-2

I have heard many times that hacking .NET websites is different from others. What's the technique used by hackers to hack .NET websites, and how can we secure .NET websites?

1 Answer

2

I think you were misinformed. .NET websites aren't intrinsically different from any other websites. On modern topologies, the website runtime is sufficiently separated from IIS so that escalation attacks shouldn't be any easier than e.g. a Java site running on Tomcat and Apache; the default templating engine, Razor, and its immediate predecessor (to a lesser extent), both prevent most common HTML injection attacks; sessions are secure by default; the framework provides strong XSS defenses; and so on. This is almost exactly what I'd be saying for any modern framework in any other language—and as in those, you'd be looking for places where a well-meaning developer bypassed things like the HTML injection protection to get something done, and then to exploit it.

There's lots of unique stuff to .NET, but only in the same general sense that I could make the same statement about Java, Python, or Ruby, and none of it is related to how .NET intrinsically.
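
For the securing side of the question, a code-review check for the bypasses the answer describes can be scripted. The following is an added example, not part of the original answer: it flags view code that emits output without HTML encoding. The pattern list is an assumption (`Html.Raw`, `HtmlString`/`MvcHtmlString` and the ASPX `<%= %>` expression are real ASP.NET constructs the answer does not name), the function names are hypothetical, and the sample views are constructed.

```python
import re

# Constructs that write markup without HTML encoding.
# Assumed audit list for this example; extend it for your code base.
BYPASS_PATTERNS = [
    ("razor-html-raw", re.compile(r"Html\.Raw\s*\(")),
    ("html-string-ctor", re.compile(r"new\s+(?:Mvc)?HtmlString\s*\(")),
    ("mvchtmlstring-create", re.compile(r"MvcHtmlString\.Create\s*\(")),
    ("aspx-unencoded-expr", re.compile(r"<%=")),  # <%: %> is the encoded form
]
RAZOR_COMMENT = re.compile(r"@\*.*?\*@", re.S)


def _blank_comments(text):
    # Drop Razor comments but keep their newlines so line numbers still match.
    return RAZOR_COMMENT.sub(lambda m: "\n" * m.group(0).count("\n"), text)


def find_encoding_bypasses(name, text):
    """Return (file, line number, rule, source line) for each unencoded output."""
    findings = []
    for lineno, line in enumerate(_blank_comments(text).splitlines(), 1):
        for rule, pattern in BYPASS_PATTERNS:
            if pattern.search(line):
                findings.append((name, lineno, rule, line.strip()))
    return findings


def audit(views):
    results = []
    for name, text in sorted(views.items()):
        results.extend(find_encoding_bypasses(name, text))
    return results


# Constructed sample views (not taken from any real project).
SAMPLE_VIEWS = {
    "Comment.cshtml": (
        "<h2>@Model.Title</h2>\n"               # encoded by Razor
        "@* old: @Html.Raw(Model.Title) *@\n"   # commented out, ignored
        "<div>@Html.Raw(Model.Body)</div>\n"    # encoding bypassed
    ),
    "Legacy.aspx": (
        "<p><%: Model.Name %></p>\n"            # encoded
        "<p><%= Model.Bio %></p>\n"             # not encoded
    ),
}

if __name__ == "__main__":
    for name, lineno, rule, line in audit(SAMPLE_VIEWS):
        print(f"{name}:{lineno}: {rule}: {line}")
```

Each finding is a place to confirm that the value is either trusted markup or sanitized before it reaches the view; a hit is a review prompt, not proof of a vulnerability.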