Securing older asp.net websites

  • Question

  • User-49466106 posted

    Hi;

    I have been tasked with coming up with a quick way of retrofitting an ASP.NET 2.0 site to prevent SQL injection attacks.

    The site just underwent a local pen test which discovered a few "severe" errors related to viewstate and several web server controls, i.e. buttons, check boxes.

    I think a large part of the solution is encoding / decoding the values in the controls, and I know that I have done this in a code-behind event before (Html.Encode, etc.).

    Am I correct ?

    And my other inclination is to update the site to VS 2010 / ASP.NET Framework 4 - 4.5 because of the built-in security in the web controls.

    Would updating be faster ?

    I wish I had time to do it right and update to asp.net MVP but I don't.

    Thanks for your opinion !


    Thursday, November 8, 2012 1:36 PM

Answers

  • User1779161005 posted

    The biggest problems are probably XSS attacks, so you need to HtmlEncode all untrusted values. Unfortunately you will have to check this control-by-control because some controls in ASP.NET automatically HtmlEncode their properties before rendering, but others do not.

    Security is something that should be designed into the app and there's no "quick fix".

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Thursday, November 8, 2012 1:58 PM
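The control-by-control check described in the answer, as an added example that is not code from the original thread. It is a Web Forms code-behind showing which control properties are written to the response verbatim (and must be encoded), which are already attribute-encoded by the control (and must not be encoded twice), and the parameterized query that addresses the SQL injection concern from the question. The control names (lblGreeting, litNotice, txtSearch, lblResults), the "Main" connection string and the Articles table are assumptions for illustration only. Explicit types are used rather than `var` so the snippet also compiles under the C# 2.0 compiler that an ASP.NET 2.0 project uses.

```csharp
// Added example, not from the original post. Control names, the "Main"
// connection string and the Articles table are assumptions for illustration.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Search : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted input: a query-string value the attacker controls.
        // Request validation (ValidateRequest) rejects some obvious payloads,
        // but it is a blocklist and is not a substitute for output encoding.
        string name = Request.QueryString["name"] ?? string.Empty;

        // Label.Text is emitted into the page verbatim: encode it.
        lblGreeting.Text = "Hello, " + HttpUtility.HtmlEncode(name);

        // Literal encodes only when Mode is Encode; set it explicitly instead
        // of relying on whatever the markup declares.
        litNotice.Mode = LiteralMode.Encode;
        litNotice.Text = name;

        // TextBox.Text (and Button.Text) are rendered as attribute values and
        // the control attribute-encodes them itself. Encoding here as well
        // would show the user "&lt;" instead of "<", so assign the raw value.
        txtSearch.Text = name;
    }

    protected void btnGo_Click(object sender, EventArgs e)
    {
        string term = txtSearch.Text;

        // Vulnerable form, kept as a comment for comparison: concatenation lets
        // a term such as  ' OR 1=1 --  rewrite the statement.
        // string sql = "SELECT Title FROM Articles WHERE Title LIKE '%" + term + "%'";

        // Fixed form: the term travels as a typed parameter, never as SQL text.
        // (% and _ inside the term are still LIKE wildcards; escape them if
        // wildcard matching by the user is not intended.)
        string connStr =
            ConfigurationManager.ConnectionStrings["Main"].ConnectionString;

        lblResults.Text = string.Empty;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Title FROM Articles WHERE Title LIKE @pattern", conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value =
                "%" + term + "%";
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Data read back from the database is untrusted too
                    // (stored XSS): encode it before it goes into Label.Text.
                    string title = reader.GetString(0);
                    lblResults.Text += HttpUtility.HtmlEncode(title) + "<br />";
                }
            }
        }
    }
}
```

Upgrading the framework does not change this picture much: Label.Text and HyperLink.Text still render unencoded in ASP.NET 4.x. What ASP.NET 4.0 added is the `<%: expression %>` markup syntax, which HTML-encodes its output (unlike `<%= %>`), so an upgrade helps mainly where inline expressions are used in the .aspx pages, not for values assigned to control properties in code-behind.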

All replies

  • User-49466106 posted

    Thanks Brock.

    This application was created in 2007 and has not had security maintenance done in a while.

    The security fixes have to be done quickly as this site is out of service while this gets "fixed".


    Thursday, November 8, 2012 2:27 PM