CSRF – AntiForgeryToken and AJAX

The following shows how to apply an anti-forgery (Cross-Site Request Forgery, CSRF) token to an MVC page that posts data using Ajax. This is converted from the following Stack Overflow question here. First wire up the Ajax call and check it works. Then add the [ValidateAntiForgeryToken] and [HttpPost] attributes to your action in the controller. At this […]

SQL Injection: Stored Procedures & EXEC, SP_EXECUTE

Stored procedures are generally a good way of preventing SQL injection as they encourage parameterisation. A big exception to this rule is when exec\execute\sp_executesql is used within a stored procedure, because these may run a string built up from component parts. These component parts can have malicious code injected into them. The contents of your stored procedure […]

SQL Injection: Use Parameters

The biggest cause of SQL injection is developers not using parameterised statements or stored procedures (which are usually parameterised). For example, in C# code it is possible to call SQL commands using the SqlCommand object like below: string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value; SqlCommand cmd = new SqlCommand(); cmd.CommandText […]

Direct Object Reference – URL tampering : Code Review

Before worrying about direct object reference issues, first check that your controllers and actions are secured. Does every controller have [Authorize(XXX)] added to it? If not, understand why. Then, for those controllers missing [Authorize(XXX)], check that each action has [Authorize(XXX)] applied to it. Again, if this is missing, ask why. Does it make sense for the action […]

CSRF – Cross Site Request Forgery

Background: What is a CSRF (Cross-Site Request Forgery)? The concept is best explained with an example. Say there is a website (MyBank) with some functionality to transfer money. Say a user logs into the website and transfers money to their friend B. The user then looks at another site (MyFavoriteTeam). Unfortunately the other site […]

SQL Injection : Parameterization Code Review

In C# code it is possible to call SQL commands using the SqlCommand object like below: string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value; SqlCommand cmd = new SqlCommand(); cmd.CommandText = selectString; cmd.Connection = conn; cmd.ExecuteReader(); The code above should be using parameterized statements or stored procedures. A parameterized statement is shown […]

SQL Injection EXECUTE\EXEC\SP_EXECUTE : Code Review

This review is about the misuse of EXECUTE\EXEC\SP_EXECUTE in stored procedures. To find the at-risk stored procedures, run the query below: SELECT DISTINCT o.name AS Object_Name, o.type_desc FROM sys.sql_modules m INNER JOIN sys.objects o ON m.object_id = o.object_id WHERE m.definition LIKE '%exec%'; Then scan the contents of anything returned. 95% will be eliminated with […]

ASP.NET (Server\Passive) XSS Encoding Code Review

When code reviewing an ASP.NET MVC application to prevent passive XSS issues (for an example of an active XSS issue see ASP.NET (Client\Active) XSS), there are broadly two areas to consider: what is 1) being submitted and stored in your db in the first place, i.e. prevent anything nasty from being stored in the first place, 2) being […]