Jeff Prosise on Hacking ASP.NET Web Applications

Last night I was fortunate to be able to attend a local VBUG meeting where Jeff Prosise of Wintellect talked about ASP.NET Security and specifically the threats posed to your ASP.NET applications. Jeff is in the UK for DevWeek ("the UK's leading technical conference for software developers") where he's talking about ASP.NET 2.0. As an INETA speaker, Jeff's services are often made available to INETA affiliated user groups. If you get the chance to see Jeff in action, I urge you to take it!

Jeff's VBUG session focussed on three main areas of threat:

  • Hidden field tampering
  • SQL injection
  • Cross site scripting

as well as a few other potential security risks to be aware of. I particularly liked his positioning of security: "...there's lots of insecure code out there. It's not that the people who write it aren't smart people, they're just not always aware of the threats .... there's always someone out there half your age trying to prove they're twice as smart."

I'm not going to go into details here but I do want to mention the measures Jeff recommended to secure your application against such attacks:

  • Hidden field tampering
    • Never embed sensitive data in hidden fields
    • Roundtrip to the database to retrieve sensitive data if required
    • Even better, use viewstate which is tamperproof and can be encrypted if required
  • SQL injection attacks
    • Validate user input and constrain it to legitimate values
    • Avoid dynamic SQL queries - use parameterised queries or preferably stored procedures and restrict permissions
    • Never use the SA account to access the DB from your application
  • Cross site scripting
    • Again, validate user input, especially if you're going to echo it
    • Never echo raw user input to a page without HTML encoding it first
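To make the three sets of recommendations concrete, here is an added example (written for this post, not code from Jeff's talk or from Wintellect) of a single ASP.NET 2.0 Web Forms code-behind that applies all of them. The connection string name `Shop`, the `Products` table and its columns, the `dbo.SearchProducts` stored procedure, and the page controls (`txtSearch`, `lblEcho`, `gridResults`, `lblTotal`) are all assumptions for the sake of illustration.

```csharp
// Added example (not from the talk or the post). Assumed: a connection string named "Shop"
// in web.config whose SQL login has only the SELECT/EXECUTE rights this page needs, never SA;
// a Products table with ProductId/UnitPrice; a dbo.SearchProducts stored procedure taking @term;
// and the controls txtSearch, lblEcho, gridResults, lblTotal declared in the .aspx designer file.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class OrderPage : Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Shop"].ConnectionString;

    // 1. Hidden field tampering: keep the product id in ViewState (MAC-protected by default,
    //    encryptable via ViewStateEncryptionMode) rather than in a hidden <input> the browser
    //    can rewrite, and never store the price itself on the client at all.
    protected int ProductId
    {
        get { object v = ViewState["ProductId"]; return v == null ? 0 : (int)v; }
        set { ViewState["ProductId"] = value; }
    }

    // Round-trip to the database for the sensitive value instead of trusting the form post.
    protected decimal LookUpPrice(int productId)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT UnitPrice FROM Products WHERE ProductId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = productId;
            conn.Open();
            object result = cmd.ExecuteScalar();
            if (result == null) throw new InvalidOperationException("Unknown product");
            return (decimal)result;
        }
    }

    // 2. SQL injection: constrain the input to legitimate values first, then pass it as a
    //    typed parameter to a stored procedure. The string-concatenated query
    //    "... WHERE Name LIKE '%" + term + "%'" is exactly the form the talk warned against.
    protected DataTable SearchProducts(string term)
    {
        if (string.IsNullOrEmpty(term) || term.Length > 50 ||
            !Regex.IsMatch(term, @"^[A-Za-z0-9 ]+$"))
        {
            throw new ArgumentException("Invalid search term");
        }

        DataTable table = new DataTable();
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand("dbo.SearchProducts", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 50).Value = term;
            conn.Open();
            new SqlDataAdapter(cmd).Fill(table);
        }
        return table;
    }

    // 3. Cross-site scripting: the search term is echoed back, so it is HTML-encoded on output.
    //    "<script>" in txtSearch.Text reaches the page as "&lt;script&gt;" and is never executed.
    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string term = txtSearch.Text;
        lblEcho.Text = "Results for: " + HttpUtility.HtmlEncode(term);
        gridResults.DataSource = SearchProducts(term);
        gridResults.DataBind();
    }

    protected void btnBuy_Click(object sender, EventArgs e)
    {
        // The price comes from the database, not from Request.Form["price"].
        decimal price = LookUpPrice(ProductId);
        lblTotal.Text = price.ToString("C");
    }
}
```

Two points worth noting on the design: the input validation in `SearchProducts` is a whitelist (only the characters the feature legitimately needs), which is what "constrain it to legitimate values" means in practice, and it is applied even though the parameterised stored-procedure call already prevents injection, because the two measures address different failure modes. Likewise the HTML encoding happens at the point of output rather than on input, so the stored value stays intact while anything rendered to the browser is inert.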

There's an excellent article by Dino Esposito on the MSDN website covering these and other threats to your ASP.NET applications - "Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks"