Difference between revisions of "CRV2 FrameworkSpecIssuesASPNet"

From OWASP

Revision as of 21:55, 13 July 2013


ASP.NET Security

Input validation

Anything coming from an external source can be considered input to a web application. This covers not only data a user enters through a web form, but also data retrieved from a web service or a database, and the headers sent by the browser.

Defining what is known as a trust boundary helps to visualize all possible untrusted inputs. ASP.NET offers different types of validation depending on the level of control to be applied. By default, web page code is validated against malicious users. The following is a list of the validation types used (MSDN, 2013):

{| class="wikitable"
! Type of validation !! Control to use !! Description
|-
| Required entry || RequiredFieldValidator || Ensures that the user does not skip an entry.
|-
| Comparison to a value || CompareValidator || Compares a user's entry against a constant value, against the value of another control (using a comparison operator such as less than, equal, or greater than), or for a specific data type.
|-
| Range checking || RangeValidator || Checks that a user's entry is between specified lower and upper boundaries. You can check ranges within pairs of numbers, alphabetic characters, and dates.
|-
| Pattern matching || RegularExpressionValidator || Checks that the entry matches a pattern defined by a regular expression. This type of validation enables you to check for predictable sequences of characters, such as those in e-mail addresses, telephone numbers, postal codes, and so on.
|-
| User-defined || CustomValidator || Checks the user's entry using validation logic that you write yourself. This type of validation enables you to check for values derived at run time.
|}

One way to define when input may be treated as safe is to define a trust boundary: everything that crosses it from outside is validated before use.
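The following single-file Web Forms page is an added example, not part of the original page or of any OWASP project code; it wires all five validator types from the table above to one sign-up form and shows the server-side check that must accompany them. The control names, the "plan" field and its whitelist are assumptions constructed for the example.

```aspx
<%@ Page Language="C#" %>
<%-- Added example; control names and the plan whitelist are constructed. --%>
<script runat="server">
    // CustomValidator callback: runs on the server, never in the browser.
    protected void PlanIsKnown(object source, ServerValidateEventArgs args)
    {
        string[] knownPlans = { "basic", "pro" }; // constructed sample list
        args.IsValid = Array.IndexOf(knownPlans, args.Value.Trim().ToLowerInvariant()) >= 0;
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Client-side validation can be disabled or bypassed, so only the
        // server-side verdict in Page.IsValid decides whether input is trusted.
        if (!Page.IsValid) { return; }
        Result.Text = "Accepted";
    }
</script>
<html><body><form id="f" runat="server">
    <asp:ValidationSummary ID="Summary" runat="server" />

    <asp:TextBox ID="Email" runat="server" />
    <%-- Pattern and range validators treat an empty field as valid, so a
         RequiredFieldValidator is needed alongside them. --%>
    <asp:RequiredFieldValidator runat="server" ControlToValidate="Email"
        ErrorMessage="E-mail is required." Display="Dynamic" />
    <asp:RegularExpressionValidator runat="server" ControlToValidate="Email"
        ValidationExpression="^[^@\s]+@[^@\s]+\.[^@\s]+$"
        ErrorMessage="E-mail format is invalid." Display="Dynamic" />

    <asp:TextBox ID="Age" runat="server" />
    <asp:RangeValidator runat="server" ControlToValidate="Age" Type="Integer"
        MinimumValue="18" MaximumValue="120"
        ErrorMessage="Age must be between 18 and 120." Display="Dynamic" />

    <asp:TextBox ID="Password" runat="server" TextMode="Password" />
    <asp:TextBox ID="Confirm" runat="server" TextMode="Password" />
    <asp:CompareValidator runat="server" ControlToValidate="Confirm"
        ControlToCompare="Password" Operator="Equal"
        ErrorMessage="Passwords do not match." Display="Dynamic" />

    <asp:TextBox ID="Plan" runat="server" />
    <%-- ValidateEmptyText makes the custom check run even for a blank field. --%>
    <asp:CustomValidator runat="server" ControlToValidate="Plan"
        ValidateEmptyText="true" OnServerValidate="PlanIsKnown"
        ErrorMessage="Unknown plan." Display="Dynamic" />

    <asp:Button ID="Submit" runat="server" Text="Sign up" OnClick="Submit_Click" />
    <asp:Label ID="Result" runat="server" />
</form></body></html>
```

The button's default CausesValidation setting runs every validator before Submit_Click, so the handler's Page.IsValid test is the trust boundary for this form.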

Data Encryption

Authentication and Authorization

Creating a Semi-Trusted Application