From JD:
Input is one of the most common attack vectors and input validation is a tough topic. There are lots of mistakes you can make. For example, don't rely on ASP.NET's request validation (you should use it, but you should not rely on it as your sole means of defense -- only YOU can define what good input for your application is). Also, don't assume you can figure out what "bad" input looks like and use a "deny" approach … opt for an "allow" approach and define good input up front. Assuming you get the right approach, using regular expressions effectively is tricky for the typical practitioner.
What we tried to do here is lay out an effective set of modules (think of them as reusable content "components") to help tackle the finer points of injection attacks and help practitioners implement effective input validation in their ASP.NET applications.
- How To: Protect From Injection Attacks in ASP.NET: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000003.asp
- How To: Use Regular Expressions to Constrain Input in ASP.NET: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000001.asp
- How To: Protect From SQL Injection in ASP.NET: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000002.asp
- How To: Prevent Cross-Site Scripting in ASP.NET: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/paght000004.asp
Read them. Remember them. Be them. (or be h4xx0red)
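To make the "allow, don't deny" point concrete, here is an added example in C# (it is not code from the post above or from the MSDN How-Tos). It puts a deny-list check for a user name next to an allow-list check built from an anchored regular expression, and runs both over a few constructed inputs. The user-name rules (a letter followed by 2 to 19 letters, digits or underscores) and the sample inputs are assumptions made for the illustration; the important detail is the `\A` / `\z` anchoring, because in .NET a `$` anchor also matches just before a trailing newline, so `^...$` lets "alice\n" through.

```csharp
// Added example, not from the original post: deny-list vs allow-list
// validation of a user name, written as a console program so it runs
// stand-alone. In a real ASP.NET page the input would come from
// Request.Form["userName"] or a TextBox, and the same pattern can be
// placed in a RegularExpressionValidator's ValidationExpression.
using System;
using System.Text.RegularExpressions;

public static class InputValidation
{
    // Weak form: try to recognise "bad" input. Shown only for contrast.
    // Anything the author did not list (or listed in a different encoding
    // or case) gets through; that is why JD says not to rely on it.
    public static bool DenyListUserName(string input)
    {
        string[] bad = { "<script", "'", "--", ";" };
        foreach (string b in bad)
        {
            if (input.IndexOf(b, StringComparison.OrdinalIgnoreCase) >= 0)
                return false;
        }
        return true;
    }

    // Allow-list form: define exactly what a valid user name looks like
    // (assumed rule: letter, then 2..19 letters/digits/underscores) and
    // reject everything else. \A and \z anchor to the absolute start and
    // end of the string; "$" alone would also match before a trailing "\n".
    private static readonly Regex UserNameRegex =
        new Regex(@"\A[A-Za-z][A-Za-z0-9_]{2,19}\z");

    public static bool AllowListUserName(string input)
    {
        return input != null && UserNameRegex.IsMatch(input);
    }

    public static void Main()
    {
        // Constructed sample inputs for the demonstration.
        string[] samples =
        {
            "alice",          // valid: both checks accept
            "alice\n",        // trailing newline: allow-list rejects, deny-list accepts
            "Alice<SCRIPT>",  // both reject (deny-list only because of the case-insensitive compare)
            "%3Cscript%3E",   // URL-encoded "<script>": passes the deny-list, fails the allow-list
            "alice' OR 1=1",  // both reject
            "a"               // too short: allow-list rejects, deny-list accepts
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-16} deny-list: {1,-5} allow-list: {2}",
                s.Replace("\n", "\\n"),
                DenyListUserName(s),
                AllowListUserName(s));
        }
    }
}
```

Whether the encoded "%3Cscript%3E" is actually harmful depends on what decodes it downstream; the point is that the deny-list has no opinion about it, while the allow-list never has to reason about encodings because "%" simply is not a permitted character. If you use a RegularExpressionValidator instead of calling Regex yourself, remember that validator controls only take effect when the page code checks Page.IsValid before acting on the input.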
posted on Tuesday, June 28, 2005 7:46 AM