that one or more aspects of your information security may be circumvented or broken at any time.