Securing older asp.net websites

Question

User-49466106 posted

Hi;

I have been tasked with coming up with a quick was of retrofitting an asp 2.0 to prevent Sql Injections attacks.

The site just underwent a local pen test which discovered a few "severe" errors related to viewstate, several web

server controls i.e. buttons, check boxes.

I think a large part of the solution is encoding - decoding the values in the controls and I know that I have done this

a code behind event before html.encode , etc. .

Am I correct ?

And my other inclination is to updating the site to vs 2010 / asp framework 4 - 4.5 because of built in security with

the web controls.

Would updating be faster ?

I wish I had time to do it right and update to asp.net MVP but I don't.

Thanks for your opinion !

 

Answer 1

User1779161005 posted

The biggest problems are probably XSS attacks, so you need to HtmlEncode all untrusted values. Unfortunately you will have to check this control-by-control because some controls in ASP.NET automatically HtmlEncode their properties before rendering, but others do not.

Security is something that should be designed into the app and there's no "quick fix".

Answer 2

User-49466106 posted

Thanks Brock.

This application was created in 2007 and has not has security maintenance done in a while.

The security fixes hav eto be done quickly as this site is out of service while this gets "fixed".