Securing Password Change: Top 10, well, 13

By password change I mean a logged-on user deciding to update their password, i.e. they know the current password. The following need consideration:
- Remember to add the functionality in the first place, as it is good practice
- Make sure the pages and responses are over HTTPS
- The user should have to enter their original […]

Salt and hash your passwords

Encryption attempts to secure information by passing it through algorithms that are difficult to crack without the appropriate keys. By definition anything encrypted can be reversed by design: whoever holds the key gets the original back. Hashing takes a string (A) and passes it through an algorithm to make another string (B) in such a manner that reverse engineering string (B) to […]

Security Stamping

Consider the following scenario: a user logs on to a website with device A and does not log off. Perhaps they lose the device, e.g. a smart phone. The user then panics, logs on to device B (a laptop), goes to the website and changes their password. The user would hope that device A no longer works […]
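The password change checklist above and this security stamp scenario are the same piece of code in ASP.NET Identity 2.x, so here is one added example covering both (my code, not the post's). It assumes the standard Identity template types ApplicationUser, ApplicationUserManager and the template's GenerateUserIdentityAsync method; everything else is the public Microsoft.AspNet.Identity and Microsoft.Owin.Security.Cookies API.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example, not the original post's code. Assumes the ASP.NET Identity 2.x
// project template types ApplicationUser and ApplicationUserManager.
public class ChangePasswordViewModel
{
    [Required]
    public string OldPassword { get; set; }   // the user must prove they know the current one

    [Required, MinLength(12)]
    public string NewPassword { get; set; }
}

[Authorize]      // only a logged-on user can change their own password
[RequireHttps]   // the form, the POST and the response all travel over HTTPS
public class ManageController : Controller
{
    private ApplicationUserManager UserManager =>
        HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> ChangePassword(ChangePasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        // ChangePasswordAsync checks OldPassword against the stored hash before
        // it stores the new hash, and updates the user's SecurityStamp as part
        // of the same operation. If you write your own user store, call
        // UserManager.UpdateSecurityStampAsync(userId) yourself after the change.
        IdentityResult result = await UserManager.ChangePasswordAsync(
            User.Identity.GetUserId(), model.OldPassword, model.NewPassword);

        if (!result.Succeeded)
        {
            ModelState.AddModelError("", "Current password is incorrect or the new password is too weak.");
            return View(model);
        }
        return RedirectToAction("Index");
    }
}

// Startup.Auth.cs: rotating the stamp achieves nothing unless the cookie
// middleware is told to re-check it against the database.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always,   // never send the cookie over plain HTTP
            Provider = new CookieAuthenticationProvider
            {
                // Every validateInterval the stamp inside the cookie is compared
                // with the one stored for the user; on a mismatch the session is
                // signed out. Device A's old cookie therefore stops working
                // within 30 minutes of the password change on device B.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) =>
                            user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}
```

The validateInterval is the trade-off: a shorter interval cuts the lost device off sooner at the cost of a database read per interval per session. Setting it to zero checks on every request.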

XSS – Validating User Input

Server\Passive XSS is when malicious script or HTML is injected by an attacker, usually through your website, and is then persisted or stored somewhere, usually in your database. When another user views a page that references the content, the website passes the malicious script or HTML to the innocent user's browser and […]

XSS Prevention – Request Validation

Out of the box, ASP.NET request validation checks for potentially dangerous input in cookies, the URL query string and posted form values. If anything that looks like JavaScript or HTML is detected, the request is rejected with an HttpRequestValidationException ("A potentially dangerous Request.Form value was detected from the client"). This is the first line of defence, not the only one. Of course in some cases you may wish to […]
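An added example of mine (not the post's code) in two parts: a subclass of System.Web.Util.RequestValidator that exercises the built-in check directly, so you can see that it is a character heuristic rather than an HTML parser, and the MVC way to exempt one field rather than switching validation off. Passing null for the HttpContext relies on the default check not using it, which is an assumption of this example; the sample values are constructed.

```csharp
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

// Added example, not the original post's code. Registering the validator in
// web.config is what makes ASP.NET use it for real requests:
//   <httpRuntime requestValidationType="MyApp.LoggingRequestValidator" />
public class LoggingRequestValidator : RequestValidator
{
    // Same heuristic the framework applies to every form/query/cookie value.
    public bool Check(string value, RequestValidationSource source, string key)
    {
        int failureIndex;
        return IsValidRequestString(null, value, source, key, out failureIndex);
    }

    protected override bool IsValidRequestString(HttpContext context, string value,
        RequestValidationSource source, string collectionKey, out int validationFailureIndex)
    {
        bool ok = base.IsValidRequestString(context, value, source, collectionKey, out validationFailureIndex);
        // A rejected value is an attack attempt or a broken form; either way it is
        // worth logging, which the stock validator does not do.
        if (!ok) Console.WriteLine("request validation rejected {0} '{1}' at index {2}",
            collectionKey, value, validationFailureIndex);
        return ok;
    }
}

public static class RequestValidationDemo
{
    public static void Main()
    {
        var validator = new LoggingRequestValidator();
        string[] samples =
        {
            "Hello, world",
            "O'Reilly & Sons",                // a lone '&' or quote is not what the check looks for
            "<script>alert(1)</script>",      // '<' followed by a letter
            "<img src=x onerror=alert(1)>",   // same rule, different tag
            "</b>",                           // '<' followed by '/'
            "&#60;script&#62;",               // '&#' numeric entities
            "x < y",                          // '<' followed by a space: not flagged
        };
        foreach (string s in samples)
        {
            bool accepted = validator.Check(s, RequestValidationSource.Form, "comment");
            Console.WriteLine("{0,-32} {1}", s, accepted ? "accepted" : "rejected");
        }
    }
}

// The MVC side: exempt only the property that legitimately carries markup.
public class CommentViewModel
{
    public string Author { get; set; }   // still validated

    [AllowHtml]                          // narrow opt-out for a rich-text editor field
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(CommentViewModel model)
    {
        // Body may now contain markup: it has to be sanitised before it is stored
        // or encoded before it is rendered. [AllowHtml] only removes the check.
        return RedirectToAction("Index");
    }

    // The coarse alternative: every value in this request goes unchecked.
    [HttpPost, ValidateInput(false)]
    public ActionResult Import(string rawHtml)
    {
        return RedirectToAction("Index");
    }
}
```

Because the check is a heuristic, an input that passes it is not known to be safe; "x < y" is harmless here but the same mechanism will not catch, for example, a payload that only becomes script after it is placed inside a JavaScript string. Output encoding has to happen regardless.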

SQL Injection: Use Parameters

The biggest cause of SQL injection is developers not using parameterised statements or stored procedures (which are usually parameterised). For example, in C# it is possible to build SQL commands using the SqlCommand object like this:

    string selectString = @"select MyColumn from Mytable where MyOtherColumn = " + value;
    SqlCommand cmd = new SqlCommand();
    cmd.CommandText […]
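Here is the same query done both ways, as an added example rather than the post's code. The table and column names come from the snippet above; the connection string, the stored procedure name dbo.GetMyColumn and the attack string are this example's assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the original post's code.
public static class SafeQueries
{
    // The pattern from the post: the user's value becomes part of the SQL text,
    // so a value of "1 OR 1=1" turns a one-row lookup into a whole-table dump.
    public static string VulnerableSql(string value)
    {
        return "select MyColumn from MyTable where MyOtherColumn = " + value;
    }

    // Parameterised: the SQL text is fixed; the value is sent to SQL Server
    // separately as data, so "1 OR 1=1" is just a string that matches no row.
    public static SqlCommand ParameterisedCommand(SqlConnection conn, string value)
    {
        var cmd = new SqlCommand(
            "select MyColumn from MyTable where MyOtherColumn = @value", conn);
        // Declare type and length explicitly. If the column is numeric, parse
        // the input to int first and bind SqlDbType.Int instead.
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value = value;
        return cmd;
    }

    // A stored procedure is parameterised the same way; the procedure itself
    // must not rebuild dynamic SQL from its arguments.
    public static SqlCommand StoredProcedureCommand(SqlConnection conn, string value)
    {
        var cmd = new SqlCommand("dbo.GetMyColumn", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value = value;
        return cmd;
    }

    // Runs the parameterised query and returns the first column of the first row.
    public static string Lookup(string connectionString, string value)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = ParameterisedCommand(conn, value))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : result.ToString();
        }
    }

    public static void Main()
    {
        const string attack = "1 OR 1=1";   // constructed attacker input

        // The WHERE clause now reads "MyOtherColumn = 1 OR 1=1": true for every row.
        Console.WriteLine(VulnerableSql(attack));

        using (var conn = new SqlConnection("Server=.;Database=MyDb;Integrated Security=true"))
        using (var cmd = ParameterisedCommand(conn, attack))
        {
            Console.WriteLine(cmd.CommandText);                 // still "@value", input never enters the text
            Console.WriteLine(cmd.Parameters["@value"].Value);  // the whole attack string, as one value
        }
    }
}
```

The useful review question is not "is there a SqlCommand" but "does any string that reaches CommandText contain a value from the request"; string.Format, interpolation and StringBuilder are the same bug as the concatenation above.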

ASP.NET (Server\Passive) XSS Encoding Code Review

When code reviewing an ASP.NET MVC application to prevent passive XSS issues (for an example of an active XSS issue see ASP.NET (Client\Active) XSS) there are broadly two areas to consider, what is 1) being submitted and stored in your db in the first place, i.e. prevent anything nasty from being stored at all, and 2) being […]
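For the stored-XSS post above and this review checklist, one added example (mine, not the post's): the encoder to use for each output context, from System.Web.Security.AntiXss (.NET 4.5+), applied to a constructed stored payload, plus a small scan for the Razor and C# constructs that bypass encoding, which is what a reviewer greps for. The payload, the sample source lines and the pattern list are this example's own.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web.Security.AntiXss;

// Added example, not the original post's code.
public static class XssOutputReview
{
    // A comment an attacker managed to get stored (constructed for the example).
    // The reviewer's question is what happens when it is rendered in each context.
    public const string StoredPayload = "<img src=x onerror=\"alert('stored')\">";

    // Text between tags. Razor's @Model.Comment does this for you; Html.Raw(...) does not.
    public static string ForHtmlBody(string s) => AntiXssEncoder.HtmlEncode(s, useNamedEntities: false);

    // Inside a quoted attribute: title="@Model.Comment". Razor encodes here too,
    // but only the quotes make it safe; an unquoted attribute stays injectable.
    public static string ForHtmlAttribute(string s) => AntiXssEncoder.HtmlAttributeEncode(s);

    // Inside a <script> string literal: HTML encoding is the wrong tool here.
    public static string ForJavaScriptString(string s) => AntiXssEncoder.JavaScriptStringEncode(s);

    // Inside a URL query value: <a href="/search?q=...">.
    public static string ForUrlQueryValue(string s) => AntiXssEncoder.UrlEncode(s);

    // Constructs that emit unencoded output or switch input checks off. Each hit
    // is not necessarily a bug, but each one needs a reason written next to it.
    private static readonly Regex RawOutputPattern = new Regex(
        @"Html\.Raw\(|MvcHtmlString\.Create\(|new HtmlString\(|Response\.Write\(|\bIHtmlString\b|ValidateInput\(false\)|\[AllowHtml\]",
        RegexOptions.Compiled);

    public static bool NeedsReview(string sourceLine) => RawOutputPattern.IsMatch(sourceLine);

    public static void Main()
    {
        Console.WriteLine("body:      " + ForHtmlBody(StoredPayload));
        Console.WriteLine("attribute: " + ForHtmlAttribute(StoredPayload));
        Console.WriteLine("js string: " + ForJavaScriptString(StoredPayload));
        Console.WriteLine("url value: " + ForUrlQueryValue(StoredPayload));

        // Constructed lines standing in for a grep over the views and controllers.
        string[] sourceLines =
        {
            "<p>@Model.Comment</p>",                          // Razor encodes this
            "<p>@Html.Raw(Model.Comment)</p>",                // raw output: only ever for sanitised HTML
            "return MvcHtmlString.Create(comment);",          // marks the string as already safe
            "public string Comment { get; set; }",
            "[AllowHtml] public string Body { get; set; }",   // markup allowed in: where is it sanitised?
        };
        foreach (string line in sourceLines)
            Console.WriteLine("{0} {1}", NeedsReview(line) ? "REVIEW" : "ok    ", line);
    }
}
```

The two halves map onto the two review areas: the scan finds where markup is allowed in or let out unencoded, and the encoders are what should be at every remaining output point, chosen by context rather than applying HtmlEncode everywhere.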

Direct Object Reference within an MVC controller

A Direct Object Reference security breach occurs when a user changes an id, usually within a URL (or perhaps a hidden field), and suddenly sees information (or performs an action) that he or she is not supposed to be able to. So if the URL had "order=1" in it and a user changes it to "order=2", hopefully the website […]
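The check that makes "order=2" fail for the wrong user, as an added example that is not the post's code. The Order type, the in-memory list standing in for a repository and the OwnerId convention are this example's assumptions; the controller uses the public ASP.NET MVC and Microsoft.AspNet.Identity API.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Added example, not the original post's code.
public class Order
{
    public int Id { get; set; }
    public string OwnerId { get; set; }
    public decimal Total { get; set; }
}

public static class OrderAccess
{
    // Vulnerable lookup: any logged-on user who guesses an id gets the order.
    public static Order FindById(IEnumerable<Order> orders, int id)
    {
        return orders.SingleOrDefault(o => o.Id == id);
    }

    // Fixed lookup: the id is only meaningful inside the current user's own
    // orders. Putting the ownership test in the query means no caller can
    // forget it, and there is no window where the wrong row is loaded first.
    public static Order FindForUser(IEnumerable<Order> orders, int id, string userId)
    {
        return orders.SingleOrDefault(o => o.Id == id && o.OwnerId == userId);
    }
}

[Authorize]
public class OrdersController : Controller
{
    private readonly IEnumerable<Order> _orders;   // hypothetical repository, injected elsewhere
    public OrdersController(IEnumerable<Order> orders) { _orders = orders; }

    // GET /Orders/Details?order=2
    public ActionResult Details(int order)
    {
        Order found = OrderAccess.FindForUser(_orders, order, User.Identity.GetUserId());
        // 404 rather than 403: a 403 confirms to the attacker that order 2 exists.
        if (found == null) return HttpNotFound();
        return View(found);
    }

    // The same rule applies to actions, not just reads: a hidden field holding
    // the id is as easy to edit as the query string.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Cancel(int order)
    {
        Order found = OrderAccess.FindForUser(_orders, order, User.Identity.GetUserId());
        if (found == null) return HttpNotFound();
        // ... cancel the order ...
        return RedirectToAction("Index");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed data: two users, one order each.
        var orders = new List<Order>
        {
            new Order { Id = 1, OwnerId = "alice", Total = 10m },
            new Order { Id = 2, OwnerId = "bob",   Total = 250m },
        };
        // alice edits order=1 to order=2 in the URL.
        Order unscoped = OrderAccess.FindById(orders, 2);
        Order scoped = OrderAccess.FindForUser(orders, 2, "alice");
        Console.WriteLine("unscoped lookup: " + (unscoped == null ? "nothing" : unscoped.OwnerId + "'s order"));
        Console.WriteLine("scoped lookup:   " + (scoped == null ? "nothing" : "bob's order leaked"));
    }
}
```

Where an object legitimately has several readers (an order visible to the customer and to support staff), replace the single OwnerId comparison with a query over the user's permitted set; the principle is the same, the row is fetched through the caller's rights, never by id alone.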

Uploading and Storing Files Safely on a Website

Letting users upload files to a website is an area that requires careful management. Obviously there is a decision to be made around whether to store the file in a database or on the file system. The file should also be virus scanned. Note that in business systems users can often upload files like PDFs that […]
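An added example (mine, not the post's) of the file-system route: accept only allow-listed types whose content matches the type's signature, store under a server-generated name outside the web root, and serve downloads back through a controller. The storage folder, size limit, the extension and signature list and the virus-scan hook are this example's assumptions; the scan itself is left as a marked step because it depends on the scanner in use.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example, not the original post's code.
public static class UploadPolicy
{
    public const int MaxBytes = 10 * 1024 * 1024;

    // Extension allow-list, each paired with the bytes a genuine file starts with.
    private static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf", new byte[] { 0x25, 0x50, 0x44, 0x46 } },   // "%PDF"
            { ".png", new byte[] { 0x89, 0x50, 0x4E, 0x47 } },   // "\x89PNG"
            { ".jpg", new byte[] { 0xFF, 0xD8, 0xFF } },
        };

    // The client's file name and Content-Type header are both attacker-controlled,
    // so the decision rests on the extension being allow-listed AND the content
    // starting with that type's signature.
    public static bool IsAcceptable(string clientFileName, Stream content, long length, out string extension)
    {
        extension = Path.GetExtension(clientFileName ?? string.Empty);
        byte[] signature;
        if (length <= 0 || length > MaxBytes) return false;
        if (!Allowed.TryGetValue(extension, out signature)) return false;

        var header = new byte[signature.Length];
        int read = content.Read(header, 0, header.Length);
        if (content.CanSeek) content.Position = 0;   // leave the stream ready for SaveAs
        return read == signature.Length && header.SequenceEqual(signature);
    }

    // Never reuse the client's name on disk: it can contain "..\" or be chosen to
    // overwrite another user's file. A fresh GUID plus the vetted extension is enough;
    // the original name is kept in the database for display only.
    public static string NewStoredName(string extension)
    {
        return Guid.NewGuid().ToString("N") + extension;
    }

    // On the way back out, only names this application generated are accepted,
    // which also rules out path traversal via the download URL.
    public static bool IsStoredName(string name)
    {
        if (string.IsNullOrEmpty(name) || Path.GetFileName(name) != name) return false;
        Guid ignored;
        return Allowed.ContainsKey(Path.GetExtension(name)) &&
               Guid.TryParseExact(Path.GetFileNameWithoutExtension(name), "N", out ignored);
    }
}

[Authorize]
public class FilesController : Controller
{
    private static readonly string StorageRoot = @"D:\AppData\Uploads";   // outside the web root

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Upload(HttpPostedFileBase file)
    {
        string ext;
        if (file == null || !UploadPolicy.IsAcceptable(file.FileName, file.InputStream, file.ContentLength, out ext))
            return new HttpStatusCodeResult(400, "File type or size not accepted");

        string storedName = UploadPolicy.NewStoredName(ext);
        file.SaveAs(Path.Combine(StorageRoot, storedName));
        // Hook (scanner-specific, not shown): hand the saved path to the virus
        // scanner and keep the record flagged as not downloadable until it passes.
        // Persist (storedName, file.FileName, owner, size) in the database, not the path.
        return RedirectToAction("Index");
    }

    public ActionResult Download(string name)
    {
        if (!UploadPolicy.IsStoredName(name)) return HttpNotFound();
        string path = Path.Combine(StorageRoot, name);
        if (!System.IO.File.Exists(path)) return HttpNotFound();

        // Force a download with a generic type so the browser never renders
        // uploaded content inside the site's origin (an uploaded HTML or SVG
        // file would otherwise be stored XSS), and stop MIME sniffing.
        Response.AppendHeader("X-Content-Type-Options", "nosniff");
        return File(path, "application/octet-stream", name);
    }
}
```

The Download action should also check that the caller is allowed to see this particular file (the same ownership rule as for any other id); it is omitted here only because the record lookup is outside this example.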