Secure ASP.NET MVC Applications

One of the greatest advantages of ASP.NET MVC is that it provides a "close to the metal" programming experience with full control over the HTML. It also means that you have to care about the vulnerabilities that come with your HTML. In WebForms, server controls automatically HTML-encode their output. While developing ASP.NET MVC applications, you should encode your HTML output to avoid XSS attacks. Use the following HTML helper methods to avoid vulnerabilities in your ASP.NET MVC applications.

Use Html.Encode to defend against XSS

Use the Html.Encode helper method whenever you output user-supplied data.

Your search result for category : <%=Html.Encode(ViewData["Category"]) %>

Let's assume that the user supplied "<script>alert('XSS')</script>" as input data. Html.Encode prevents it from executing as JavaScript and ensures that the string is displayed as literal text. The built-in helper methods (such as Html.TextBox) automatically HTML-encode their output. As Rob Conery said, Html.Encode is not a silver bullet against XSS.
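The following is an added example, not code from the original post, that shows what Html.Encode actually does to the input discussed above. In ASP.NET MVC 1.0, Html.Encode delegates to HttpUtility.HtmlEncode, so the same behaviour can be exercised offline in a console program; the vulnerable and hardened render methods and the sample inputs are constructed for this demonstration.

```csharp
// Added example: raw output beside HTML-encoded output for user-supplied data.
// Html.Encode in ASP.NET MVC 1.0 wraps HttpUtility.HtmlEncode, which is what
// this program calls directly. Reference System.Web.dll when compiling.
using System;
using System.Web;

class HtmlEncodeDemo
{
    // Vulnerable pattern: user input is concatenated straight into the markup,
    // which is what <%= ViewData["Category"] %> would emit.
    static string RenderUnsafe(string category)
    {
        return "Your search result for category : " + category;
    }

    // Hardened pattern: what <%= Html.Encode(ViewData["Category"]) %> emits.
    // '<', '>', '&' and '"' become entities, so the browser shows the text
    // instead of parsing it as markup.
    static string RenderEncoded(string category)
    {
        return "Your search result for category : " + HttpUtility.HtmlEncode(category);
    }

    static void Main()
    {
        // Constructed sample inputs: a benign value, the payload quoted in the
        // post, and a value that tries to break out of a quoted attribute.
        string[] samples =
        {
            "Books",
            "<script>alert('XSS')</script>",
            "\" onmouseover=\"alert(1)",
        };

        foreach (string s in samples)
        {
            Console.WriteLine("unsafe : " + RenderUnsafe(s));
            Console.WriteLine("encoded: " + RenderEncoded(s));
            Console.WriteLine();
        }
    }
}
```

For the second sample the encoded output reads `&lt;script&gt;alert('XSS')&lt;/script&gt;`, which the browser renders as literal text. Note that HtmlEncode is only correct for HTML body content and double-quoted attribute values; data written into a JavaScript block, a URL or an unquoted attribute needs the encoding appropriate for that context, which is the point behind the "not a silver bullet" remark.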

Use Html.AntiForgeryToken to defend against Cross-Site Request Forgery (CSRF)

The Html.AntiForgeryToken helper method provides support for detecting and defending against CSRF attacks. This helper method is available in the Microsoft ASP.NET MVC Futures assembly (Microsoft.Web.Mvc.dll). The assembly can be downloaded from http://www.codeplex.com/aspnet/Release/ProjectReleases.aspx?ReleaseId=18459 . Check the example below.

<% Html.BeginForm("Save", "Category", FormMethod.Post); %>
<%= Html.AntiForgeryToken() %>

<% Html.EndForm(); %>

The AntiForgeryToken helper generates a hidden field named __MVC_AntiForgeryToken whose value is randomly generated for each request. At the same time it sets a cookie named __MVC_AntiForgeryToken whose value stays constant for the user's session.

<form method="post" action="/Category/Save">
<input type="hidden" value="34/LV6nApPw0VWjxZkwY1imE8U8c+fAthll+ssF1fhbbK20HYA1EzXB6xaHqCHo4" name="__MVC_AntiForgeryToken"/>
</form>

The authorization filter attribute [ValidateAntiForgeryToken] checks every incoming request for the form value __MVC_AntiForgeryToken and blocks the request if an invalid token is supplied. A CSRF attacker cannot know the randomly generated value of the AntiForgeryToken.

The example below uses [ValidateAntiForgeryToken] on the controller action to validate the AntiForgeryToken.

[ValidateAntiForgeryToken]
public ActionResult Save(FormCollection form)
{
    // only requests carrying a valid __MVC_AntiForgeryToken reach this body
    return RedirectToAction("Index");
}
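The following is an added example, not code from the original post, that puts the helper and the filter together in one complete controller. CategoryController, the Edit view name and the Name form field are assumptions made for this example. It assumes the helper and filter live in the System.Web.Mvc namespace (ASP.NET MVC 1.0 RC and later); with the Futures assembly linked above, add `using Microsoft.Web.Mvc;` instead.

```csharp
// Added example: a controller whose form is protected end to end by
// Html.AntiForgeryToken (in the view) and [ValidateAntiForgeryToken] (on the action).
using System.Web.Mvc;

public class CategoryController : Controller
{
    // GET /Category/Edit renders the form. The Edit view (assumed name) must contain:
    //
    //   <% using (Html.BeginForm("Save", "Category", FormMethod.Post)) { %>
    //       <%= Html.AntiForgeryToken() %>
    //       <%= Html.TextBox("Name") %>
    //       <input type="submit" value="Save" />
    //   <% } %>
    //
    // so every submission carries the hidden __MVC_AntiForgeryToken field together
    // with the matching __MVC_AntiForgeryToken cookie set by the helper.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult Edit()
    {
        return View();
    }

    // POST /Category/Save. Restricting the action to POST matters because the
    // filter validates the form field; a GET carries no form token. The filter
    // compares the form token against the cookie token and throws
    // HttpAntiForgeryException before the action body runs when they do not match,
    // so the body only ever sees legitimate submissions.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult Save(FormCollection form)
    {
        string name = form["Name"];
        if (string.IsNullOrEmpty(name))
        {
            ModelState.AddModelError("Name", "Category name is required.");
            return View("Edit");
        }

        // Persisting the category is omitted from this example.
        // Redirect after POST so a refresh does not resubmit the form.
        TempData["Message"] = "Saved " + name;
        return RedirectToAction("Edit");
    }
}
```

When the token is missing or does not match, the request fails with HttpAntiForgeryException; decorating the controller with [HandleError] turns that into the application's error view rather than a yellow screen. Because the form token is a per-request random value that only a page served by your site contains, a forged request from another origin cannot supply it.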

Published Thursday, December 18, 2008 10:02 PM by shiju

Comments

# re: Secure ASP.NET MVC Applications

Friday, December 19, 2008 5:59 AM by v.baskar

It is very useful and nice

# re: Secure ASP.NET MVC Applications

Monday, February 2, 2009 4:46 AM by shiju

The Html.AntiForgeryToken is moved into the MVC core assembly from MVC Futures in the ASP.NET MVC RC release.

# re: Secure ASP.NET MVC Applications

Wednesday, May 6, 2009 7:00 AM by almny

good article thanks

# re: Secure ASP.NET MVC Applications

Wednesday, August 12, 2009 3:22 AM by Kevin

Very helpful. Many Thanks

# re: Secure ASP.NET MVC Applications

Wednesday, April 6, 2011 11:38 PM by weblogs.asp.net

Secure asp net mvc applications.. Corking :)

# re: Secure ASP.NET MVC Applications

Sunday, May 1, 2011 9:13 PM by weblogs.asp.net

Secure asp net mvc applications.. Slap-up :)

# re: Secure ASP.NET MVC Applications

Wednesday, June 15, 2011 1:11 AM by weblogs.asp.net

Secure asp net mvc applications.. Bang-up :)

# re: Secure ASP.NET MVC Applications

Monday, September 26, 2011 11:34 AM by Jakayla

Thanks for sharing. What a pleasure to read!
