Questions tagged [asp.net]

ASP.NET is a Web application framework developed and marketed by Microsoft to allow programmers to build dynamic Web sites, Web applications and Web services.

It was first released in January 2002 with version 1.0 of the .NET Framework, and is the successor to Microsoft's Active Server Pages (ASP) technology. ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language. The ASP.NET SOAP extension framework allows ASP.NET components to process SOAP messages.

225 questions
87 votes, 2 answers

Should I use AntiForgeryToken in all forms, even login and registration?

I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms, that modify protected data etc. Some other forms, like…
Artiom Chilaru
60 votes, 6 answers

Anonymous surveys that aren't so anonymous

In the past I have completed an 'anonymous' survey at work only to find that my employer was able to garner a lot of not-anonymous information from this survey. Location, name of manager, etc. None of this information was provided in the survey. …
iShaymus
25 votes, 3 answers

How to ensure that cookies are always sent via SSL when using ASP.NET on IIS 7.5?

Firesheep has brought the issue of insecure cookie exchanges to the forefront. How can you ensure that all cookie exchanges are forced to occur only via an SSL-secured connection to the server when you're communicating to a web user? Our scenario…
cpuguru
22 votes, 3 answers

What risks do Cookieless sessions have? What are the mitigations?

I'm debating if I should support cookieless sessions in my web app. It would look something like this: http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx Since the URL is never constant, I don't think it's possible for a CSRF…
makerofthings7
19 votes, 6 answers

Is there a security risk running web apps in debug="true"?

This is a copy of the original question on Stack Overflow which didn't get much love and is probably more relevant here: There are plenty of performance reasons why apps shouldn't be run in debug="true" mode (good rundown from Scott Gu), but are…
Troy Hunt
19 votes, 1 answer

Where to store access and refresh tokens on ASP.NET client web app - calling a REST API

I've made a Web API in ASP.NET that acts as the entry point into a SQL Server database for report data. This service has a "token" endpoint that authenticates a user via ASP Identity and returns a 20-minute access and 2-week refresh token. This API…
Andy DesRosiers
17 votes, 5 answers

Is it possible to inject values in a drop down list?

Say an ASP.NET page, or any HTML page for that matter, has a drop down list with a bunch of prices. On posting the page, the code looks at the selection of the drop down list for a computation. Is it possible for someone to alter the values and…
drobison
15 votes, 2 answers

Does ASP.NET Viewstate implicitly prevent CSRF attacks? What does this mean for MVC?

If an encrypted ASP.NET Viewstate is submitted with every form, and control POST, does that mean that ASP.NET is less vulnerable to CSRF than other solutions with this? What is the extent and limitation of that protection? Since the AntiForgeryToken…
makerofthings7
14 votes, 3 answers

ASP.NET MVC Security Check List

I am planning to start a new web site on ASP.NET MVC 2 (3). Does anybody have a full (if possible) check list of actions or approaches I should go through to avoid most security issues?
garik
12 votes, 6 answers

Is this a ViewState attack?

I recently found this request in the event log: Client IP: 193.203.XX.XX Port: 53080 User-Agent: Mozilla/4.0 (compatible; Synapse) ViewState: -1' Referer: Now, the ViewState: -1' part combined with the origin of the IP address (Ukraine, we don't…
jao
11 votes, 2 answers

How reliable is ASP.NET's Request Validation feature?

ASP.NET offers an extra layer to protect your application from XSS attacks and injection in general which is called Request validation. On their official topic, they mention that: Even if you're using request validation, you should HTML-encode text…
Simon
10 votes, 1 answer

Is it unwise to use Redis to store PII, private keys, and other secrets?

I'm reviewing a system that is using Redis to store all client secrets, private keys, and other things. The problem is that Redis loads the entire DB into RAM. Since SSL's Heartbleed, Rowhammer, and other hacks are known to expose memory to…
makerofthings7
10 votes, 5 answers

Password reset links: random value or authenticated message?

Which is better? Create tamper-proof encrypted password reset token which contains the user id and the expiration time within the encrypted token. Generate a random token and store it in the database with the user id and expiration date. Look up…
John
10 votes, 1 answer

How a client certificate works for authentication (in Web API)

I have been working on this scenario for a week. I have implemented the code to authenticate client certificate using this link: http://www.asp.net/web-api/overview/security/working-with-ssl-in-web-api. A few questions are still there: How can I…
DSA
9 votes, 1 answer

CSRF in ASP.NET

There's this "change password" ASP.NET form that has both event validation and viewstate enabled. There are no specific anti-CSRF tokens. From my understanding, in order to execute a successful CSRF attack, an attacker will have to be able to get…
user63518