SQL Injection
Enables an attacker to execute arbitrary SQL by submitting a malicious SQL string through a form field. The attacker can then read all the data, delete data, etc.
Prevent Attack
- Use Entity Framework; it generates the SQL text for you. However, if you use the SqlQuery method with string concatenation you are vulnerable again, e.g. _context.users.SqlQuery("select * .." + input);
- Use @param placeholders in the SQL string and pass the values as parameters instead of concatenating input.
XSS - cross site scripting
Enables an attacker to execute a malicious script in the victim's browser or on the web page.
Prevent Attack
- Escape output (e.g. &lt;script&gt;) rather than emitting it raw (<script>)
- ASP.NET MVC rejects inputs containing HTML/JavaScript by default (request validation, configurable in web.config)
- Razor views HTML-encode content by default (the exception is Html.Raw())
CSRF - Cross-site Request Forgery
Allows an attacker to perform actions on behalf of a user without their knowledge.
Prevent Attack
- Use @Html.AntiForgeryToken() in the form
- Use the [ValidateAntiForgeryToken] filter on the controller action