.NET Security Cheatsheet
- 1 DRAFT CHEAT SHEET - WORK IN PROGRESS
- 2 Introduction
- 3 .NET Framework Guidance
- 4 ASP.NET Web Forms Guidance
- 5 ASP.NET MVC Guidance
- 6 XAML Guidance
- 7 Windows Forms Guidance
- 8 WCF Guidance
- 9 Authors and Primary Editors
- 10 Other Cheatsheets
DRAFT CHEAT SHEET - WORK IN PROGRESS
This page intends to provide quick basic .NET security tips for developers.
The .NET Framework
The .NET Framework is Microsoft's principal platform for line of business development. It is the supporting API for ASP.NET, Windows Desktop applications, Windows Communication Foundation services, SharePoint, Visual Studio Tools for Office and other technologies.
Updating the Framework
The .NET Framework is kept up-to-date by Microsoft with the Windows Update service. Developers do not normally need to run seperate updates to the Framework. Windows update can be accessed at http://windowsupdate.microsoft.com/ or from the Windows Update program on a Windows computer.
.NET Framework Guidance
The .NET Framework is the set of APIs that support an advanced type system, data, graphics, network, file handling and most of the rest of what is needed to write line of business apps in the Microsoft ecosystem. It is a nearly ubiquitous library that is strong named and versioned at the assembly level.
- Use Parameterized SQL commands for all data access, without exception.
- Do not use SqlCommand with a string parameter made up of a concatenated SQL String.
- Whitelist allowable values coming from the user. Use enums, TryParse or lookup values to assure that the data coming from the user is as expected.
- Apply the principle of least privilege when setting up the Database User in your database of choice. The database user should only be able to access items that make sense for the use case.
- Always check the MD5 hashes of the .NET Framework assemblies to prevent the possibility of rootkits in the framework. Altered assemblies are possible and simple to produce. Checking the MD5 hashes will prevent using altered assemblies on a server or client machine.
ASP.NET Web Forms Guidance
ASP.NET Web Forms is the original browser-based application development API for the .NET framework, and is still the most common line of business platform the web application development.
Cross site scripting
- Do not disable validateRequest in the web.config or the page setup. This value enables the AntiXSS library in ASP.NET and should be left intact to present cross site scripting.
- Whitelist allowable values anytime user input is accepted. The regex namespace is particularly useful for checking to make sure an email address or URI is as expected.
- Always encode output to the browser using Server.HtmlEncode.
Authorization and authentication
- Don't trust the URI of the request for persistence of the session or authorization. It can be easily faked.
- Reduce the session time from the default of 20 minutes. If slidingExpiration is used this timeout starts after the last request, so active users won't be affected.
- If you don't require SSL, disable slidingExpiration.
ASP.NET MVC Guidance
Windows Forms Guidance
Authors and Primary Editors
Troy Hunt - troyhunt [at] hotmail.com
Bill Sempf - bill [at] pointweb.net
Patrick Leclerc - patrick.leclerc [at] owasp.org
Jerry Hoff - jerry.hoff [at] owasp.org
OWASP Cheat Sheets Project Homepage