AppSec Blog: Category - .Net

AppSec Blog:

ASP.NET MVC: Data Validation Techniques

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the data validation features built into the ASP.NET MVC framework.

Data validation is one of the most important aspects of web app development. Investing effort into data validation makes your applications more robust and significantly reduces potential loss of data integrity.

Out of the box, the ASP.NET MVC framework provides full support of special components and mechanisms on both the client side and the server side.

Client-Side Validation
Enabled Unobtrusive JavaScript validation allows ASP.NET MVC HTML helper extensions to generate special markup to perform validation on the client side, before sending data to the server. The feature is controlled by the "UnobtrusiveJavaScriptEnabled" Boolean setting in the section.

Let's have a look at the Register page from the SecureWebApp

...

ASP.NET MVC: Using Identity for Authentication and Authorization

Guest Editor: Today's post is from Taras Kholopkin. Taras is a Solutions Architect at SoftServe, Inc. In this post, Taras will take a look at the authentication and authorization security features built into the ASP.NET MVC framework.

Implementing authentication and authorization mechanisms into a web application with a powerful ASP.NET Identity system has become a trivial task. The ASP.NET system was originally created to satisfy membership requirements, covering Forms Authentication with a SQL Server database for user names, passwords and profile data. It now includes a more substantial range of web application data storage options.

One of the advantages of the ASP.NET system is its two-folded usage: it may be either added to an existing project or configured during the creation of an application. ASP.NET Identity libraries are available

...

WhatWorks in AppSec: ASP.NET Defend Against Cross-Site Scripting Using The HTML Encode Shortcuts

Eric Johnson is an instructor with the SANS Institute for DEV544: Secure Coding in .NET: Developing Defensible Applications, and an information security engineer at a financial institution, where he is responsible for secure code review assessments of Internet facing web applications. Eric has spent nine years working in software development with over five years focusing on ASP .NET web application security. His experience includes software development, secure code review, risk assessment, static source code analysis, and security research. Eric completed a bachelor of science in computer engineering and a master of science in information assurance at Iowa State University. He currently holds the CISSP and GSSP-.NET certifications and is located in Las Vegas, NV.


The .NET 4.0 & 4.5 frameworks introduced new syntax shortcuts to HTML encode dynamic ...

Ask the Expert - James Jardine

James Jardine is a senior security consultant at Secure Ideas and the founder of Jardine Software. James has spent over twelve years working in software development with over seven years focusing on application security. His experience includes penetration testing, secure development lifecycle creation, vulnerability management, code review, and training. He has worked with mobile, web, and Windows development with the Microsoft .NET framework. James is a mentor for the Air Force Association's Cyber Patriot competition. He currently holds the GSSP-NET, CSSLP, MCAD, and MCSD certifications and is located in Jacksonville, Florida.


This is the second in a series of interviews with appsec experts about threat modeling.


1. Threat Modeling is supposed to be one of the most effective and fundamental practices in secure software development. But a lot of teams that are trying to do secure development ...

Forms Authentication: Remember Me? Its Hard Not Too!

ASP.Net Forms Authentication is a great way to authenticate users for the application. Microsoft has done a really good job at implementing this to make it simple and straightforward for developers. Forms Authentication allows for a user to enter their user name / password combination for an application and have that validated against a backend data source. There are some built in providers to help make this a pretty seamless and painless process for developers. The basic workflow for forms authentication is:


  1. User attempts to access a resource (details.aspx).

  2. Server requires the user to be authenticated and redirects the user to the login page (login.aspx).

  3. User enters user name and password and submits these to the server.

  4. Server Validates the credentials and if valid, creates an authentication cookie (most common) and sends it back to the user.

  5. With valid cookie, user no longer needs to enter a user ...