Friday, February 09, 2007
ASP.NET: Basic security
The internet is a fine place. But of course there is also 'the dark side of the internet'. I am not a security specialist, and I realise my site might be vulnerable to attacks or exploits. But that doesn't mean I can't get the basics right and go for a reasonable level of security. I want to mention some examples used in the footer of each page during the beta.
There is a box to add additional comments to each page. The box is accessible both to anonymous users and registered users. I'm taking this approach because I want the site to be as useful as possible without having to log in or register. God knows I hate having to register every time myself. Personally I rarely contribute to sites if I first need to register and/or log in. But then I leave the site open to all sorts of spam of course...
There are two things I want to protect against: 1) robots or spambots entering text and 2) people entering harmful text. Text typed into a box can carry JavaScript, HTML or SQL fragments that, if the application passes them through unchecked, can be used to take control of the application or corrupt its data (cross-site scripting and SQL injection).
Security needs to be enforced on both the client side and the server side. Client-side checks are mostly there to make things more comfortable for the user and to stop faulty information from being entered. But they can always be circumvented by someone with the right skills (the form can be posted directly, bypassing any script in the browser), so you need the same checks again on the server side, and that is where the real protection lives.
Client side:
The text box uses the FilteredTextBoxExtender from the Ajax Control Toolkit, so only 'safe' characters can be entered: for example the <, >, % and @ characters are not allowed and cannot be typed in the box. Keep in mind that this is a JavaScript filter; it only restricts what can be typed, not what can be sent to the server.
Secondly, the text is only submitted if the CAPTCHA control code is the right one. I've blogged about the CAPTCHA control before. Its purpose is to ensure that only humans can enter text, not machines or bots. I've adapted the rendering of the CAPTCHA control from the codeproject.com site so it also displays in a row.
Server side:
On the server side I'm using the free Anti-Cross Site Scripting Library 1.5 from Microsoft to encode the text so potentially harmful characters are 'neutralised'. You can download the library here. Then add a reference to your project (right-click in Solution Explorer and select Add Reference) by browsing to the AntiXssLibrary.dll file. To encode potentially harmful input before rendering it to the page, call AntiXss.HtmlEncode (in the Microsoft.Security.Application namespace) or one of the other encoders. Two points to get right: pick the encoder for the context the text ends up in (HtmlEncode for element content, HtmlAttributeEncode for attribute values, JavaScriptEncode or UrlEncode for script and URL contexts), and encode at output time while storing the original text unchanged, so the same comment can be rendered safely in more than one context. Note that HTML encoding does nothing against SQL injection; for that, pass the text to the database as a parameter of a SqlCommand instead of concatenating it into the SQL string. There is a good tutorial describing the risks, analysis and usage of the tool on the MSDN site.
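To show how the client-side and server-side pieces above fit together, here is a code-behind for the comment box, written as an added example for this page: it is not the blog's own code and was not taken from the AntiXSS library or the Ajax Control Toolkit. It assumes an .ascx with controls named CommentBox, CommentCaptcha, StatusLabel and CommentList, a connection string named SiteDb, a table PageComments, that the CodeProject CAPTCHA control exposes a UserValidated property, and a server-side whitelist that mirrors whatever ValidChars the FilteredTextBoxExtender is configured with; adjust those names to your project.

```csharp
// Code-behind for the page-footer comment box (added example, not the blog's own code).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Text.RegularExpressions;
using System.Web.UI;
using Microsoft.Security.Application;   // AntiXss class from AntiXssLibrary.dll (v1.5)

public partial class PageFooter : UserControl
{
    // Server-side copy of the character whitelist that the FilteredTextBoxExtender enforces
    // in the browser. The exact set is an assumption; what matters is that it is re-checked
    // here, because anyone can POST to the page without ever running the client-side filter.
    // Letters, digits, whitespace and basic punctuation; no < > % @ & " or control characters.
    private static readonly Regex AllowedComment =
        new Regex(@"^[\p{L}\p{N}\s.,;:!?'()\-]{1,1000}$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            RenderComments();
        }
    }

    protected void SubmitComment_Click(object sender, EventArgs e)
    {
        string body = CommentBox.Text ?? string.Empty;

        // 1. Re-validate the input on the server; client-side filtering is only a convenience.
        if (!AllowedComment.IsMatch(body))
        {
            StatusLabel.Text = "Only letters, digits and basic punctuation are allowed (max 1000 characters).";
            return;
        }

        // 2. Check the CAPTCHA on the server too. 'UserValidated' is the property name
        //    assumed for the CodeProject control; substitute the one your control exposes.
        if (!CommentCaptcha.UserValidated)
        {
            StatusLabel.Text = "The CAPTCHA code was not correct.";
            return;
        }

        // 3. Store the raw text with a parameterised command. HTML encoding does nothing
        //    against SQL injection; the parameter keeps the text out of the SQL grammar.
        string connStr = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString; // assumed name
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO PageComments (PagePath, Body, PostedUtc) VALUES (@path, @body, @posted)", conn))
        {
            cmd.Parameters.Add("@path", SqlDbType.NVarChar, 400).Value = Request.Path;
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, 1000).Value = body;
            cmd.Parameters.Add("@posted", SqlDbType.DateTime).Value = DateTime.UtcNow;
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        CommentBox.Text = string.Empty;
        StatusLabel.Text = "Thanks, your comment has been added.";
        RenderComments();
    }

    // 4. Encode at render time, with the encoder that matches where the text lands.
    private void RenderComments()
    {
        string connStr = ConfigurationManager.ConnectionStrings["SiteDb"].ConnectionString;
        StringBuilder html = new StringBuilder();
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Body, PostedUtc FROM PageComments WHERE PagePath = @path ORDER BY PostedUtc", conn))
        {
            cmd.Parameters.Add("@path", SqlDbType.NVarChar, 400).Value = Request.Path;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                while (r.Read())
                {
                    string body = r.GetString(0);
                    string posted = r.GetDateTime(1).ToString("u");
                    // Element content gets HtmlEncode; an attribute value gets HtmlAttributeEncode.
                    html.AppendFormat("<li title=\"{0}\">{1}</li>",
                        AntiXss.HtmlAttributeEncode(posted),
                        AntiXss.HtmlEncode(body));
                }
            }
        }
        CommentList.Text = html.ToString();   // an <asp:Literal> placed inside a <ul>
    }
}
```

The comment is stored exactly as typed and encoded only when it is written into the page, so the same text can later be shown in an attribute, a script block or an RSS feed with the encoder appropriate to that context. The SqlCommand parameters, not the encoding, are what keep the text from being interpreted as SQL, and the server-side regex and CAPTCHA check repeat the two client-side checks so that skipping the browser script gains an attacker nothing.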
Labels: asp.net

