Securing ASP.NET MVC Application Checklist
Question
I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvious and well known issues when deploying a website.
Thanks.
Solution
- As always, make sure you properly encode output - notice that I am here saying encode and not HtmlEncode. If you're outputting content to HTML then you want to use Html.Encode - however if you're outputting to JavaScript then you want to use a JavaScript encode function. This will help you against Cross Site Scripting (XSS).
- Use the helpers that help against CSRF attacks where needed (or maybe just everywhere).
- Depending on how you access your data storage, if it's a SQL database, remember to protect yourself against SQL injection, either through parameterized queries, stored procedures, LINQ or what have you.
- When you test - make sure your test data contains dodgy output (stuff where a failure to call Html.Encode would reveal itself easily, perhaps through
  <script type="text/javascript">alert("XSS attack!");</script>XSS here!
  - same goes for stuff that's injected into JavaScript, make mistakes show up!)
- When model binding, use a whitelisting approach for properties so users cannot make the binder bind properties that are not intended to be bound!
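A minimal ASP.NET MVC controller that applies the checklist items above (anti-forgery token validation, a binding whitelist against over-posting, a parameterized query, and JavaScript encoding for a value that ends up inside a script block). This is an added example, not code from the original answer; the Customer model, CustomersController, the "Main" connection string name and the view names are assumptions.

```csharp
// Added example: hypothetical model and controller applying the checklist above.
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }   // must never be settable from a form post
}

public class CustomersController : Controller
{
    // CSRF: the form in the view must emit @Html.AntiForgeryToken(); this attribute
    // rejects any POST whose hidden token does not match the anti-forgery cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    // Over-posting: only Name and Email may be bound from the request, so a crafted
    // extra field such as IsAdmin=true is ignored by the model binder.
    public ActionResult Create([Bind(Include = "Name,Email")] Customer customer)
    {
        if (!ModelState.IsValid)
            return View(customer);

        // SQL injection: user input is passed as typed parameters,
        // never concatenated into the command text.
        var connectionString = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(
            "INSERT INTO Customers (Name, Email) VALUES (@name, @email)", connection))
        {
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customer.Name;
            command.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = customer.Email;
            connection.Open();
            command.ExecuteNonQuery();
        }

        // Output encoding: Razor's @Model.Name is HTML-encoded automatically, but a value
        // written inside <script> needs JavaScript encoding instead. The view would emit
        // it with @Html.Raw(ViewBag.NameForScript) so Razor does not HTML-encode the escapes.
        ViewBag.NameForScript = HttpUtility.JavaScriptStringEncode(customer.Name);
        return View("Created", customer);
    }
}
```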