ASP.NET MVC 2: Securing Our Application



Threat: CROSS-SITE SCRIPTING (XSS)

Preventing XSS

         HTML Encode All Content  P377  The main point is to use Encode so that the data source cannot be rendered as raw markup.


         <iframe frameborder="0" marginheight="0" marginwidth="0" style="width:100%; height:600px;" src="<%= Html.Encode(ViewData["hotItemId"]) %>"></iframe>

         The Encode here is extremely important, because the value in ViewData["hotItemId"] can be rewritten simply by typing a different address into the browser. For example, in http://localhost:18341/HotVoyage/Index/abc the trailing segment could be replaced with JavaScript, and without encoding that script would end up in the HTML, with nasty consequences.
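The point above is that the route segment is attacker-controlled and must be neutralised before it is rendered. The following is an added example, not the book's or the post's code: a controller that validates the id before it reaches the view, paired with a view that still encodes on output. The controller name is taken from the URL on the page; the route value name `id` and the numeric-id rule are assumptions for illustration.

```csharp
// Added example (not from the book or the original post). Assumes the
// HotVoyage/Index route passes its trailing segment as the "id" parameter.
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

public class HotVoyageController : Controller
{
    // Hypothetical rule for this example: a hot-item id is 1 to 10 digits.
    private static readonly Regex ItemIdPattern = new Regex(@"^\d{1,10}$");

    public ActionResult Index(string id)
    {
        // Validate first: /HotVoyage/Index/abc never reaches the view at all.
        if (id == null || !ItemIdPattern.IsMatch(id))
        {
            throw new HttpException(404, "Unknown hot item");
        }

        ViewData["hotItemId"] = id;
        return View();
    }
}

/* The matching view (Views/HotVoyage/Index.aspx) still encodes on output,
   so the two defences do not depend on each other:

   <iframe frameborder="0" style="width:100%; height:600px;"
           src="<%= Html.Encode(ViewData["hotItemId"]) %>"></iframe>

   On ASP.NET 4 the shorter <%: ViewData["hotItemId"] %> syntax performs the
   same encoding. Html.Encode turns <, >, & and " into entities, so a value
   from the URL cannot close the src attribute or start a new tag.
*/
```

Encoding stops the value from breaking out of the attribute, but it does not change what the attribute means: a src that is a complete URL with a script scheme would survive HTML encoding intact. That is why the controller also restricts the value to the shape the application expects, rather than relying on output encoding alone.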


Threat: CROSS-SITE REQUEST FORGERY

         Token Verification

         Writing a custom action filter  P385 

public class IsPostedFromThisSiteAttribute : AuthorizeAttribute { }
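The two items above, token verification and a custom action filter, are shown together in the following added example. It is not the book's code: the filter body (a same-host check on the Referer header) and the `CommentController` are assumptions for illustration; `ValidateAntiForgeryToken` and `Html.AntiForgeryToken()` are the framework's own anti-forgery pair.

```csharp
// Added example, not the book's code. Shows the custom filter named on the
// page next to the framework's anti-forgery token.
using System;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
{
    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // A cross-site form post normally carries the other site's URL as the
        // referrer; a missing referrer is treated the same way.
        if (request.UrlReferrer == null)
        {
            throw new HttpException(403, "Form submitted without a referrer.");
        }

        if (!string.Equals(request.UrlReferrer.Host, request.Url.Host,
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new HttpException(403, "Form was not submitted from this site.");
        }
    }
}

public class CommentController : Controller
{
    // Both checks must pass before the action body runs.
    [HttpPost]
    [IsPostedFromThisSite]
    [ValidateAntiForgeryToken] // pairs with <%= Html.AntiForgeryToken() %> in the form
    public ActionResult Create(string name, string comment)
    {
        // ... save the comment ...
        return RedirectToAction("Index");
    }
}
```

The referrer check is a cheap first line but not a reliable one: browsers and proxies may strip the header for legitimate users, and it is not something the server can verify. The hidden token plus its cookie, checked by `ValidateAntiForgeryToken`, is the defence that actually proves the form came from a page this application served.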

Threat: COOKIE STEALING

         Preventing Cookie Theft with HttpOnly P387

                   <httpCookies httpOnlyCookies="true"/>

                   http://www.owasp.org/index.php/HttpOnly

                   This is fairly complex and touches many other areas.

Threat: OVER-POSTING

         [Bind(Include="Name, Comment")]   P388
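The following added example (not the book's code) shows what the `Bind(Include=...)` attribute on the page protects against. The `Review` model, `ReviewsController` and the in-memory store are constructed for illustration.

```csharp
// Added example, not the book's code. The model and controller are assumed.
using System.Collections.Generic;
using System.Web.Mvc;

public class Review
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Comment { get; set; }
    public bool Approved { get; set; } // set by a moderator, never by the visitor
}

public class ReviewsController : Controller
{
    // Stand-in for a database (constructed for this example).
    private static readonly List<Review> Store = new List<Review>();

    // Vulnerable form: DefaultModelBinder sets every property whose name
    // appears in the posted form, so an extra Approved=true field is honoured.
    [HttpPost]
    public ActionResult CreateUnsafe(Review review)
    {
        Store.Add(review);
        return RedirectToAction("Index");
    }

    // Hardened form, as on the page: only Name and Comment are bound. Posted
    // Id or Approved fields are ignored and the server fills them in itself.
    [HttpPost]
    public ActionResult Create([Bind(Include = "Name, Comment")] Review review)
    {
        review.Id = Store.Count + 1;
        review.Approved = false;
        Store.Add(review);
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View(Store);
    }
}
```

A whitelist string drifts out of date as the model grows. The more maintainable form of the same idea is a dedicated input model that only has the `Name` and `Comment` properties, so there is nothing extra to bind in the first place.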

KEEPING YOUR PANTS UP: PROPER ERROR REPORTING AND THE STACK TRACE

         <customErrors mode="On/Off/RemoteOnly" ... />  p389
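The two web.config settings noted on this page, `httpOnlyCookies` and `customErrors`, are shown together below as an added configuration example (not from the book). The redirect targets are placeholders.

```xml
<!-- Added example, not the book's configuration. Error page paths are placeholders. -->
<configuration>
  <system.web>
    <!-- Every cookie the application writes gets the HttpOnly flag, so script
         running in the page cannot read it through document.cookie. -->
    <httpCookies httpOnlyCookies="true" />

    <!-- RemoteOnly: the detailed error page with the stack trace is shown only
         when browsing from the server itself; remote users get the friendly
         page and learn nothing about the internals. "On" hides it from
         everyone, "Off" shows it to everyone and is for development only. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error/General">
      <error statusCode="404" redirect="~/Error/NotFound" />
    </customErrors>
  </system.web>
</configuration>
```

The value to check before deploying is `mode`: a configuration left on `Off` hands a remote user file paths, method names and framework versions in every unhandled exception.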

SECURING YOUR CONTROLLERS, NOT YOUR ROUTES

         [Authorize(Users="NinjaBob, Superman")]

         public class TopSecretController : Controller

Using [NonAction] to Protect Public Methods
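The two ideas in the last sections, authorising the controller rather than the route and hiding public helper methods with `[NonAction]`, are combined in this added example (not the book's code). The action names and the `Admin` role are assumptions for illustration; the controller name and user list are the ones on the page.

```csharp
// Added example, not the book's code. Action names and the Admin role are assumed.
using System.Web.Mvc;

// The attribute sits on the controller, not on a route: however many URLs the
// routing table maps to this controller, every one of them runs this check.
[Authorize(Users = "NinjaBob, Superman")]
public class TopSecretController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // An action can tighten the controller-level rule further.
    [Authorize(Roles = "Admin")]
    public ActionResult Launch()
    {
        return View();
    }

    // Public so that a unit test or another controller can call it, but
    // [NonAction] keeps the framework from exposing /TopSecret/ResetState as
    // a URL at all; a request for it gets a 404, not the method's side effects.
    [NonAction]
    public void ResetState()
    {
        TempData.Clear();
    }
}
```

Without `[NonAction]`, any public method on a controller is an action, and the method-name conventions (`Index`, `Launch`) are only conventions: the routing engine will happily invoke a helper you never meant to serve.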
