CSRF – Cross Site Request Forgery

Background: What is a CSRF (Cross site request forgery)? The concept is best explained with an example. Say there is a website (MyBank) with some functionality to transfer money. Say a user logs into the website and transfers money to their friend B. The user then looks at another site (MyFavoriteTeam). Unfortunately the other site […]

SQL Injection : Parameterization Code Review

In C# code it is possible to call SQL commands using the SqlCommand object like below:

string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value;
SqlCommand cmd = new SqlCommand();
cmd.CommandText = selectString;
cmd.Connection = conn;
cmd.ExecuteReader();

The code above should be using parameterized statements or stored procedures. A parameterized statement is shown […]

ASP.NET (Server\Passive) XSS Encoding Code Review

When code reviewing an ASP.NET MVC application to prevent passive XSS issues (for an example of an active XSS issue see ASP.NET (Client\Active) XSS) there are broadly two areas to consider: what is 1) being submitted and stored in your db in the first place, i.e. prevent anything nasty from being stored at all, and 2) being […]

Direct Object Reference within an MVC controller

A Direct Object Reference security breach occurs when a user changes an id, usually within a url (or perhaps a hidden field), and suddenly sees information (or performs an action) that he or she is not supposed to be able to see or do. So if the url had "order=1" in it and a user changes it to "order=2", hopefully the website […]

ASP.NET (Client\Active) XSS

Below is an example of active\client XSS that I ran into some time ago. Active\client XSS refers to the situation where the users themselves do something to inject malicious code or html into a website that compromises themselves. You are probably thinking why on earth would they do that. Well below is a good example of how a […]

IIS Retail set to True

One handy deployment tip is to set IIS retail mode to true in the Machine.config:

<system.web>
  <deployment retail="true"/>
</system.web>

This will disable tracing output and debug mode and also force custom errors to On. Note that if you are trying to debug a problem on a web server with customErrors set to RemoteOnly and it is not working, this […]

Balancing User experience UX (usability) versus security

When designing a security system for a website, one of the considerations is user experience versus security. For instance, displaying the following different error messages often leaks information:

file not found
folder not found
server error has occurred
username not found
email address not found

As someone enters different urls, information about your website […]

Uploading and Storing Files Safely on a Website

Letting users upload files into a website is an area that requires careful management. Obviously there is a decision to be made around whether to store the file in a database or on the file system. Also the file should be virus scanned. Note that in business systems users can often upload files like pdf that […]

RequireSSL – Marking Cookies As Secure

If your site always intends to serve its content over HTTPS/SSL then every request that passes between the browser and web server will encrypt the cookies. Excellent – no one monitoring or sniffing the traffic can see the cookie value. However, even if you intend to always use HTTPS, if ANY content is supplied over http (javascript files, images, […]

Mark Cookies as HTTPONLY

Marking your cookies as HTTPONLY will mean that JavaScript code running in most browsers cannot access a user's cookies. This is important because if a hacker does manage to compromise your site and inject JavaScript, it may be possible for the hacker to steal the values of cookies (including security cookies). If HTTPONLY is set on the cookies […]