Beef Up ASP.NET 2.0's Built-In Security

Update on September 14, 2006: The part about vulnerabilities in DataBinder.Eval() turns out to be a documentation bug and the statement has been removed.


I'm browsing through Microsoft's best practices guide for security in ASP.NET 2.0 and have encountered some eyeopeners.

The authors warn against relying on some of the built-in features of ASP.NET. For example, the ASP.NET 2.0 Internet Security Reference Implementation uses custom functions to encode input because ASP.NET’s Server.HtmlEncode "only encodes <>"& characters. This is not sufficient to protect against all possible attacks.  The authors also reference the Microsoft Anti-Cross Site Scripting Library V1.0 to fight against unproven (aka evil) input.

Likewise, the app shuns the use of DataBinder.Eval() when displaying content from the database. "While Eval is sometimes safe to use on purely static data, it is best to avoid it completely as it has the potential to allow an attacker to execute arbitrary code on the host server." Yikes!

Anyway, I'm finding the reference application and its documentation quite instructive, especially the WebUtility class. Apart from that you get the whole PetShop 4.0 application including the shopping cart code.

No Comments