Monday, April 25, 2005

TIPS: Building Secure Web Applications - ASP.NET

Security is the matter of the moment now! Building secure web applications is an integral part of today's web development, owing to the alarmingly increasing number of hacking threats.

Some of the key things to keep in mind while building secure web applications are:

1. Never build open SQL statements from user input in your code.

A statement such as "select username from users where username='" + txtUserName.Text + "' and password='" + txtPassword.Text + "'"

can easily be manipulated by a malicious user (by typing ' OR ''=' into both boxes) so that it reads as follows:
select username from users where username='' OR ''='' AND password='' OR ''=''

The above statement compares "nothing" to "nothing", which always returns true. This authenticates the user and fetches the first username in the table.
To avoid this kind of attack, always use stored procedures, called with parameters rather than with concatenated SQL; they are much more secure and also good for performance.
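As an added example (not code from the original post), the login query above written the vulnerable way and then the safe way, once with SqlParameter objects and once as a parameterized stored-procedure call. The table, column and procedure names (users, passwordhash, dbo.usp_Login) are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class LoginHelper
{
    // Vulnerable: user-controlled text is concatenated straight into the statement,
    // so the input shown in the post above changes the query's logic instead of
    // being treated as data.
    public static bool LoginUnsafe(SqlConnection conn, string userName, string password)
    {
        string sql = "select username from users where username='" + userName +
                     "' and password='" + password + "'";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            return cmd.ExecuteScalar() != null;
        }
    }

    // Safe: the same query with parameters. The user's text is sent to SQL Server
    // as a value and is never parsed as part of the statement, so quotes and
    // keywords in it cannot alter the query's structure.
    public static bool LoginParameterized(SqlConnection conn, string userName, string passwordHash)
    {
        const string sql =
            "select username from users where username=@user and passwordhash=@hash";
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 64).Value = passwordHash;
            return cmd.ExecuteScalar() != null;
        }
    }

    // Stored-procedure form, as the post recommends. Assumes a procedure
    // dbo.usp_Login(@user nvarchar(50), @hash nvarchar(64)) that selects the matching
    // row without building dynamic SQL; the application login then needs only
    // EXECUTE on this procedure, not SELECT on the table.
    public static bool LoginStoredProcedure(SqlConnection conn, string userName, string passwordHash)
    {
        using (SqlCommand cmd = new SqlCommand("dbo.usp_Login", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 64).Value = passwordHash;
            return cmd.ExecuteScalar() != null;
        }
    }
}
```

The two safe versions take a password hash rather than the plain password, in line with tip 5 below.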

2. Always switch on custom errors in web.config. Detailed errors are friendly only to us developers when customErrors is Off, and not at all friendly when viewed by users. Before deployment, make sure the mode is set to either RemoteOnly or On.

An ASP.NET detailed error page gives the exact error, including where the application broke, and if the failure was on the SQL side it can straight away expose a table name and thus the DB structure.

Therefore, always use custom errors and take users to a page that says "Sorry for the inconvenience..." whenever an error occurs in your application.

3. Validate all data received as input from clients. A search textbox that takes search text from the user can very well be an excellent way for an attacker to embed SQL statements or scripts.

Therefore, ensure ValidateRequest="true" is set in the Page directive or at the web.config level. Also check whether the text entered contains statements such as SELECT or DELETE before processing the information.

4. Never use the sa username in your DB connection string. It is the most vulnerable login and the most likely to be compromised. Always use a custom username and password to access the database from your application.

5. Never store passwords in your database as plain text. Hash them or encrypt them to keep them secure. Sending the password by email is another security risk.

There are many more secure strategies which, when followed, provide a safe environment for your applications and may well save you a bad day caused by hacking.

via Harish
