What ways of security should be handled in web applications


Question


Hello all of you..
I want to know what security tactics should be handled in an ASP.NET web application.

I am going to develop a big project in ASP.NET. I handled session / SQL injection / URL rewriting / anonymous access of user by session /

Please tell me any advanced security tricks... and the way to handle them in coding....

Please ......
Also tell me
the correct ways of handling session variables......
Please

Recommended answers

Have a look at these:
MSDN: Security Practices: ASP.NET Security Practices at a Glance
ASP.NET: web-forms tutorials security
ASP.NET Best Practices for High Performance Applications


There are a few authentication types:

http://msdn.microsoft.com/en-us/library/330a99hc(v=vs.71).aspx

I strongly suggest you read the above article.

The above link lists the following:

ASP.NET, in conjunction with Microsoft Internet Information Services (IIS), can authenticate user credentials such as names and passwords using any of the following authentication methods:

Windows: Basic, digest, or Integrated Windows Authentication (NTLM or Kerberos).
Microsoft Passport authentication
Forms authentication
Client Certificate authentication

Windows authentication is used to look up your user against a user directory.
http://msdn.microsoft.com/en-us/library/ff647405.aspx

Microsoft Passport Authentication is just that, using what until recently was your Windows Live login.
http://msdn.microsoft.com/en-us/library/b0ctef6w(v=vs.85).aspx

Forms authentication is probably the most used commercially. It uses cookie/state management to know when you've authenticated. Normally you provide the login screen, you perform the authentication check and then write the forms authentication cookie. This, along with your web config file, is used to marshal access to the rest of your site.
http://msdn.microsoft.com/en-us/library/ff647070.aspx

Client Certificate. I've never used this method. But as it says, it uses certificates to identify the user.
http://support.microsoft.com/kb/315588

You can also use a custom security mechanism. You can write a value to the session or a database when the user authenticates and then check this on each page load. You can include the check in a base page/master page.

SQL Injection

You should make sure you avoid leaving holes for SQL injection. The following should explain how to achieve this:

http://msdn.microsoft.com/en-us/library/ff648339.aspx

Other Injections

On a similar note, if you're worried about web security, script injection is also something to be aware of. Otherwise known as injection attacks.
http://msdn.microsoft.com/en-us/library/ff647397.aspx

Wider Website Security Practices

There are many websites/standards/processes/documents which cover the requirements for delivering secure websites. Two which come to mind are OWASP and PCIDSS.

OWASP (Open Web Application Security Project)
https://www.owasp.org/index.php/Main_Page

PCIDSS (Payment Card Industry Data Security Standard)

You can also subscribe to an ethical hacking service which will try and find the holes in your website and report them to you. One such service which provides both scheduled and on demand testing is McAfee Secure.
http://www.mcafeesecure.com/us/
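As an added example (not code from the original answer), here is how the forms authentication flow, the "write a value to the session and check it on each page load" suggestion and a parameterized credential lookup from the answer above fit together in a Web Forms project. The control names (UserNameTextBox, PasswordTextBox, ErrorLabel), the Users table, the "AppDb" connection string and the PasswordHasher.Verify helper are assumptions.

```csharp
// Added example, not code from the original answer. Assumes forms authentication enabled in
// web.config (<authentication mode="Forms"> plus <deny users="?">), a Users(UserName, PasswordHash)
// table, an "AppDb" connection string and a hypothetical PasswordHasher.Verify (PBKDF2-style) helper.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI;
public partial class Login : Page
{
    // Parameterized lookup: the name is bound as data, never spliced into the SQL text (the injection hole).
    private static string GetStoredPasswordHash(string userName)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT PasswordHash FROM Users WHERE UserName = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string; // null when no such user exists
        }
    }
    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string userName = UserNameTextBox.Text.Trim();
        string storedHash = GetStoredPasswordHash(userName);
        if (storedHash != null && PasswordHasher.Verify(PasswordTextBox.Text, storedHash))
        {
            Session["AuthUser"] = userName; // session value the base page re-checks on every load
            FormsAuthentication.RedirectFromLoginPage(userName, false); // writes the forms auth cookie
        }
        else
            ErrorLabel.Text = "Invalid user name or password."; // one message for both failure cases
    }
}
// The "check this on each page load" from the answer: protected pages inherit SecurePage, not Page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Require the forms auth ticket and the session value written at login, and that they agree.
        if (!User.Identity.IsAuthenticated || !string.Equals(Session["AuthUser"] as string, User.Identity.Name))
        {
            Session.Abandon(); FormsAuthentication.SignOut();
            FormsAuthentication.RedirectToLoginPage();
        }
    }
}
```

With the web.config deny rule in place the forms ticket alone already blocks anonymous users; the base page adds the answer's session cross-check so a stale or mismatched session is logged out rather than trusted.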
