Book III Chapter 1: Writing Secure Code
Building Secure Web Forms Applications

Normally, a user enters the appropriate information into the text box. But a cracker attempting a SQL Injection attack would enter the following string into textBox1:

    FOOBAR';DELETE FROM Items;--

The SQL code that would be run by your code would look like this:

    SELECT * FROM Items WHERE ProductID = 'FOOBAR';DELETE FROM Items;--

The SQL Server executes some code you didn't expect; in this case, the code deleted everything in the Items table.
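The concatenated query described above, next to the same lookup sent with a SQL parameter, as an added example that is not from the book. It assumes the .NET Framework System.Data.SqlClient classes; the stored procedure name GetItemByProductId and the NVarChar(50) parameter type are hypothetical. No connection is opened, so it runs without a database and only shows what each approach would send.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class ItemQueries
{
    // Vulnerable pattern: the text box value becomes part of the SQL text,
    // so a quote in the input ends the literal and the rest runs as SQL.
    public static string BuildConcatenated(string productId)
    {
        return "SELECT * FROM Items WHERE ProductID = '" + productId + "'";
    }

    // Hardened pattern: the command text is fixed and the value travels
    // separately as a typed parameter, so it is only ever treated as data.
    // GetItemByProductId is a hypothetical stored procedure name.
    public static SqlCommand BuildParameterized(string productId)
    {
        var cmd = new SqlCommand("GetItemByProductId");
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@ProductID", SqlDbType.NVarChar, 50).Value = productId;
        return cmd;
    }

    static void Main()
    {
        // The injection string from the text above.
        string input = "FOOBAR';DELETE FROM Items;--";

        Console.WriteLine("Concatenated SQL text:");
        Console.WriteLine("  " + BuildConcatenated(input));

        using (SqlCommand cmd = BuildParameterized(input))
        {
            Console.WriteLine("Parameterized command text:");
            Console.WriteLine("  " + cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
            {
                Console.WriteLine("  {0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
            }
        }
    }
}
```

In the first output the DELETE statement is part of the SQL text; in the second the whole input is a single parameter value and the command text never changes.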
Preventing SQL Injection
The easiest way to prevent SQL Injection is to never use string concatenation to generate SQL. Use a stored procedure and SQL parameters. You can read more about that in Chapter 2 of this minibook.

Script exploits
A script exploit is a security flaw that takes advantage of the JavaScript engine in a user's Web browser. Script exploits take advantage of one of the more common features of public Web Forms applications: enabling interaction among users. For instance, a Web Forms application may enable a user to post a comment that other users of the site can view, or it may allow a user to fill out an online profile.

Understanding script exploits
If a malicious user were to put some script code in his or her profile or comment, that hacker could take over the browser of the next user who comes to the site. Several outcomes are possible, and none of them are good. For instance, the cookies collection is available to JavaScript when a user comes to your site. A malicious user would put some script code in his or her profile that could copy the cookie for your site to a remote server. This could give the malicious user access to the current user's session because the session identifier is stored as a cookie. The malicious user would then be able to spoof the current user's identity.

Preventing script exploits
Fortunately, ASP.NET prevents users from typing most script code into a form field and posting it to the server. Try it with a basic Web Forms project by following these steps (you see the error shown in Figure 1-3):

1. Create a new Web Forms project.
2. Add a text box and a button to the default page.
3. Run the project.
4. Type <script>msgbox()</script> into the text box.
5. Click the button.

Additionally, you can use the Server.HtmlEncode method to encode anything that the Web Forms application sends to the screen; this will make script code appear in real text rather than in HTML.
Figure 1-3: Script exploits are blocked by default
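Output encoding as described above, applied to a list of user comments (an added example, not from the book). It uses System.Net.WebUtility.HtmlEncode in place of Server.HtmlEncode so that it runs as a console program outside a page; the CommentRenderer class and the sample comments are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;

static class CommentRenderer
{
    // Builds the HTML fragment for user-posted comments. Every user-supplied
    // value is encoded at the point of output, so markup inside it is shown
    // as text instead of being parsed by the next visitor's browser.
    public static string Render(IEnumerable<KeyValuePair<string, string>> comments)
    {
        var html = new StringBuilder("<ul>\n");
        foreach (var c in comments)
        {
            // HtmlEncode escapes <, >, &, " and ', which covers both
            // element content and quoted attribute values.
            string author = WebUtility.HtmlEncode(c.Key);
            string body = WebUtility.HtmlEncode(c.Value);
            html.AppendFormat("  <li title=\"{0}\">{1}</li>\n", author, body);
        }
        return html.Append("</ul>").ToString();
    }

    static void Main()
    {
        // Constructed sample data: an ordinary comment, a comment carrying
        // the script string from the steps above, and an author name that
        // contains quote characters.
        var comments = new List<KeyValuePair<string, string>>
        {
            new KeyValuePair<string, string>("alice", "Great product & fast shipping"),
            new KeyValuePair<string, string>("bob", "<script>msgbox()</script>"),
            new KeyValuePair<string, string>("Dan \"the man\" O'Neil", "hello"),
        };
        Console.WriteLine(Render(comments));
    }
}
```

The script tag in the second comment is emitted as escaped text, and the quotes in the third author name stay inside the title attribute instead of closing it.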
Best practices for securing Web Forms applications
Aside from making sure that your Web Forms application will prevent SQL Injection attacks and script exploits, you should keep in mind some good practices for securing your Web applications. The following list runs down some of the most important practices for securing your Web applications:

- Keep your IIS box up to date.
- Back up everything.
- Avoid using a Querystring variable.
- Don't leave HTML comments in place. Any user can view the HTML code and see your comments by choosing View Source in a browser.
- Don't depend on client-side validation for security; it can be faked.
- Use strong passwords.
- Don't assume what the user sent you came from your form and is safe. It is easy to fake a form post.
- Make sure that error messages don't give the user any information about your application. E-mail yourself the error messages instead of displaying them to the user.
- Use Secure Sockets Layer.
- Don't store anything useful in a cookie.
- Close all unused ports on your Web server.
- Turn off SMTP on IIS unless you need it.
- Run a virus checker if you allow uploads.
- Don't run your application as Administrator.
- Use temporary cookies, if possible, by setting the expiration date to a past date. The cookie will stay alive only for the length of the session.
- Put a size limit on file uploads. You can do it in the Web.config file: