XSS – Validating User Input

Server\Passive XSS is when a malicious script or HTML is injected by a hacker, usually through your website, and is then persisted or stored somewhere – this is usually in your database. Then another user views a page that references the content, the website passes the malicious script or HTML to the innocent user’s browser and […]

SQL Injection: Stored Procedures & EXEC, SP_EXECUTE

Stored procedures are generally a good way of preventing SQL injection as they encourage parameterisation. A big exception to this rule is if exec\execute\sp_executesql is used within a stored procedure, these may run a string built up from component parts. These component parts can have malicious code injected into them. The contents of your stored procedure […]

Direct Object Reference – URL tampering : Code Review

Before worrying about direct object reference issues first check that your controllers and actions are secured. Does every controller have [Authorize(XXX)] added to it? If not understand why Then for those controllers missing [Authorize(XXX)] check each action has [Authorize(XXX)] applied to it. Again if this is missing ask why is it missing? Does it make sense for the action […]

CSRF – Cross Site Request Forgery

Background: What is a CSRF (Cross site request forgery)? The concept is best explained with an example. Say there is a website (MyBank) with some functionality to transfer money. Say a user logins into the website and transfers money to their friend B. The user then looks at another site (MyFavoriteTeam). Unfortunately the other site […]

SQL Injection : Parameterization Code Review

In c# code it is possible to call SQL commands using the SqlCommand object like below: string selectString = @”select MyColumn from Mytable where MyOtherColumn = ” + value; SqlCommand cmd = new SqlCommand(); cmd.CommandText = selectString; cmd.Connection = conn; cmd.ExecuteReader(); The code above should be using parameterized statements or stored procedures. A parameterized statement is shown […]


This review is around the misue of EXECUTE\EXEC\SP_EXECUTE in stored procedures. To find the at risk stored procedures run the query below: SELECT DISTINCT o.name AS Object_Name, o.type_desc FROM sys.sql_modules m INNER JOIN sys.objects o ON m.object_id = o.object_id WHERE m.definition Like ‘%exec%’; Then scan the contents of anything returned. 95% will be eliminated with […]

Direct Object Reference within an MVC controller

A Direct Object Reference security breach occurs when a user changes an id, usually within a url (or perhaps a hidden field) and suddenly sees information (or performs an action) that he or she is not supposed to be able to do. So a the url had in it “order=1″ and a user changes it to “order=2″ hopefully the website […]

ASP.NET (Client\Active) XSS

Below is an example of active\client XSS that I ran into sometime ago. Active\client XSS refers to the situation when the user themselves does something to inject malicious code or html into a website that compromises themselves. You are probably thinking why on earth would they do that. Well below is a good example of how a […]