asp_net_mvc_security_check_list
This is an old revision of the document!
Table of Contents
ASP.NET MVC Security Check List
Threat: Cross-Site Scripting
- Use AntiXSS.
- Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:
- Any use of
@Html.Raw()and ensure that there is no possible way a malicious user could inject anything into it. - Any use of
@…in JavaScript code. This should be encoded with the@Encoder.JavaScriptEncode()method.
Threat: Cross-Site Request Forgery
- Review all views ensure that all
<form>elements contain a@Html.AntiForgeryToken(). - Review all POST controller actions and ensure that have the
[ValidateAntiForgeryToken](a standard filter attribute) and[IsPostedFromThisSite](a custom filter attribute). - Review all GET controller actions and ensure that they are idempotent (i.e. have no side-effects).
Threat: Cookie Theft
- Ensure that the
Web.configfile contains<httpCookies domain=“” httpOnlyCookies=“true” requireSSL=“false” />(prevents JavaScript from accessing cookies).
Threat: Over-Posting
- Review all models and ensure each has a
[Bind(Include=“Foo, Bar”)]attribute.
Threat: Open Redirection
- (MVC 1 & 2) Review all controller action methods and ensure all
return Redirect(url);method calls are preceded by aIsLocalUrl(url)check. - (MVC 3+) Review all controller action methods and ensure no
return Redirect(url);method calls exist (they should be replaced byreturn RedirectToLocal(url);).
asp_net_mvc_security_check_list.1368489501.txt.gz · Last modified: 2017/01/01 19:48 (external edit)