hi,
building secure sites is not only about throwing in some counter
measure - it is a combination of
- Threat Modeling leading to
- prevention
- detection
- reaction
good input validation is a prereq - but there is more
auth & authZ, least privilege, server hardening, error handling,
logging & instrumentation, data & communication protection etc...
HtmlEncode is OK if you are emitting the output to HTML - if you are
concatenating input into script blocks - this won't help you.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Ok, so it seems that the ASP.NET protection against malicius code is
just a basic one that need to be enanched with coder work.
Given that I've no need to allow any HTML tag and that my users only
need to input plain text, would HTMLEncode() and URLEncode() be
enough for this?
Are there any other countermeasure that must be omplemented in order
to build a secure site (apart from authentication and authorization
that I give as assumptions)?
Dominick Baier [DevelopMentor] wrote:
hi,
reasons are
a) black vs. white listing
b) the ValidateRequest feature was bugged in the past - don't rely
on it
c) only the most obvious characters are blocked, like '<'
otherwise there would be too many false positives
d) you may need to accept characters which are considere illegal -
and you have to turn off the automatic validation
e) does not find more subtle attacks
ValidateRequest is a defense-in-depth measure meant to augment
*not*
replace input validation.
---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com
Hi Paolo,
Thanks for your reply.
I foud the article very interesting but it failed to answer my
former question.
For what I understand XSS attack consist in the attacker
redirecting a visitor to a victim web site while inserting his
own script in a field (hidden on unnoticed) of the web site so
that when user interacts with the web site the code is executed.
If this is correct then my question rise again. If the ASP.NET
framework validate all form's fields input for harmfull values
(let's says script identifiers) how can be the attacker's code
executed?
That's my point.
From what I read form the article it seems that the ASP.NET
protection could be faulty being based in "black lists" instead of
"white lists" and being so unable to handle new script identifiers
of new harmfull code. Is that the reason?
Anyway I still don't understand why MS advise you in the online
help to validate all user input against special carachters if the
ASP.NET framework already does it. In this way they are covertly
saying that the ASP.NET protection doesn't always works.
I'm still a bit confused about this.
Paolo De Nictolis, Eng. [441410] wrote:
Hi Arturo,
please check AntiXSS Library:
http://www.programmazione.it/index.php?entity=eitem&idItem=33147.
Paolo
"Arturo Buonanni" <
[email protected]>
wrote in message
I'm a programmer new to ASP.NET and web development in general.
I'm going to code a web application and I'm concerned about the
security issues that arise on this field (that's new to me).
I'm using VWD2005 Express Ed. and I've read the online help
about security.
Now I've a doubt about one thing. The online help states that
you have to validate every user input against script exploit and
SQL injection and that's quite fair. But it also states that
ASP.NET validates every "request" against potentially harmfull
values (ie. scripts). Now, if ASP.NET doesn't allows dangerous
values in the request for pages, how can one use scrips exploit?
Why code against script expliot in every page if dangelous
values are not meant to ever reach the page?
I'm new to web development as I've said so I'm probably missing
something and I'd like to know what it is.
Thanks.