Below are the major threat categories. We'll study here the tools and techniques used to prevent such attacks.
- Cross Site Scripting (XSS) & HTML Injection
- Cross Site Request Forgery (CSRF)
- Session Hijacking
- SQL Injection
- HTML Injection
- HTTP header injection
- Mail-header injection
- OS command injection
1). Cross Site Scripting (XSS):
Cross-site scripting (XSS) vulnerabilities occur when:
- Untrusted data enters a web application, typically from a web request.
- The web application dynamically generates a web page that contains this untrusted data.
- A victim visits the generated web page, which now contains the malicious script injected via the untrusted data, through a web browser.
Three types of XSS:
- Type 1: Reflected XSS (or Non-Persistent) - The server reads data directly from the HTTP request and reflects it back in the HTTP response.
- Type 2: Stored XSS (or Persistent) - The application stores dangerous data in a database, message forum, visitor log, or other trusted data store. At a later time, the dangerous data is subsequently read back into the application and included in dynamic content.
- Type 0: DOM-Based XSS - In DOM-based XSS, the client performs the injection of XSS into the page; in the other types, the server performs the injection.
Security Requirement & Solution:
- No HTML tag should be allowed as input data.
- ASP.NET Razor views HTML-encode output by default (also in ASP.NET MVC 4).
- For aggressive stripping, use the Microsoft AntiXSS library.
- Use Html.Encode, or the <%: %> code nugget, provided by ASP.NET MVC for output.
- Prevent HTML tags in inputs by default, globally; turn this off only where needed, with [ValidateInput(false)] on an action or [AllowHtml] on a model property (ASP.NET MVC 4).
- Use the Microsoft Anti-Cross Site Scripting Library (AntiXSS) and set it as the default HTML encoder.
- Use the AntiXSS Sanitizer object and call GetSafeHtml or GetSafeHtmlFragment before saving HTML data to the database.
- Use the inbuilt HTML5 and CSS3 validation provided by Visual Studio.
- Modify web.config on IIS to specify the charset and content type with a custom header (name="Content-Type" value="text/html; charset='UTF-8'").
- Set the HttpOnly attribute as following:
- On IIS 7, PUT and DELETE are not enabled by default.
- Otherwise, deny TRACE by configuring IIS Request Filtering -> HTTP Verb -> Deny TRACE.
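The following is an added example, not code from the original notes, showing where the items above land in an ASP.NET MVC 4 application that references the AntiXSS library (NuGet package "AntiXSS", namespace Microsoft.Security.Application). The model, controller, action and cookie names are hypothetical; the attributes, encoder and sanitizer calls are the real framework and library APIs.

```csharp
// Added example (not from the original notes). Assumes ASP.NET MVC 4 with the
// AntiXSS library referenced; CommentModel, CommentController and the "prefs"
// cookie are hypothetical names chosen for this illustration.
using System.Web;
using System.Web.Mvc;
using Microsoft.Security.Application;

public class CommentModel
{
    // Request validation stays ON for this field: a posted value such as
    // "<b>hi</b>" is rejected with HttpRequestValidationException before the
    // action body runs. This is the "prevent HTML tags in inputs by default" rule.
    public string Author { get; set; }

    // Only this one field is allowed to carry HTML. Opting out per property with
    // [AllowHtml] is narrower than [ValidateInput(false)] on the whole action.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentController : Controller
{
    [HttpPost]
    public ActionResult Post(CommentModel comment)
    {
        // Stored XSS: sanitize BEFORE the value reaches the database, so whatever
        // is read back later is already safe to render as an HTML fragment.
        // GetSafeHtmlFragment keeps harmless markup (<b>, <p>, ...) and strips
        // script elements, event-handler attributes and similar active content.
        comment.Body = Sanitizer.GetSafeHtmlFragment(comment.Body);

        // Session hijacking: a cookie with HttpOnly set is not readable from
        // document.cookie, so an injected script cannot simply copy it out.
        // (Set Secure = true as well when the site is served over HTTPS.)
        Response.Cookies.Add(new HttpCookie("prefs", "theme=dark") { HttpOnly = true });

        // In the Razor view, "@Model.Author" is HTML-encoded automatically;
        // "@Html.Raw(Model.Body)" is NOT, and is only acceptable here because
        // Body was sanitized above.
        return View(comment);
    }

    // A response built outside Razor gets no automatic encoding, so a reflected
    // parameter must be encoded by hand before it is echoed back (reflected XSS).
    // Encoder.HtmlEncode is the AntiXSS white-list encoder; the framework's
    // HttpUtility.HtmlEncode would also do for plain HTML element content.
    public ActionResult Search(string q)
    {
        // Request validation normally rejects "<script>" in q before this runs;
        // encoding is the second line of defence for values that pass or when
        // validation has been switched off for the action.
        string safeQ = Encoder.HtmlEncode(q);   // "<script>" becomes "&lt;script&gt;"
        return Content("<p>Results for " + safeQ + "</p>", "text/html");
    }
}

/* Razor view for the Post action (Views/Comment/Post.cshtml), part of this
   added example:

   @model CommentModel
   <p>By @Model.Author</p>            @* '@' HTML-encodes by default *@
   <div>@Html.Raw(Model.Body)</div>   @* bypasses encoding; safe only after GetSafeHtmlFragment *@

   To make AntiXSS the encoder behind '@' and Html.Encode (the "set it as the
   default HTML encoder" item), web.config needs:
   <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary" />
*/
```

The design choice worth noting is where each control sits: request validation and [AllowHtml] decide what may enter, the sanitizer cleans the one HTML field before storage, and encoding (automatic in Razor, manual in Content()) protects every output path, so a value that slips past one layer still meets another.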
2). Cross Site Request Forgery (CSRF):
Hope this helps.