asp_net_mvc_security_check_list

Differences

This shows you the differences between two versions of the page.

asp_net_mvc_security_check_list [2013/05/14 00:08] – [Threat: Open Redirection] stephenasp_net_mvc_security_check_list [2017/01/01 20:05] (current) – external edit 127.0.0.1
Line 3: Line 3:
 ===== Threat: Cross-Site Scripting ===== ===== Threat: Cross-Site Scripting =====
  
-  * Use [[https://nuget.org/packages/AntiXSS/|AntiXSS]].+  * Use the [[http://wpl.codeplex.com|AntiXSS]] NuGet package - or not as it appears to be very broken and abandoned at the moment.
   * Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:   * Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:
     * Any use of ''@Html.Raw()'' and ensure that there is no possible way a malicious user could inject anything into it.     * Any use of ''@Html.Raw()'' and ensure that there is no possible way a malicious user could inject anything into it.
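Review bot: the reworded first bullet now contradicts itself, telling the reader to use AntiXSS and, in the same sentence, not to because it "appears to be very broken and abandoned", so someone working through the checklist has no actionable instruction. Either remove the item or reword it as a clear recommendation (for example: "AntiXSS is unmaintained; rely on Razor's default HTML encoding and the view review below"). Note also that the link changed from the nuget.org package page to http://wpl.codeplex.com, so the phrase "NuGet package" no longer matches the target of the link.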
Line 28: Line 28:
     * (Preferred) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by a ''IsLocalUrl(url)'' check and failures are logged.     * (Preferred) Review all controller action methods and ensure all ''return Redirect(url);'' method calls are preceded by a ''IsLocalUrl(url)'' check and failures are logged.
     * (Acceptable) Review all controller action methods and ensure no ''return Redirect(url);'' method calls exist (they should be replaced by ''return RedirectToLocal(url);'').     * (Acceptable) Review all controller action methods and ensure no ''return Redirect(url);'' method calls exist (they should be replaced by ''return RedirectToLocal(url);'').
 +
 +===== Threat: Stack Trace Leakage =====
 +
 +  * (Preferred) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''machine.config'' of the web server (found at ''%windir%\Microsoft\.NET\Framework\<frameworkversion>\Config''), switch on 'retail':<code xml>
 +<system.web>
 +  <deployment retail="true" />
 +</system.web>
 +</code> This will set ''customErrors'' mode to On and disable trace output and debug. It can not be overridden by the ''Web.config''  
 +  * (Acceptable) Use [[http://code.google.com/p/elmah|ELMAH]] and in the ''Web.config'' set ''customErrors'' mode to On:<code xml>
 +<system.web>
 +  <customErrors defaultRedirect="GenericError.html" mode="On">
 +    <error statusCode="500" redirect="InternalError.html"/>
 +  </customErrors>
 +<system.web>
 +</code>
 +
  
 ===== General ===== ===== General =====
  
   * Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked ''public'' - all others must be ''protected'' or ''private''.   * Review all controller classes and ensure that only methods that are intended to be exposed as action methods are marked ''public'' - all others must be ''protected'' or ''private''.
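Review bot: the second ''<code xml>'' block under "Threat: Stack Trace Leakage" is not well-formed XML: the last element line is ''<system.web>'' where it should be ''</system.web>''. An unclosed element in ''Web.config'' will make ASP.NET fail to parse the configuration, so the site will return a configuration error instead of the custom error pages the item is meant to enable; change that line to ''</system.web>''. Minor: the sentence "It can not be overridden by the ''Web.config''" has a trailing double space and no full stop, and "can not" reads better as "cannot".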
asp_net_mvc_security_check_list.1368490126.txt.gz · Last modified: 2017/01/01 19:48 (external edit)
