Tip 1, Always encode user-supplied content before showing it on a web page. You can do this simply by using Html.Encode() for element content (innerHTML), Html.AttributeEncode() for attribute values and Url.Encode() for href link values.
You should know that code expressions in Razor are implicitly HTML encoded, so in the cases where you do need to render an HTML value that must not be HTML encoded you can use the Html.Raw() method to ensure that the value is not encoded. BUT by doing so you have thrown the door open to evil.
Tip 2, Always JavaScript encode user input values in your JavaScript code. You can use Ajax.JavaScriptStringEncode() to do this. The reason is that the HTML encode methods mentioned in Tip 1 cannot fully stop XSS attacks: HTML encoding does not touch hex escape sequences such as \x3c, but the browser's JavaScript string decoding and the DOM do. Therefore an attacker may use your JS code to pass a hex-escaped string into a DOM object, which converts the string back into markup and script and hurts you. Have a look at the code below:
<div id="test">Text here is supposed to be replaced</div>
<script type="text/javascript">
    $(function () {
        $("#test").html(
            '@Html.Encode("\\x3cscript\\x3e alert(\\x27oops\\x27) \\x3c/script\\x3e")');
    });
</script>
Copy the code into your Razor page and run it; you will see an alert message saying “oops”.
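To make the difference between Tip 1 and Tip 2 concrete, here is an added console example (not code from the original post) that runs the same payload through HtmlEncode and JavaScriptStringEncode. It targets .NET Framework 4 and needs a reference to System.Web.dll; the payload string is constructed for the demo, and the comment about the hardened Razor line assumes a view that renders a user-supplied value named userInput.

```csharp
using System;
using System.Web; // System.Web.dll (.NET Framework 4) for HttpUtility

// Shows why HTML encoding alone does not protect a JavaScript string literal:
// the hex-escape payload contains no HTML-sensitive characters, so HtmlEncode
// leaves it untouched and the JS engine later decodes \x3c back into '<'.
class EncoderDemo
{
    // Attacker-controlled value, constructed for this demo (same as the post's payload).
    const string Payload = @"\x3cscript\x3e alert(\x27oops\x27) \x3c/script\x3e";

    static void Main()
    {
        // Tip 1's encoder: output is identical to the input because there is no
        // <, >, &, " or ' to encode. Unsafe inside a JS string literal.
        string htmlEncoded = HttpUtility.HtmlEncode(Payload);
        Console.WriteLine("HtmlEncode:             " + htmlEncoded);

        // Tip 2's encoder: every backslash becomes \\ (and < > & ' " become
        // \uXXXX escapes), so the browser receives the literal text "\x3c" and
        // never sees a '<'. In MVC 3, Ajax.JavaScriptStringEncode delegates to
        // this same HttpUtility method.
        string jsEncoded = HttpUtility.JavaScriptStringEncode(Payload);
        Console.WriteLine("JavaScriptStringEncode: " + jsEncoded);

        // Hardened form of the Razor line from the post (userInput is assumed):
        //   $("#test").text('@Html.Raw(Ajax.JavaScriptStringEncode(userInput))');
        // Html.Raw is required because Razor would otherwise HTML-encode the
        // already JS-encoded output a second time (turning \" into \&quot;
        // inside a <script> block, where HTML entities are not decoded).
        // Using .text() rather than .html() additionally stops jQuery from
        // treating the value as markup at all.
        Console.WriteLine(htmlEncoded == Payload
            ? "HtmlEncode changed nothing: the payload survives intact."
            : "HtmlEncode altered the payload.");
        Console.WriteLine(jsEncoded.Contains("\\\\x3c")
            ? "JavaScriptStringEncode neutralised the hex escape."
            : "Unexpected encoder output.");
    }
}
```

The takeaway is that the encoder must match the context the value lands in: HTML encoding for element content, JavaScript string encoding for a value inside a script literal, and both when a JS-encoded value is emitted through a Razor expression.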
Tip 3, Follow the principles listed below to prevent CSRF attacks (if you don’t know what CSRF is, please google it).
- First things first, you need to follow Tips 1 and 2 to make your site XSS proof
- Always use POST instead of GET to submit data changes
- Validate the HTTP Referer by checking HttpContext.Request.UrlReferrer to see whether the client that posted the data was indeed on one of your site’s pages
- Put token verification in your form. You can use Html.AntiForgeryToken() to create a hidden token value in your form, and in the related controller action use the ValidateAntiForgeryToken attribute to check that the token matches
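Putting the last three principles together, here is an added MVC 3 example (not code from the original post) of a state-changing action protected by POST-only routing, the anti-forgery token and a referrer check. The ReferrerMustBeLocalAttribute filter and the TransferController with its amount/toAccount fields are constructed for this example; the transfer itself is left as a comment.

```csharp
using System;
using System.Web.Mvc;

// The referrer check from Tip 3 as a reusable action filter (constructed name).
public class ReferrerMustBeLocalAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        Uri referrer = request.UrlReferrer;

        // Treat a missing referrer as suspicious as well: browsers normally send
        // one for a form POST, and a cross-site page can arrange to suppress it.
        bool sameSite = referrer != null &&
            string.Equals(referrer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase);

        if (!sameSite)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request rejected");
        }
    }
}

public class TransferController : Controller
{
    // GET only renders the form and changes nothing (use POST for changes).
    public ActionResult Index()
    {
        return View();
    }

    // POST-only + anti-forgery token + referrer check, applied together.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [ReferrerMustBeLocal]
    public ActionResult Index(decimal amount, string toAccount)
    {
        // ... perform the transfer for the authenticated user here ...
        TempData["Message"] = "Transfer of " + amount + " to " + toAccount + " submitted.";
        return RedirectToAction("Index");
    }
}

/* Matching Razor view, Views/Transfer/Index.cshtml. The hidden field emitted by
   Html.AntiForgeryToken() is what [ValidateAntiForgeryToken] compares against the
   __RequestVerificationToken cookie; a form hosted on another origin can read
   neither value, so its POST fails the check.

@using (Html.BeginForm("Index", "Transfer", FormMethod.Post))
{
    @Html.AntiForgeryToken()
    @Html.TextBox("amount")
    @Html.TextBox("toAccount")
    <input type="submit" value="Transfer" />
}
*/
```

The token is the check that actually stops CSRF; the referrer filter is a secondary layer because the Referer header is optional and can be stripped by proxies or privacy settings, so a site that relied on it alone would both block some legitimate users and still be exposed if the token were missing.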
Tip 4, Protect your open redirection URLs. The ASP.NET MVC 3 template includes code in its AccountController to protect against open redirection attacks after a user successfully logs on. You also need to do the same thing in any other place where a URL redirection may occur.
Tip 5, Use the AuthorizeAttribute to require a logged-in user or role membership. AuthorizeAttribute can be applied at the action level or the controller level. You can use FormsAuthentication.SetAuthCookie() to keep the user’s login information in an HTTP cookie, and it can be read by checking User.Identity.IsAuthenticated in the requested controller.
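As an added example covering Tips 4 and 5 together (not the template’s own code), here is a logon flow in the style of the MVC 3 AccountController: it issues the forms-authentication cookie, only follows returnUrl when Url.IsLocalUrl accepts it, and gates an action behind [Authorize] with a role. The AdminDashboard action and the "Administrator" role name are constructed for the example; credential checking is delegated to Membership.ValidateUser.

```csharp
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    public ActionResult LogOn(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOn(string userName, string password, string returnUrl)
    {
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View();
        }

        // Tip 5: write the forms-authentication ticket cookie (non-persistent).
        FormsAuthentication.SetAuthCookie(userName, false);

        // Tip 4: follow returnUrl only if it points back into this site.
        return RedirectToLocal(returnUrl);
    }

    // Same pattern the MVC 3 template uses; reuse it wherever a redirect target
    // comes from the request (query string, form field, cookie).
    private ActionResult RedirectToLocal(string returnUrl)
    {
        // Url.IsLocalUrl accepts only "/path" and "~/path"; it rejects absolute
        // URLs, protocol-relative "//evil.example" and "/\evil.example" forms.
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // Tip 5: unauthenticated users are redirected to the logon page, and
    // authenticated users without the role get a 401. (Constructed action.)
    [Authorize(Roles = "Administrator")]
    public ActionResult AdminDashboard()
    {
        // Inside an action, User.Identity.IsAuthenticated is a property that
        // reflects the ticket SetAuthCookie wrote; [Authorize] already checked it.
        ViewBag.User = User.Identity.Name;
        return View();
    }

    public ActionResult LogOff()
    {
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}
```

Keeping the local-URL test in one private helper makes it easy to apply everywhere a redirect target originates outside the application, which is the point of Tip 4.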
Tip 6, Use ValidationAttribute to perform view-model level data validation automatically. Most of the ValidationAttributes support client-side validation if the related jQuery library files are included, which is a huge benefit for us developers.
Tip 7, Prevent over-posting of data through the ASP.NET MVC 3 model binding feature, which can give an attacker the opportunity to populate model properties you didn’t even put on your input forms. You can use BindAttribute to specify the names of the properties that allow automatic model binding. Alternatively you can do manual data binding by calling the UpdateModel() or TryUpdateModel() methods in the controller.
Still another way to deal with over-posting is to avoid binding directly to the data model. You can do this by defining a view-model class that holds only the properties you want to allow the user to set.
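The following added example (not code from the original post) shows Tips 6 and 7 side by side: a vulnerable action that binds straight to an entity with an IsAdmin flag, then the three fixes the post names (Bind Include, TryUpdateModel with an include list, and a dedicated view model) with DataAnnotations validation on the view model. UserAccount, EditProfileViewModel, ProfileController and the in-memory store are all constructed for this example.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Entity as stored. IsAdmin must never be settable from a form (constructed).
public class UserAccount
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

// Tip 7, view-model route: only user-editable properties exist here, so the
// binder has nothing else to populate. Tip 6: validation attributes live on it,
// and jquery.validate + jquery.validate.unobtrusive enforce them client-side too.
public class EditProfileViewModel
{
    [Required, StringLength(50)]
    public string DisplayName { get; set; }

    [Required, RegularExpression(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", ErrorMessage = "Enter a valid e-mail address.")]
    public string Email { get; set; }
}

public class ProfileController : Controller
{
    // In-memory stand-in for a data store (constructed for the example).
    private static readonly Dictionary<int, UserAccount> Store = new Dictionary<int, UserAccount>
    {
        { 1, new UserAccount { Id = 1, DisplayName = "alice", Email = "alice@example.com", IsAdmin = false } }
    };
    private static UserAccount Load(int id) { return Store[id]; }
    private static void Save(UserAccount account) { Store[account.Id] = account; }

    // VULNERABLE: a form field named IsAdmin=true is bound onto the entity.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditUnsafe(UserAccount account)
    {
        Save(account);
        return RedirectToAction("Index");
    }

    // Fix A: keep binding to the entity type but whitelist with [Bind(Include)];
    // anything outside the list, including IsAdmin, is ignored by the binder.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditWithBind(int id, [Bind(Include = "DisplayName,Email")] UserAccount posted)
    {
        UserAccount account = Load(id);
        account.DisplayName = posted.DisplayName;
        account.Email = posted.Email;
        Save(account);
        return RedirectToAction("Index");
    }

    // Fix B: load the real entity and let TryUpdateModel copy only named fields.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditWithTryUpdate(int id)
    {
        UserAccount account = Load(id);
        string[] allowed = { "DisplayName", "Email" };
        if (TryUpdateModel(account, allowed)) // (model, includeProperties) overload
        {
            Save(account);
            return RedirectToAction("Index");
        }
        return View(account);
    }

    // Fix C (+ Tip 6): bind to the view model; the binder has already run the
    // DataAnnotations, so ModelState.IsValid is the server-side check.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, EditProfileViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }
        UserAccount account = Load(id);
        account.DisplayName = model.DisplayName;
        account.Email = model.Email; // IsAdmin is never touched
        Save(account);
        return RedirectToAction("Index");
    }
}
```

Of the three fixes, the view model is the most robust because the whitelist is expressed by the type itself rather than by a string list that has to be kept in sync with the entity as it grows, and it is also the natural place for the Tip 6 validation attributes.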