- we want to verify and test user input that comes from untrusted data sources.
- all user input is untrusted.
- client-side validation and server-side validation
- we will filter the input, accepting or rejecting it against predefined criteria
- we will also encode output sent to the site that derives from user input
- - by making sure that the output is treated purely as data and not as markup or code
- 1. the importance of robust input validation
- missing validation can lead to injection and XSS attacks
- input should be validated against data type, minimum and maximum length
- null or not null, numeric range, unique or not, membership in a predefined list, pattern
- input filtering: checking for known good values, known bad values, or a match against a regular expression
- whitelisting or blacklisting
- whitelisting is preferred
- 2. secure input validation using WebForms, ASP.NET Core and MVC
- - WebForms: use validation controls, various types available
- - ASP.NET Core
- - use a CSP header in the HTTP response
- - install Microsoft.AspNet.WebUtilities
- - MVC
- - use ModelState to validate strongly typed models along with the error message
- - don't redirect without validating
- - use proper data annotations
- 3. code techniques against SQL injection attacks
- - what is SQL injection
- - parameterized statements
- - stored procedures
- - escape routines to replace special characters
- - use a least-privileged account, so that damaging statements cannot be executed
- 4. code techniques against XSS attacks
- - what is an XSS attack
- - validate the input and also encode the output
- - make sure everything going out to the browser is treated as data or text
- - we need to inform the renderer or interpreter that everything is text and must not be executed or rendered
- - use HtmlEncode
- - use UrlEncode
- - use the Anti-XSS Library
- 5. code techniques against parameter tampering attacks
- - check data against a trusted source; example: changing a user's password must only be done after checking that the user exists in UserManager (MVC)
- - encrypt and decrypt if needed
- 6. code techniques against directory traversal attacks
- WebForms
- - use Path.Combine after using Server.MapPath
- - disable directory browsing
- - check that the first n characters of the requested file path match the document root
- - do not serve unknown file types: set ServeUnknownFileTypes to false
- - set the static files location to wwwroot
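An added example (not from the original notes) of the Path.Combine plus document-root prefix check from item 6, written as a plain helper so it fits both WebForms (root from Server.MapPath) and ASP.NET Core (root from IWebHostEnvironment.WebRootPath); the temp-directory root and the file names in Main are constructed for the demo.

```csharp
using System;
using System.IO;

// Hypothetical helper, not part of ASP.NET: resolves a user-supplied file name
// against a fixed document root and rejects anything that would escape it.
public static class SafeFileResolver
{
    // Returns the absolute path inside 'documentRoot' for 'requestedName',
    // or null when the request would resolve outside the root.
    public static string Resolve(string documentRoot, string requestedName)
    {
        if (string.IsNullOrWhiteSpace(requestedName)) return null;

        // Normalise the root once: absolute, with a trailing separator, so the
        // prefix test cannot be fooled by a sibling directory such as "wwwroot2".
        string root = Path.GetFullPath(documentRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        // Path.Combine alone is not enough: it keeps ".." segments, and when the
        // second argument is rooted (e.g. "/etc/passwd" or "C:\secrets") it
        // discards the first argument entirely. GetFullPath collapses ".." and
        // yields the path the file system would actually open.
        string candidate = Path.GetFullPath(Path.Combine(root, requestedName));

        // The "first n characters" check from the notes, done on the normalised
        // path: the candidate must start with the root including its separator.
        if (!candidate.StartsWith(root, StringComparison.Ordinal))
            return null;

        return candidate;
    }

    public static void Main()
    {
        // Constructed document root for the demo; in an app this comes from
        // Server.MapPath("~/") or IWebHostEnvironment.WebRootPath.
        string root = Path.Combine(Path.GetTempPath(), "wwwroot");
        Console.WriteLine(Resolve(root, "css/site.css") ?? "rejected");   // allowed
        Console.WriteLine(Resolve(root, "../web.config") ?? "rejected");  // rejected
        Console.WriteLine(Resolve(root, "/etc/passwd") ?? "rejected");    // rejected
    }
}
```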
- 7. code techniques against open redirect attacks
- - ASP.NET Core
- - check IsLocalUrl before redirecting
- - use the X-Frame-Options header to disable framing and avoid clickjacking
- - use CORS carefully
- - never allow all origins; it would accept requests from every domain