Securing ASP.NET MVC Application Checklist


Question


I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvious and well known issues when deploying a website.

Thanks.

Answer

  1. As always, make sure you properly encode output - notice that I am here saying encode and not HtmlEncode. If you're outputting content out to HTML then you want to use Html.Encode - however if you're outputting to JavaScript then you want to use a JavaScript encode function. - This will help you against Cross Site Scripting (XSS)
  2. Use the helpers that help against CSRF attacks where needed (or maybe just everywhere)
  3. Depending on how you access your data storage, if it's a SQL Database, remember to protect yourself against SQL injections, either through parameterized queries, stored procedures, LINQ or what have you.
  4. When you test - make sure your test data contains dodgy output (stuff where a failure to call Html.Encode would reveal itself easily, perhaps through <script type="text/javascript">alert("XSS attack!");</script>XSS here!, same goes for stuff that's injected into JavaScript, make mistakes show up!)
  5. When model binding, use a whitelisting approach for properties so users cannot make the binder bind properties that are not intended to be bound!
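As an added illustration (not part of the answer above), here is how points 1, 2, 3 and 5 look in a single ASP.NET MVC (3 or later, Razor) controller; the ContactForm model, the Contacts table and the connection string are assumptions made for the example.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

// Assumed view model: only Name and Email may come from the form; IsAdmin is server-controlled.
public class ContactForm
{
    public string Name { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }
}

public class ContactController : Controller
{
    private const string ConnectionString = "<placeholder: real connection string goes here>";
    // Point 2: the CSRF helper. The Razor form must render @Html.AntiForgeryToken();
    // this attribute rejects a POST whose token is missing or does not match the cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    // Point 5: whitelist bindable properties. A posted "IsAdmin=true" field is ignored
    // because it is not in the Include list, so the binder cannot set it.
    public ActionResult Save([Bind(Include = "Name,Email")] ContactForm form)
    {
        if (!ModelState.IsValid) return View(form);
        // Point 3: parameterised query. Values travel as typed parameters, never
        // concatenated into the SQL text, so a quote in the name is just data.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Contacts (Name, Email) VALUES (@name, @email)", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = form.Name;
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = form.Email;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        return RedirectToAction("Thanks", new { name = form.Name });
    }

    // Point 1: encode for the context you emit into. The name goes inside a JavaScript string
    // literal, so it is JavaScript-encoded (quotes, <, > and & are escaped); HTML-encoding alone
    // would not stop a quote from ending the literal.
    public ActionResult Thanks(string name)
    {
        string js = "var who = \"" + HttpUtility.JavaScriptStringEncode(name ?? "") + "\";";
        ViewBag.InlineScript = new HtmlString("<script type=\"text/javascript\">" + js + "</script>");
        ViewBag.Name = name; // rendered as @ViewBag.Name, which Razor HTML-encodes (point 1 again)
        return View();
    }
}
```

Feeding the point 4 test string (the alert payload from the answer) through both the Name form field and the name query parameter is a quick way to confirm neither context breaks.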
