Questions tagged [asp.net-mvc]

ASP.NET MVC is a web application framework implementing the Model View Controller (MVC) pattern.

69 questions
87 votes, 2 answers

Should I use AntiForgeryToken in all forms, even login and registration?

I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms that modify protected data, etc. Some other forms, like…
Artiom Chilaru
19 votes, 1 answer

Where to store access and refresh tokens on ASP.NET client web app - calling a REST API

I've made a Web API in ASP.NET that acts as the entry point into a SQL Server database for report data. This service has a "token" endpoint that authenticates a user via ASP Identity and returns a 20-minute access token and a 2-week refresh token. This API…
Andy DesRosiers
15 votes, 2 answers

Does ASP.NET Viewstate implicitly prevent CSRF attacks? What does this mean for MVC?

If an encrypted ASP.NET Viewstate is submitted with every form, and control POST, does that mean that ASP.NET is less vulnerable to CSRF than other solutions with this? What is the extent and limitation of that protection? Since the AntiForgeryToken…
makerofthings7
11 votes, 2 answers

What unique risks does MVC model binding bring to a website? What additional vigilance is needed?

From what I understand, "model binding" is where a website based on ASP.NET MVC or Ruby on Rails (there are others...) takes parameters in HTTP's GET statement and passes them as variables to code within the site. Since GitHub (a popular FOSS site…
makerofthings7
10 votes, 1 answer

Drawbacks of storing an authentication token on the client side?

I am working on an ASP.NET MVC web application, which fetches its data from an API in the back. So authentication is currently done via ASP.NET Forms Authentication, which means the client sends email and password to the website, the website…
asp_net
10 votes, 1 answer

How client certificates work for authentication (in Web API)

I have been working on this scenario for a week. I have implemented the code to authenticate a client certificate using this link: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api. A few questions are still there: How can I…
DSA
8 votes, 3 answers

What authentication system (OpenID, Facebook, etc) permits Javascript-free and/or Cookie-Free operation?

I'm looking for an authentication system that relies on 3rd parties (ADFS, OpenID, SAML) but doesn't rely on cookies or Javascript... or at least can make them optional. My intent is to gracefully degrade and maintain state not in a cookie, but…
makerofthings7
8 votes, 2 answers

Javascript and jQuery not secure over https

I am building an ASP.NET MVC 3 app which will run in Azure. Everything was working well, until I switched to https. Now most of my jQuery plugins and some other javascript are not secure. I'm using the Datatables library as well as jsTree,…
James
6 votes, 1 answer

Passing a C# object to Javascript in ASP.NET MVC

Several answers on StackOverflow suggest that a C# object can be passed to JavaScript in ASP.NET MVC by the following: This is vulnerable to XSS. If any variable…
Sjoerd
6 votes, 2 answers

Problems with avoiding JSON hijacking with MVC3's AntiForgeryToken, or similar token validation

I'm hesitant to implement the proposed anti-JSON hijacking solutions since the recommended solutions to mitigating JSON hijacking involve non-RESTful JSON POSTs to GET data, and the alternate solution (object wrapping) causes problems with 3rd party…
makerofthings7
4 votes, 3 answers

How to prevent someone guessing the token in a reset password link

Currently I have the following set-up for handling users that forgot their password. A user types in his/her e-mail address and presses the forgot password button. I look up the user belonging to that e-mail address and I store a new 'forgot…
Roy T.
4 votes, 1 answer

ASP.NET MachineKey encryption

In ASP.NET you can use MachineKey.Protect to encrypt data. We are thinking of using this to encrypt some data which will be stored in hidden fields within a web page; these hidden fields are used when the web page is posted back. I have read…
Jake
4 votes, 2 answers

Windows Authentication and Session Ids

After a penetration test made upon an intranet application I'm developing, in ASP.NET MVC, one of the concerns raised was that the application supports concurrent user sessions and it is recommended that the application is reconfigured to support…
Boggin
4 votes, 3 answers

Can a mismatched server encoding on HTTP POST or GET result in a security issue?

It is possible for a server to parse HTTP POST and GET data with a fixed encoding or one that is dynamic with the client's response. Consider the situation where a client uses UTF-7, UTF-32 or any other encoding other than UTF-8. The server is then hard…
makerofthings7
4 votes, 1 answer

What are the implementation details and rationale of ASP.NET MVC3's AntiForgeryToken?

The AntiForgeryToken is used to prevent CSRF attacks, however the links on MSDN don't give me much insight to what exactly the AntiForgeryToken does, or how it works, or why things are done the way they are. From what I gather, it creates a hash…
makerofthings7