This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "CRV2 FrameworkSpecIssuesdotNetMVC"
Line 2: | Line 2: | ||
== Protection against SQL injections == | == Protection against SQL injections == | ||
− | The best solution | + | The best solution to avoid this OWASP #1 in the top ten list of security vulnerabilities is to use Parameterized queries .Equivalent to these solution, the use the use of Stored procedures is also a form of parameterized queries. |
=== Use an ORM(Object Relational Mapper) === | === Use an ORM(Object Relational Mapper) === | ||
− | ORM’s are a real blessing regarding protection against SQL injection. By default, the use of ORM will automatically send all SQL request as parameterized queries, however, it’s important to keep in mind that this | + | ORM’s are a real blessing regarding protection against SQL injection. By default, the use of ORM will automatically send all SQL request as parameterized queries, however, it’s important to keep in mind that this form of security can be easily bypassed if the developer uses unparameterized HQL or Entity SQL queries dynamically with string concatenations |
== Request Validation feature against XSS attacks == | == Request Validation feature against XSS attacks == | ||
ASP.NET comes with a built-in request validation feature. This feature was added in the ASP.NET version 1.1, in addition this feature is enabled by default. Once a malformed request containing any HTML tags in send, ASP.NET will simply display an error as shown in the following figure | ASP.NET comes with a built-in request validation feature. This feature was added in the ASP.NET version 1.1, in addition this feature is enabled by default. Once a malformed request containing any HTML tags in send, ASP.NET will simply display an error as shown in the following figure | ||
+ | |||
Unfortunately, this inherent feature can also create issues when legitimate requests are sent by users who need to submit data containing certain kind of characters such as brackets. | Unfortunately, this inherent feature can also create issues when legitimate requests are sent by users who need to submit data containing certain kind of characters such as brackets. | ||
Another disadvantage is that this does not avoid any attacks originated from other application or if stored in the database, neither will offer any protection when input is injected in HTML attributes. | Another disadvantage is that this does not avoid any attacks originated from other application or if stored in the database, neither will offer any protection when input is injected in HTML attributes. | ||
Line 33: | Line 34: | ||
); | ); | ||
− | Limitations | + | ==== Limitations ==== |
− | + | *Users must accept cookies otherwise the [ValidateAntiForgeryToken] will deny their form’s posts | |
− | + | *Works only with POST request | |
− | + | *Can be bypassed if the application has XSS vulnerabilities since it will be possible to read _RequestVerificationToken value |
Revision as of 03:44, 29 June 2013
ASP.NET Security –MVC
Protection against SQL injections
The best solution to avoid this OWASP #1 in the top ten list of security vulnerabilities is to use Parameterized queries .Equivalent to these solution, the use the use of Stored procedures is also a form of parameterized queries.
Use an ORM(Object Relational Mapper)
ORM’s are a real blessing regarding protection against SQL injection. By default, the use of ORM will automatically send all SQL request as parameterized queries, however, it’s important to keep in mind that this form of security can be easily bypassed if the developer uses unparameterized HQL or Entity SQL queries dynamically with string concatenations
Request Validation feature against XSS attacks
ASP.NET comes with a built-in request validation feature. This feature was added in the ASP.NET version 1.1, in addition this feature is enabled by default. Once a malformed request containing any HTML tags in send, ASP.NET will simply display an error as shown in the following figure
Unfortunately, this inherent feature can also create issues when legitimate requests are sent by users who need to submit data containing certain kind of characters such as brackets. Another disadvantage is that this does not avoid any attacks originated from other application or if stored in the database, neither will offer any protection when input is injected in HTML attributes.
MVC’s CSFR anti-forgery system
This is one handy feature found in .NET which contra rest the #8 owasp top 10 security issue.
Use Anti-forgery Helpers
There are 2 methods which a developer can use to avoid CSFR attacks, these are Html.AntiForgeryToken() and the filter [ValidateAntiForgeryToken]. To use these features, call the AntiForgeryToken method from within your form, and add the ValidateAntiForgeryTokenAttribute to the action method you want to protect. A combination between the Html.AntiForgeryToken() and Ajax.ActionLink is a recommended way to go in order to make sure that no attacker can send a false deletion request
$.ajaxPrefilter( function (options, localOptions, jqXHR) { if (options.type !== "GET") { var token = GetAntiForgeryToken(); if (token !== null) { if (options.data.indexOf("X-Requested-With") === -1) { options.data = "X-Requested-With=XMLHttpRequest" + (options.data === "") ? "" : "&" + options.data; } options.data = options.data + "&" + token.name + '=' + token.value; } } } );
Limitations
- Users must accept cookies otherwise the [ValidateAntiForgeryToken] will deny their form’s posts
- Works only with POST request
- Can be bypassed if the application has XSS vulnerabilities since it will be possible to read _RequestVerificationToken value