Chapter 10. ASP.NET security


This chapter covers

  • Analyzing security threats
  • Handling untrusted user input
  • Techniques to prevent SQL injection
  • Cross-site scripting (XSS) in action
  • Path canonicalization issues

In previous chapters, we covered both ASP.NET Web Forms and MVC, and how your application might benefit from the new features available in version 4.0. Now it’s time to take a look at security, which is a fundamental aspect of every well-built application.

If you think that security is a secondary concern for your applications, you’re wrong: an insecure application is an incomplete application. In fact, in a web application, security is more important than anything else because of the global availability of this kind of application and the large attack surface. Security is a pillar, and it has to be considered at every stage of the process, from the architectural stage right up to and including development itself.

Making an application secure is simple. You have to apply a number of different techniques, but none of them is difficult to master. It’s not black magic—it’s common sense.

Security is often addressed in ASP.NET applications from two different angles:

10.1. What is security in ASP.NET applications?

10.2. Filtering and blocking incoming requests

10.3. Protecting applications from SQL injection

10.4. Dealing with XSS (cross-site scripting)

10.5. Controlling path composition: path canonicalization vulnerabilities

10.6. Summary