Stephen's Wiki

User Tools

Site Tools

Trace: bass_tab_sex_pistols_god_save_the_queen
asp_net_mvc_security_check_list

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
asp_net_mvc_security_check_list [2013/05/13 22:33] – created stephenasp_net_mvc_security_check_list [2017/01/01 20:05] (current) – external edit 127.0.0.1
Line 3: Line 3:
 ===== Threat: Cross-Site Scripting ===== ===== Threat: Cross-Site Scripting =====
  
-  * Use [[https://nuget.org/packages/AntiXSS/|AntiXSS]].+  * Use the [[http://wpl.codeplex.com|AntiXSS]] NuGet package - or not as it appears to be very broken and abandoned at the moment.
   * Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:   * Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:
     * Any use of ''@Html.Raw()'' and ensure that there is no possible way a malicious user could inject anything into it.     * Any use of ''@Html.Raw()'' and ensure that there is no possible way a malicious user could inject anything into it.
Line 22: Line 22:
   * Review all models and ensure each has a ''[Bind(Include="Foo, Bar")]'' attribute.   * Review all models and ensure each has a ''[Bind(Include="Foo, Bar")]'' attribute.
  
 +===== Threat: Open Redirection =====
  
 +  * (MVC 1 & 2) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by a ''IsLocalUrl(url)'' check and failures are logged.
 +  * (MVC 3+) Either:
 +    * (Preferred) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by a ''IsLocalUrl(url)'' check and failures are logged.
 +    * (Acceptable) Review all controller action methods and ensure no ''return Redirect(url);'' method calls exist (they should be replaced by ''return RedirectToLocal(url);'').
 +
 +===== Threat: Stack Trace Leakage =====
 +
 +  * (Preferred) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''machine.config'' of the web server (found at ''%windir%\Microsoft\.NET\Framework\<frameworkversion>\Config''), switch on 'retail':<code xml>
 +<system.web>
 +  <deployment retail="true" />
 +</system.web>
 +</code> This will set ''customErrors'' mode to On and disable trace output and debug. It can not be overridden by the ''Web.config''  
 +  * (Acceptable) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''Web.config'' set ''customErrors'' mode to On:<code xml>
 +<system.web>
 +  <customErrors defaultRedirect="GenericError.html" mode="On">
 +    <error statusCode="500" redirect="InternalError.html"/>
 +  </customErrors>
 +<system.web>
 +</code>
 +
 +
 +===== General =====
 +
 +  * Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked ''public'' - all others must be ''protected'' or ''private''.
asp_net_mvc_security_check_list.1368484386.txt.gz · Last modified: 2017/01/01 19:48 (external edit)
Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki