Difference between revisions of "CRV2 FrameworkSpecIssuesASPNet"

From OWASP
Revision as of 21:47, 13 July 2013

ASP.NET Security

Input Validation

Anything coming from an external source should be considered input to a web application. This covers not only data a user enters through a web form, but also data retrieved from a web service or a database, and the headers sent by the browser.

Defining what is known as a trust boundary helps to visualize all the places where untrusted input enters the application. ASP.NET offers different kinds of validation depending on the level of control to be applied. By default, ASP.NET request validation checks incoming page requests for potentially dangerous markup and rejects them. The following is a list of the validation types used (MSDN, 2013):

AA CC EE
BB DD FF

Whether a given value can be treated as safe is decided by where it sits relative to that trust boundary: anything crossing the boundary into the application is validated before it is used.
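As an added example (not code from the OWASP page, nor from Microsoft), the following C# program applies allow-list validation to every value that crosses the trust boundary, whether it arrived as a form field, a query-string parameter, a request header or a row read back from the database. The TrustBoundary class, its patterns, the allowed-host list and the sample inputs are all hypothetical and constructed for this illustration.

```csharp
using System;
using System.Globalization;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Hypothetical helper (added example): every value entering the application
// goes through one of these allow-list validators before it is used.
public static class TrustBoundary
{
    // Allow-list pattern: accept only the shape the application expects.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,32}$", RegexOptions.Compiled);

    // Hypothetical list of host names this application is actually served under.
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "www.example.org", "example.org" };

    // Form field or database column: user name. False for anything outside the allow-list.
    public static bool TryUserName(string raw, out string value)
    {
        value = null;
        if (raw == null || !UserNamePattern.IsMatch(raw)) return false;
        value = raw;
        return true;
    }

    // Query-string parameter: order id. Digits only, at most 9 of them (so it cannot
    // overflow an int), parsed with the invariant culture and required to be positive.
    public static bool TryOrderId(string raw, out int value)
    {
        value = 0;
        if (string.IsNullOrEmpty(raw) || raw.Length > 9) return false;
        foreach (char c in raw) if (c < '0' || c > '9') return false;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out value)) return false;
        return value > 0;
    }

    // Request header: Host. The client chooses this value, so it is matched against
    // the allow-list rather than trusted when building absolute URLs.
    public static bool TryHostHeader(string raw, out string value)
    {
        value = null;
        if (raw == null || !AllowedHosts.Contains(raw)) return false;
        value = raw.ToLowerInvariant();
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs standing in for a form field, a query-string
        // parameter, a request header and a column read back from the database.
        var samples = new (string Source, string Raw)[]
        {
            ("form:userName", "alice_01"),
            ("form:userName", "alice<script>"),
            ("query:orderId", "42"),
            ("query:orderId", "42 OR 1=1"),
            ("header:Host",   "www.example.org"),
            ("header:Host",   "attacker.example.net"),
            ("db:userName",   "bob'; DROP TABLE users--"),   // stored data is input too
        };

        foreach (var (source, raw) in samples)
        {
            bool ok;
            string shown;
            if (source.EndsWith("userName"))
            {
                ok = TrustBoundary.TryUserName(raw, out string v);
                shown = v;
            }
            else if (source.EndsWith("orderId"))
            {
                ok = TrustBoundary.TryOrderId(raw, out int v);
                shown = v.ToString(CultureInfo.InvariantCulture);
            }
            else
            {
                ok = TrustBoundary.TryHostHeader(raw, out string v);
                shown = v;
            }
            Console.WriteLine("{0,-15} {1,-26} {2}", source, raw, ok ? "accepted: " + shown : "rejected");
        }
    }
}
```

ASP.NET's built-in request validation, which is enabled by default, rejects requests containing a fixed set of potentially dangerous patterns; it is a safety net, not a substitute for allow-list checks like the ones above, and data that arrives through a database row or a web-service response never passes through it at all.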

Data Encryption

Authentication and Authorization

Creating a Semi-Trusted Application