I printed out this fantastic article on MSDN, called Security Practices: ASP.NET 2.0 Security Practices at a Glance. If you do nothing else this weekend, I recommend you check out the article here and see where you can improve the security of your applications.
Here are just a few of the items worth noting. I hope to go into them all in more detail in future posts:
Use PrincipalPermission to Demand Role-Based Security
[PrincipalPermission(SecurityAction.Demand, Role="Admin")]
public class AdminOnlyPage : BasePage
{
    // The declarative demand runs before any code in this class: a request whose
    // principal is not in the "Admin" role fails with a SecurityException.
}
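The following is an added example, not code from the post or the MSDN article: the same declarative demand exercised outside ASP.NET, where a GenericPrincipal is built by hand so the demand can be seen both passing and failing. The class and role names are assumptions. It needs the .NET Framework; on .NET Core and later, PrincipalPermission.Demand throws PlatformNotSupportedException.

```csharp
// Added example: a PrincipalPermission demand against a hand-built principal.
// In a web application Thread.CurrentPrincipal is set by the authentication module;
// here it is set directly so the check can be observed in a console program.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

class AdminOnlyService
{
    // Declarative demand: every call verifies Thread.CurrentPrincipal.IsInRole("Admin").
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public string DeleteEverything()
    {
        return "deleted";
    }
}

class Demo
{
    // Runs the protected call as the named user with the given (assumed) roles.
    static void RunAs(string name, params string[] roles)
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(name), roles);
        try
        {
            Console.WriteLine(name + ": " + new AdminOnlyService().DeleteEverything());
        }
        catch (SecurityException ex)
        {
            // The demand failed: the caller is not in the Admin role.
            Console.WriteLine(name + ": denied (" + ex.GetType().Name + ")");
        }
    }

    static void Main()
    {
        RunAs("alice", "Admin", "User");   // in Admin: the call proceeds
        RunAs("bob", "User");              // not in Admin: SecurityException
    }
}
```

Note that the check is only as good as the principal behind it: if your site does not populate roles (no role manager, no custom principal), IsInRole is always false and the demand denies everyone.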
Securing a Particular Directory in ASP.NET (Deny Anonymous Users). The "?" wildcard means anonymous users, so this rule forces a login for everything under Secure but does not restrict it to particular roles.
<location path="Secure" >
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
</location>
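As an added example (not from the post or the MSDN article), here is that anonymous-only rule beside the version that admits only one role; the path and the "Admin" role name are assumptions, and in a real web.config only one of the two location elements would be present.

```xml
<!-- Added example 1: requires authentication only. Any logged-in user, in any role, can reach /Secure. -->
<location path="Secure">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

<!-- Added example 2: restricts /Secure to the (assumed) Admin role. Rules are evaluated top to bottom
     and the first match wins, so the allow must come before the deny-all, and "*" means everyone. -->
<location path="Secure">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>
```

URL authorization only sees the roles the current principal reports, so with Forms authentication you need the role manager enabled (roleManager enabled="true") or a custom principal that carries roles; otherwise the second configuration locks everyone out.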
Prevent SQL Injection by Using SqlParameters
using System.Data;
using System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // The user-supplied value travels as a typed, length-limited parameter and never
    // becomes part of the SQL text, so quotes in SSN.Text are just data. This protects
    // the call itself, not a stored procedure that builds dynamic SQL from its arguments.
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    // Fill opens and closes the connection itself.
    myCommand.Fill(userDataset);
}
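To make the difference concrete, here is an added example (not from the post or the MSDN article) that builds the same lookup both ways and inspects the result without opening a database: the concatenated version absorbs the attacker's quote into the SQL text, the parameterised version does not. The table, column and provider (System.Data.SqlClient) are assumptions.

```csharp
// Added example: vulnerable string concatenation beside a parameterised SqlCommand.
// No connection is opened; the commands are only constructed and printed.
using System;
using System.Data;
using System.Data.SqlClient;

class SqlParameterDemo
{
    // Vulnerable: the untrusted value is spliced into the SQL text.
    static string BuildVulnerableQuery(string ssn)
    {
        return "SELECT * FROM authors WHERE au_id = '" + ssn + "'";
    }

    // Hardened: the SQL text is fixed; the value is carried as a typed parameter.
    static SqlCommand BuildParameterizedCommand(string ssn)
    {
        SqlCommand cmd = new SqlCommand("SELECT * FROM authors WHERE au_id = @au_id");
        cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
        return cmd;
    }

    static void Main()
    {
        // Constructed attacker input: the leading quote closes the string literal,
        // OR 1=1 makes the WHERE clause always true, and -- comments out the trailing quote.
        string payload = "' OR 1=1 --";

        // The payload becomes SQL syntax.
        Console.WriteLine(BuildVulnerableQuery(payload));

        // The command text is unchanged and the payload is just the parameter's value.
        SqlCommand cmd = BuildParameterizedCommand(payload);
        Console.WriteLine(cmd.CommandText);
        Console.WriteLine(cmd.Parameters["@au_id"].Value);
    }
}
```

Parameters.Add with an explicit SqlDbType and size is preferable to AddWithValue, which infers a type (NVarChar for strings) that may not match the column and can defeat index use; correctness against injection is the same either way.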
Turn On Custom Errors To Keep Errors Private. With mode="On" nobody sees the stack trace; "RemoteOnly" shows the detailed page only to requests made from the server itself, so local debugging still works while remote users get the friendly page.
<customErrors mode="On" defaultRedirect="YourErrorPage.htm" />
Create a Global Error Handler for Your ASP.NET Applications
<%@ Application Language="C#" %>
<%@ Import Namespace="System.Diagnostics" %>
<script language="C#" runat="server">
void Application_Error(object sender, EventArgs e)
{
    // Get a reference to the source of the exception chain
    Exception ex = Server.GetLastError().GetBaseException();
    // Log the details of the exception and page state to the Event Log.
    // The event source "My Web Application" must already exist (register it from an
    // installer): creating it on first use needs registry rights that the ASP.NET
    // process account normally does not have, and the log call then fails.
    // Request.Form is written verbatim, so an error on a login page puts the submitted
    // password into the event log; mask sensitive fields before logging them.
    EventLog.WriteEntry("My Web Application",
        "MESSAGE: " + ex.Message +
        "\nSOURCE: " + ex.Source +
        "\nFORM: " + Request.Form.ToString() +
        "\nQUERYSTRING: " + Request.QueryString.ToString() +
        "\nTARGETSITE: " + ex.TargetSite +
        "\nSTACKTRACE: " + ex.StackTrace,
        EventLogEntryType.Error);
    // Optional email or other notification here...
}
</script>
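Because the handler above logs Request.Form as-is, here is an added example (not from the post or the MSDN article) of a small helper that masks sensitive fields before they reach the event log; it runs as a console program with a constructed form collection. The list of sensitive name fragments is an assumption to extend for your own forms.

```csharp
// Added example: redact sensitive form fields before logging them from Application_Error.
using System;
using System.Collections.Specialized;
using System.Text;

static class FormRedactor
{
    // Assumed list of name fragments that mark a field as sensitive (matched case-insensitively).
    static readonly string[] SensitiveNames =
        { "password", "passwd", "pwd", "secret", "token", "ssn", "card" };

    public static bool IsSensitive(string fieldName)
    {
        if (fieldName == null) return false;
        foreach (string fragment in SensitiveNames)
            if (fieldName.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        return false;
    }

    // Renders the collection as one key=value pair per line, masking sensitive values.
    public static string Redact(NameValueCollection form)
    {
        StringBuilder sb = new StringBuilder();
        foreach (string key in form.AllKeys)
        {
            string value = IsSensitive(key) ? "[REDACTED]" : form[key];
            sb.Append(key).Append('=').Append(value).Append('\n');
        }
        return sb.ToString();
    }
}

class Demo
{
    static void Main()
    {
        // Constructed sample of what Request.Form holds after a failed login post.
        NameValueCollection form = new NameValueCollection();
        form.Add("UserName", "alice");
        form.Add("Password", "hunter2");
        form.Add("RememberMe", "on");

        // UserName and RememberMe are logged; Password is replaced by [REDACTED].
        Console.WriteLine(FormRedactor.Redact(form));
    }
}
```

In Global.asax, replace "\nFORM: " + Request.Form.ToString() with "\nFORM: " + FormRedactor.Redact(Request.Form); the same treatment applies to Request.QueryString if your site ever passes secrets in the URL.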
Prevent Cross-Site Scripting Using HtmlEncode and UrlEncode
// HtmlEncode for untrusted values written into the HTML body or an attribute value
Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
// UrlEncode for untrusted values placed into a URL or query string
Response.Write(HttpUtility.UrlEncode(urlString));
// Encode the string input from the HTML input text field
StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(htmlInputTxt.Text));
// Selectively allow <b> and <i> by turning only their encoded forms (&lt;b&gt; and so on)
// back into tags; everything else, including tags with attributes, stays encoded
sb.Replace("&lt;b&gt;", "<b>");
sb.Replace("&lt;/b&gt;", "</b>");
sb.Replace("&lt;i&gt;", "<i>");
sb.Replace("&lt;/i&gt;", "</i>");
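To see why the encode-then-whitelist approach holds up, here is an added example (not from the post or the MSDN article) that wraps it in a function and runs it over a few constructed inputs, including a bold tag carrying an event handler. The function name is an assumption.

```csharp
// Added example: encode everything, then re-enable only an exact whitelist of harmless tags.
// Because Replace matches the encoded form exactly, a tag with attributes, a different tag
// name or different letter case never matches and stays encoded.
using System;
using System.Text;
using System.Web;   // System.Web.dll on the .NET Framework

static class SafeMarkup
{
    public static string AllowBoldItalic(string untrusted)
    {
        StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(untrusted));
        sb.Replace("&lt;b&gt;", "<b>");
        sb.Replace("&lt;/b&gt;", "</b>");
        sb.Replace("&lt;i&gt;", "<i>");
        sb.Replace("&lt;/i&gt;", "</i>");
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed inputs: benign markup, a script tag, a bold tag with an event
        // handler, and upper-case tags.
        string[] inputs =
        {
            "Hello <b>world</b>",                 // <b> and </b> come back as real tags
            "<script>alert(1)</script>",          // stays fully encoded
            "<b onmouseover=\"alert(1)\">x</b>",  // opening tag stays encoded; only </b> is re-enabled
            "<B>shouting</B>",                    // case differs from the whitelist, stays encoded
        };
        foreach (string s in inputs)
            Console.WriteLine(AllowBoldItalic(s));
    }
}
```

The stray </b> left behind by the third input is harmless to the browser, which is the point of the technique: the only way to get a live tag into the output is to type exactly the four whitelisted strings. Remember that this is for HTML body context only; values that land inside a script block or a URL need a different encoder.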
The article contains a lot of other great words of wisdom on securing your applications. I recommend reading the article this weekend and implementing those that make sense in your applications.