
Microsoft .NET Framework Secure Coding Guidelines

Since its unveiling in 2002, the Microsoft .NET Framework has solidified its place as one of the most popular and robust frameworks available for web application development.
Created 02/23/2010

A report published by SANS in September 2009 entitled “The Top Cyber Security Risks” found that web application attacks constituted more than 60% of the total attacks observed on the Internet. SQL injection, cross-site scripting (XSS) and file inclusion were the three most popular techniques used in successful attacks. All three are the direct result of lax data validation and insecure code.

The easiest and most effective way to implement data validation on forms within your web application is to use the validator controls provided by the .NET Framework. Validator controls validate the form data sent in a POST request on the server side and, as a convenience, the entered data on the client side using JavaScript; because the client-side check can be bypassed, only the server-side validation can be trusted.

There are six controls included within the framework: RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator, and CustomValidator.

Parameterised SQL queries are a secure alternative to concatenating chunks of SQL syntax with user input and prevent SQL injection. Placeholders mark where user input belongs in the query, and the input is supplied separately as a typed parameter value rather than being spliced into the query text, so it is never parsed as SQL. Using parameterised queries also offers some performance benefit, as strings are no longer being concatenated, which can be computationally intensive.
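The concatenated query beside its parameterised replacement, as an added example that is not part of the original article; it assumes a `Users` table with `Id` and `Username` columns and an open `System.Data.SqlClient` connection.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example: "Users" table with "Id" and "Username" columns is assumed.
public static class UserLookup
{
    // Vulnerable: the user-supplied value is concatenated into the statement,
    // so a value containing a quote character changes the statement's structure.
    public static DataTable FindUserUnsafe(SqlConnection conn, string username)
    {
        string sql = "SELECT Id, Username FROM Users WHERE Username = '" + username + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Parameterised: the statement text is fixed and the value travels
    // separately as a typed parameter, so the database never parses it as SQL.
    public static DataTable FindUser(SqlConnection conn, string username)
    {
        const string sql = "SELECT Id, Username FROM Users WHERE Username = @username";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Declaring the type and length matches the column's definition,
            // which keeps the parameter metadata stable for query-plan reuse.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 64).Value = username;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }
}
```

The same `@name` placeholder syntax applies to stored-procedure calls via `SqlCommand` with `CommandType.StoredProcedure`; the value is still passed through `Parameters`, never built into the command text.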

The Microsoft Anti-XSS Library is an encoding library designed to help developers protect against cross-site scripting attacks. It provides a white-listing approach that defines a set of valid or allowable characters and encodes anything outside that set.

Request validation is a feature enabled by default on the .NET Framework that identifies suspicious strings of user input and halts the execution of a page by throwing an exception. It will not, however, prevent all possible attacks and must not be relied upon.

It is important to have defence in depth, as it is possible that one or more aspects of your information security may be circumvented or broken at any time.


© 2005-2018 EIOBA group.