These are few tips how to secure your .net app on code level

Asp.net Version Disclosure

<system.web>
<httpRuntime  enableVersionHeader="false" />
</system.web>

Set Cookie to HttpOnly

<system.web>
<httpCookies httpOnlyCookies="true"/>
</system.web>

Set Custom Error

<system.web>
<customErrors mode="On" defaultRedirect="~/Controller/ErrorPage"></customErrors>
</system.web>

Custom Error Disabled

<system.web>
<customErrors mode="RemoteOnly">
</system.web>

Leaving Tracing Enabled in Web-Based Applications

<system.web> 
<trace enabled="false" localOnly="true">
</system.web>

Disabled Debugging

<system.web> 
<compilation debug="false">
</system.web>

Disabled Cookieless Session States

<system.web> 
<sessionState cookieless="UseCookies"> 
</system.web>

Input Validation :  A set of controls that verify the properties of all input data matches what is expected by the application including types, lengths, ranges, acceptable character sets and does not include known hazardous characters.

If any potentially hazardous characters must be allowed as input, be sure that you implement additional controls like output encoding, secure task specific APIs and accounting for the utilization of that data throughout the application . Examples of common hazardous characters include: < > ” ‘ % ( ) & + \ \’ \”

 

Output Encoding

  1. Encode all characters unless they are known to be safe for the intended interpreter
  2. Contextually sanitize all output of un-trusted data to queries for SQL, XML, and LDAP
  3. Sanitize all output of un-trusted data to operating system commands

 

Error Handling and Logging

  1. Do not disclose sensitive information in error responses, including system details, session identifiers or account information
  2. Use error handlers that do not display debugging or stack trace information
  3. Implement generic error messages and use custom error pages

 

Database Security

  1. Use strongly typed parameterized queries
  2. Utilize input validation and output encoding and be sure to address meta characters. If these fail, do not run the database command
  3. Ensure that variables are strongly typed

 

HTML Entity Encode: The process of replacing certain ASCII characters with their HTML entity equivalents. For example, encoding would replace the less than character “<” with the HTML equivalent “<“. HTML entities are ‘inert’ in most interpreters, especially browsers, which can mitigate certain client side attacks.

 

 

Prevent ClickJacking

 

More Info:

https://www.owasp.org/index.php/OWASP_Secure_Coding_Practices_-_Quick_Reference_Guide

https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet

Security Programming in .Net
Tagged on:             

Leave a Reply

Your email address will not be published. Required fields are marked *