Monday, June 27, 2016

.NET: Web Vulnerabilities and Attack Prevention

SQL Injection

Enables an attacker to execute SQL of their choosing by submitting a malicious SQL string through a form field. The attacker can then read all the data and/or delete data, etc.

Prevent Attack
- Use Entity Framework: it generates the SQL text itself and parameterizes the values. However, if you use the SqlQuery method and concatenate input into the string, you are vulnerable again, e.g. _context.users.SqlQuery("select * .." + input);
- Use @param placeholders (parameterized queries) in the SQL string instead of concatenating input
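As an added illustration (not code from the original post), the concatenated SqlQuery call beside its parameterized and LINQ equivalents. It assumes an EF6 DbContext named AppContext with a Users table, a hypothetical model chosen for the example.

```csharp
using System.Collections.Generic;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

// Hypothetical model and context (assumed for this example): EF6 with a dbo.Users table.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class AppContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserQueries
{
    // VULNERABLE: the caller-supplied name is concatenated into the SQL text,
    // so the input is interpreted as part of the query rather than as data.
    public static List<User> FindByNameUnsafe(AppContext db, string name)
    {
        return db.Users
                 .SqlQuery("SELECT * FROM dbo.Users WHERE Name = '" + name + "'")
                 .ToList();
    }

    // SAFE: the value travels as a SqlParameter, so SQL Server treats it purely
    // as data; any quotes or keywords in it are matched literally against Name.
    public static List<User> FindByNameSafe(AppContext db, string name)
    {
        return db.Users
                 .SqlQuery("SELECT * FROM dbo.Users WHERE Name = @name",
                           new SqlParameter("@name", name))
                 .ToList();
    }

    // PREFERRED: let LINQ to Entities generate the SQL; EF parameterizes it for you.
    public static List<User> FindByNameLinq(AppContext db, string name)
    {
        return db.Users.Where(u => u.Name == name).ToList();
    }
}
```

Compare the two SqlQuery variants by passing the same string to both: only the concatenated one lets the text alter the WHERE clause.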

XSS - cross site scripting

Enables an attacker to run a malicious script in the victim's browser or inject it into a web page

Prevent Attack
- Escape output (e.g. &lt;script&gt;) rather than emitting it raw (<script>)
- ASP.NET MVC request validation rejects inputs containing JavaScript/HTML markup by default (configured in web.config)
- Razor views HTML-encode content automatically (exception: Html.Raw())

CSRF - Cross-site Request Forgery

Allows an attacker to perform actions on behalf of a user without the user's knowledge

Prevent Attack
- Use @Html.AntiForgeryToken() in the form
- Use the [ValidateAntiForgeryToken] filter on the controller action