I am looking for a set of guidelines or a checklist that you can go over for securing a public ASP.NET MVC Website. I just want to make sure that I am not making any of the obvious and well-known issues when deploying a website.
Thanks.
4 answers
#1
5
- As always, make sure you properly encode output - notice that I am here saying encode and not HtmlEncode. If you're outputting content out to HTML then you want to use Html.Encode - however if you're outputting to JavaScript then you want to use a JavaScript encode function. This will help you against Cross Site Scripting (XSS).
- Use the helpers that help against CSRF attacks where needed (or maybe just everywhere).
- Depending on how you access your data storage, if it's a SQL Database, remember to protect yourself against SQL injections, either through parameterized queries, stored procedures, LINQ or what have you.
- When you test - make sure your test data contains dodgy output (stuff where a failure to call Html.Encode would reveal itself easily, perhaps through
<script type="text/javascript">alert("XSS attack!");</script>XSS here!
, same goes for stuff that's injected into JavaScript, make mistakes show up!)
- When model binding, use a whitelisting approach for properties so users cannot make the binder bind properties that are not intended to be bound!
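As an added illustration of the first, second and last bullets above (this is not the answerer's code): an MVC controller that combines whitelisted model binding, the anti-forgery helper, and an encoder chosen by output context. It assumes ASP.NET MVC 2 on .NET 4 (where HttpUtility.JavaScriptStringEncode exists); CommentsController, CommentViewModel and CommentStore are hypothetical names.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical view model. IsApproved is a server-controlled flag that an
// unrestricted binder would accept from any extra field in the posted form.
public class CommentViewModel
{
    public string Author { get; set; }
    public string Body { get; set; }
    public bool IsApproved { get; set; }
}

public class CommentsController : Controller
{
    // The form view renders <%= Html.AntiForgeryToken() %> inside Html.BeginForm();
    // ValidateAntiForgeryToken rejects posts without the matching token/cookie pair.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(
        // Whitelist: only Author and Body may be bound, so IsApproved stays false
        // no matter which fields the request carries.
        [Bind(Include = "Author,Body")] CommentViewModel comment)
    {
        if (!ModelState.IsValid)
            return View(comment);

        comment.IsApproved = false;  // decided by moderation code, never by the client
        CommentStore.Add(comment);   // hypothetical persistence call
        return RedirectToAction("Index");
    }

    // Emits a script fragment. The output context is a JavaScript string literal,
    // not HTML markup, so Html.Encode would be the wrong tool: it does not escape
    // backslashes or line breaks, which matter inside a string literal.
    public ContentResult AuthorScript(string author)
    {
        string literal = HttpUtility.JavaScriptStringEncode(author ?? "", addDoubleQuotes: true);
        return Content("var commentAuthor = " + literal + ";", "application/javascript");
    }
}

// Minimal in-memory stand-in for a data store (constructed for the example).
public static class CommentStore
{
    private static readonly System.Collections.Generic.List<CommentViewModel> Items =
        new System.Collections.Generic.List<CommentViewModel>();
    public static void Add(CommentViewModel c) { Items.Add(c); }
}
```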
#2
1
I kinda do the following:
- Separate my concerns. Admin in admin folder etc.
- [Authorize] on all actions that require you to be logged in.
- Html.Encode all data entry fields.
- ActionResult Create([Bind(Prefix = "", Exclude = "id")]MyModel newModelObject) <== exclude IDs that can be used in an attack
Other than that...
#3
1
The below are general ASP.NET measures:
- Set Debug=false in web.config
- Turn on custom errors
- Encrypt your cookies
- Validate all inputs
- Enable Request Validation
- Encode your output
#4
1
Don't use the default GET on actions unless absolutely necessary. For example, if you have a DeleteUser action that doesn't have an [AcceptVerbs(HttpVerbs.Post)] on it, it can be called via
<img src="http://yoursite/admin/DeleteUser/1" />
which will get called by whoever "views" the image.
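The fix this answer points at, written out as an added example (not the answerer's code): the state-changing DeleteUser action accepts only POST, so the GET that an <img> tag issues reaches at most a confirmation page. It assumes ASP.NET MVC 1/2 attribute names; AdminController, the Users action and UserRepository are hypothetical.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

public class AdminController : Controller
{
    // GET /admin/DeleteUser/1 only renders a confirmation form; nothing changes.
    // That form posts back to the same URL and includes <%= Html.AntiForgeryToken() %>.
    [Authorize(Roles = "Admin")]
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult DeleteUser(int id)
    {
        return View(id);
    }

    // The deletion lives only behind POST. A browser loading
    // <img src=".../DeleteUser/1" /> sends GET, so it can never reach this method;
    // the anti-forgery token additionally ties the POST to a form this site rendered.
    // C# cannot overload on attributes alone, hence the second method name mapped
    // back onto the DeleteUser action name.
    [Authorize(Roles = "Admin")]
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    [ActionName("DeleteUser")]
    public ActionResult DeleteUserConfirmed(int id)
    {
        UserRepository.Delete(id);
        return RedirectToAction("Users");
    }
}

// In-memory stand-in for the user store (constructed sample data, hypothetical type).
public static class UserRepository
{
    private static readonly HashSet<int> Ids = new HashSet<int> { 1, 2, 3 };
    public static bool Exists(int id) { return Ids.Contains(id); }
    public static bool Delete(int id) { return Ids.Remove(id); }
}
```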