XSS – Validating User Input

Server\Passive XSS is when a malicious script or HTML is injected by a hacker, usually through your website, and is then persisted or stored somewhere – this is usually in your database. Then another user views a page that references the content, the website passes the malicious script or HTML to the innocent user’s browser and […]


XSS Prevention – Request Validation

Out of the box ASP.NET request validation will check for potentially dangerous input in cookies, url query string or posted form values. If any javascript or html is detected the validation will respond with “potentially dangerous input was detected”. This is the first line of defence. Of course in some cases you may wish to […]

Using Components with Known Vulnerabilities

OWASP lists “Using Components with Known Vulnerabilities” as a major issue. Developers tend to pull in libraries from nuget and other sources rather than writting their own components. In general these components are probably of a better quality than an individual would write. However as they are in the public domain once a weakness is […]

Unvalidated Redirects and Forwards

An unvalidated redirect or a forward is when your website for whatever reason redirects a user to a different webpage. There is a risk is that a hacker somehow takes control of where the redirection takes the user. If the redirect is unvalidated (i.e. you don’t check where it is going) then there is a danger […]

CSRF – AntiForgeryToken and AJAX

Below shows how to apply an Cross Site (anti) Forgery – CSRF) token to MVC page that posts data using Ajax. This is converted from the following stackoverflow question here. First wire up the ajax call and check it works. Then add the [ValidateAntiForgeryToken] and [HttpPost] attribute to your action in the controller. At this […]

SQL Injection: Stored Procedures & EXEC, SP_EXECUTE

Stored procedures are generally a good way of preventing SQL injection as they encourage parameterisation. A big exception to this rule is if exec\execute\sp_executesql is used within a stored procedure, these may run a string built up from component parts. These component parts can have malicious code injected into them. The contents of your stored procedure […]

SQL Injection: Use Parameters

The biggest cause of SQL injection is developers not using parameterised statements or stored procedures (which are usually parameterised). For example in c# code it is possible to call SQL commands using the SqlCommand object like below: string selectString = @”select MyColumn from Mytable where MyOtherColumn = ” + value; SqlCommand cmd = new SqlCommand(); cmd.CommandText […]

Direct Object Reference – URL tampering : Code Review

Before worrying about direct object reference issues first check that your controllers and actions are secured. Does every controller have [Authorize(XXX)] added to it? If not understand why Then for those controllers missing [Authorize(XXX)] check each action has [Authorize(XXX)] applied to it. Again if this is missing ask why is it missing? Does it make sense for the action […]

CSRF – Cross Site Request Forgery

Background: What is a CSRF (Cross site request forgery)? The concept is best explained with an example. Say there is a website (MyBank) with some functionality to transfer money. Say a user logins into the website and transfers money to their friend B. The user then looks at another site (MyFavoriteTeam). Unfortunately the other site […]