Securing Standard Controls
The ASP.NET standard controls are a group of controls that enable you to create forms in which users can type or select information before a page is posted back to the server. Standard controls are Web server controls that inherit from the Control class. Examples of Web server controls include the TextBox, Image, and AdRotator controls. The information in this topic describes configuration and coding best practices that will help you improve the security of standard controls.
While following coding and configuration best practices can help improve the security of your application, it is also important that you continually keep your application server up to date with the latest security updates for Microsoft Windows and Internet Information Services (IIS), as well as any security updates for Microsoft SQL Server or other data sources.
More detailed information about best practices for writing secure code and securing applications can be found in the book "Writing Secure Code" by Michael Howard and David LeBlanc, or through the guidance provided by Microsoft Patterns and Practices.
Information about special security practices for other types of controls is also available in the following topics:
The AdRotator control displays advertisements defined in an advertisement file, which by default is an XML file. Alternatively, you can store advertisements in a database and extract them programmatically. To help secure the AdRotator control, follow these guidelines:
If you are using an XML file to store advertisement information, place the file in the Web site's App_Data folder, because the contents of the folder will not be served in response to Web requests.
For extra protection, do not use the .xml file name extension on advertisement files. Instead, use an extension such as .ads, and then map the .ads extension to ASP.NET in IIS and to the forbidden handler in ASP.NET using the following element in the site's Web.config file:
<httpHandlers> <add verb="*" path="*.ads" type="System.Web.HttpForbiddenHandler" /> </httpHandlers>
For information on how to map a file name extension to ASP.NET in IIS, see How to: Register HTTP Handlers.
Set appropriate permissions (typically read-only) for the user account or accounts that will be reading the advertisement file. If the Web site supports anonymous access, this is usually the local ASPNET user account or the NETWORK SERVICE account.
If the advertisement file does not exist, the AdRotator control raises an error that displays the path and name of the file, which reveals potentially sensitive information. Avoid this problem by following proper error-handling techniques, including setting the customErrors element in the configuration file to redirect to a custom error page and creating a global error handler that is called if an unhandled exception occurs anywhere in the application. For details, see How to: Display Safe Error Messages.
If you are reading advertisement information from a database, follow the guidelines for securing access to the database. For details, see Securing Data Access.
Carefully examine any advertisement information that you get from an untrusted source before using it with the AdRotator control. Because the AdRotator control does not perform any validation or check the information it reads from the advertisement file, it renders images and URLs to the Web page exactly as they appear in the ad file or database.
BulletedList, CheckBoxList, RadioButtonList, DropDownList, ListBox
The BulletedList, CheckBoxList, DropDownList, ListBox, and RadioButtonList controls render different types of HTML elements (ul, input, and select) based on the contents of collections or on data in a database. To help secure these controls, follow these guidelines:
If the controls read from a database, follow the guidelines for securing access to the database. For details, see Securing Data Access.
If you are unsure whether the information to be displayed contains script or other markup, handle the control's DataBinding event and HTML-encode the information before displaying it. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
If the BulletedList control is configured to display graphics or hyperlinks, make sure that the URL for the graphic or link points to a trusted location.
The Calendar control renders LinkButton controls to enable navigation in the calendar. LinkButton controls use client script to perform a postback. If a browser has turned off client script for security purposes, the Calendar control will not support navigation.
You can always use the Calendar control to display dates, even if you are not using it to enable date navigation. Do not assume that any selected dates in a Calendar control are formatted correctly. When converting dates from the Calendar control to an internal DateTime format, be sure to use appropriate error handling in case the date is not in the correct format.
Do not trust files that are uploaded by users; malicious users might try to upload executable files. When you save an uploaded file, check its file name extension or assign your own extension to the file.
Do not allow users to specify an arbitrary path for the location to save the uploaded file. Check that the name of the file does not contain path information that you have not added yourself.
Do not reveal the internal structure of your Web site to users who are uploading files.
Set read/write permissions for the user account or accounts that will be running the application on the folder or folders where the uploaded files will be saved. If the Web site supports anonymous access, this is generally the local ASPNET user account or the NETWORK SERVICE account. However, limit read/write permissions to only the folder or folders where the application stores uploaded files.
Guard against denial-of-service attacks by setting the maxRequestLength attribute of the httpRuntime element in the configuration file. By default, the maximum request length is 4 megabytes (MB). Other configuration settings that can affect the size of uploaded files are the requestLengthDiskThreshold attribute of the httpRuntime element and the memoryLimit attribute of the processModel element.
The HiddenField control provides you with a way to set the contents of HTML <input type="hidden"> elements in server code. Hidden fields are used to store information in the page that is useful during page processing but should not be seen by users. To help secure the HiddenField control, follow these guidelines:
Do not store sensitive information in HiddenField controls. Although the information is not visible in the browser, it is part of the page and users can easily view it in the page's source.
Do not trust information in hidden fields. Malicious users can tamper with the content of hidden fields.
The HyperLink control renders a URL to the browser. Be sure that the URL points to a trusted location.
Image and ImageMap Controls
The ImageButton control renders an image (img element) that uses client script to perform a postback. If a browser has turned off client script for security purposes, the control will not function.
To display the graphic, the control renders a URL to the browser. Be sure that the URL points to a trusted location.
Label and Literal Controls
The Label and Literal controls display text on the page by passing it through to the browser as-is. (The Label control additionally enables you to specify formatting.) If the text contains HTML markup, by default the browser will interpret the markup and render the text accordingly, which might include running scripts.
If you are using the Label control and are unsure whether the text might contain malicious content, use HTML encoding to convert the HTML to its text representation. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
If you are using the Literal control and are unsure whether the text might contain malicious content, do one of the following:
Use HTML encoding to convert the HTML to its text representation. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
For more information, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
The LinkButton control renders a link (a element) that uses client script to perform a postback. If a browser has turned off client script for security purposes, the control will not function.
If you switch views based on something that can be easily tampered with, such as a URL query string, you could enable someone to see a view that they are not supposed to see. Therefore, be sure that the mechanisms for switching views are as secure as possible. For more information, see ASP.NET State Management Overview.
Because the TextBox control allows users to enter almost any text into the page, you must be careful when accepting user input with this control. To help secure the TextBox control, follow these guidelines:
Use validation controls whenever possible to limit the users' input to acceptable values. For details, see Introduction to the Validation Controls.
Ensure that the IsValid property is set to true before running your server code.
Use redundant server validation. This is especially true for CustomValidator controls; do not create only client-side validation logic.
Set the TextBox control's MaxLength property to limit the quantity of text that users can enter. Malicious users can affect the performance of your application and potentially cause database errors by sending huge quantities of information in a text box.
Encode user input with the HtmlEncode method, which turns HTML into its text representation (for example, <b> becomes <b>), and which helps prevent the HTML from being executed in a browser. For details, see How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings.
Set the TextMode property to Password to prevent the contents of the text box from being viewed in the text box (by displaying dots). Note that setting the TextMode property to Password provides no other protection; the contents of the text box are not encrypted or otherwise obfuscated, and the information is sent to the server as clear text. Therefore, when using Password, provide additional methods for ensuring that data is secured.
If you are collecting sensitive information, such as a password or credit card number, use Secure Sockets Layer (SSL) to secure communication between the client and server. This applies to any use of TextBox controls, including controls that incorporate TextBox controls, such as the CreateUserWizard control.
The Wizard does not inherently protect sensitive information. If you are collecting sensitive data in the wizard, use SSL to secure communication between the client and server for the page containing the Wizard.
To support its functionality, the Wizard control includes a number of non-visible controls. A user can potentially manipulate those controls and their values to display wizard steps out of order or to display wizard steps that should be displayed to only some users. To help prevent this, ensure that wizard steps are displayed in the correct order, and that steps with sensitive information are not displayed unless the correct conditions apply.
When you are displaying the contents of an XML file, if practical, place the XML file in the in your site's App_Data folder because the contents of the folder will not be served in response to Web requests.
Display XML only from trusted sources.
Use transformations only from trusted sources.