Asp.Net Application Security.

I was recently helping a colleague with a customer who was running a security check against their IIS Server on Windows Server 2008.
(Editor’s Note: This is an extremely good thing to do and we do recommend that everyone runs a security check against their server.)

The security tool they used highlighted that the server was running Asp.Net and might be vulnerable to cross-site scripting attacks.

The Asp.Net engine does validate every incoming request.
We do, however, recommend that you still make sure your application itself is not susceptible to the script injection attacks that are out there.
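
One way to act on that recommendation, shown as an added example that is not part of the original post: encode untrusted values for the context they are written into, rather than relying on request validation alone. The `SafeOutput` class and the `name` value are hypothetical, and `HttpUtility.JavaScriptStringEncode` assumes .NET Framework 4 or later.

```csharp
using System;
using System.Web; // HttpUtility: System.Web.dll on .NET Framework, built in on modern .NET

// Added example (not from the original post): encode untrusted input for the
// context it is written into, instead of relying only on request validation.
public static class SafeOutput
{
    // Text placed between HTML tags, e.g. <span>HERE</span>
    public static string ForHtml(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Text placed inside a quoted attribute, e.g. <input value="HERE">
    public static string ForAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value ?? string.Empty);
    }

    // Text placed inside a JavaScript string literal; 'true' adds the surrounding quotes
    public static string ForScriptString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value ?? string.Empty, true);
    }

    // Builds a greeting fragment from a hypothetical "name" request value,
    // applying the encoder that matches each output context.
    public static string RenderGreeting(string name)
    {
        return "<span>Hello, " + ForHtml(name) + "</span>\n"
             + "<input type=\"text\" name=\"name\" value=\"" + ForAttribute(name) + "\" />\n"
             + "<script>var userName = " + ForScriptString(name) + ";</script>";
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample value containing markup and quote characters
        string name = "Pat <b>\"O'Neil\"</b> & Co";
        Console.WriteLine(SafeOutput.RenderGreeting(name));
    }
}
```

In a Web Forms page the same calls apply wherever a request value is assigned to a control property that does not encode on its own, such as `Label.Text`.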

In my reply I highlighted the following links.

Asp.Net Web Application Security.
https://msdn.microsoft.com/en-us/library/330a99hc.aspx

PagesSection.ValidateRequest (This setting enables request validation on the incoming request.)
https://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.validaterequest.aspx

For more on Scripting Exploits read this.
https://msdn.microsoft.com/en-us/library/w1sw53ds.aspx

How Do I Understand and Defend Against Script Injection Attacks in ASP.NET
https://msdn.microsoft.com/en-us/library/w1sw53ds.aspx

Prevent JavaScript Attacks.
https://www.asp.net/mvc/tutorials/older-versions/security/preventing-javascript-injection-attacks-cs

XSRF/CSRF Prevention in ASP.NET MVC and Web Pages
https://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages

 

I hope this helps.