Learn about basic security issues for ASP.NET MVC organised by OWASP issue.
For day-to-day development I would start with A1 Injection, A3 Cross-Site Scripting (XSS), A4 Insecure Direct Object References and A8 Cross-Site Request Forgery (CSRF), as these are practical issues your entire team needs to understand.
OWASP: A1 Injection
- SQL Injection: Use Parameterisation
- SQL Injection: Stored Procedures & EXEC, SP_EXECUTE
- SQL Injection: Code Review Hint 1
- SQL Injection: Code Review Hint 2
OWASP: A2 Broken Authentication and Session Management
- Weak\Broken Authentication and Session Management
- Salt and hash your passwords
- Securing Password Change Top 10, well 13
OWASP: A3 Cross-Site Scripting (XSS)
- ASP.NET (Client\Active) XSS Example
- XSS Prevention – Request Validation
- XSS Prevention – Validating User Input
- ASP.NET (Server\Passive) XSS Code Review
- The following make life harder for a hacker for a few hours' work
OWASP: A4 Insecure Direct Object References
- Direct object reference\Function Level Access Control
- ORMs & hidden fields
- Direct Object Reference – URL tampering: Code Review Hints
OWASP: A5 Security Misconfiguration
- Uploading files
- Accessing databases
- HTTPOnly cookies
- Require SSL cookies
- Deploy files carefully
- IIS retail set to true
- SSL RC4 issues
- Serve Your Login Page using HTTPS\SSL
- Security Stamping (for device loss)
- Secret questions and answer design
OWASP: A6 Sensitive Data Exposure
- Coming Soon
OWASP: A7 Missing Function Level Access Control
OWASP: A8 Cross-Site Request Forgery (CSRF)
OWASP: A9 Using Components with Known Vulnerabilities
OWASP: A10 Unvalidated Redirects and Forwards
General Articles