CSRF (ASP.NET MVC): Code Review – ValidateAntiForgeryToken

Before we look at code reviewing for CSRF If you need to apply a CSRF token to standard screen see here – CSRF – Cross Site Request Forgery. If you need to apply a CSRF token to an ajax post see here – CSRF – AntiForgeryToken and AJAX To code review for CSRF across a lot […]


ASP.NET (Server\Passive) XSS Encoding Code Review

When code reviewing ASP.NET MVC application to prevent passive XSS issues (for an example of an active XSS issue see ASP.NET (Client\Active) XSS) there are two areas broadly to consider, what is 1) being submitted and stored in your db in the first place i.e. prevent anything nasty from being stored in the first place 2) being […]

Direct Object Reference within an MVC controller

A Direct Object Reference security breach occurs when a user changes an id, usually within a url (or perhaps a hidden field) and suddenly sees information (or performs an action) that he or she is not supposed to be able to do. So a the url had in it “order=1″ and a user changes it to “order=2″ hopefully the website […]

ORM\ERM and hidden fields

Hidden fields can pose a major security risk when used in conjunction with ORM\ERM. An ORM\ERM provides a way to map your classes into a database scheme and usually provides code to retrieve and save the objects. Sometimes the mapping is a simple 1:1 between the class and the database tables behind it or it can […]

ASP.NET (Client\Active) XSS

Below is an example of active\client XSS that I ran into sometime ago. Active\client XSS refers to the situation when the user themselves does something to inject malicious code or html into a website that compromises themselves. You are probably thinking why on earth would they do that. Well below is a good example of how a […]

IIS Retail set to True

One handy deployment tip is to set IIS retail mode to true in the Machine.config: <system.web> <deployment retail=”true”/> </system.web> This will disable tracing output & debug mode and also force custom errors to On. Note if you are trying to debug a problem on webserver using CustomErrors set to remoteonly and it is not working this […]

Accessing Databases from your applications

The best advice really depends on how your infrastructure is configured and how complex your deployment is. Is the code split between web and app servers? Which domains do the machines sit on (web, app, sql) are they all one domain or different domains? As with all things one size does not fit all -however […]