Would be old one but just a refreshing
Contents
What ASP.NET Developers Should Always Do
Where the Threats Come From
ViewStateUserKey
Cookies and Authentication
Session Hijacking
EnableViewStateMac
ValidateRequest
Database Perspective
Hidden Fields
E-mails and Spam
Summary
Related Resources
What ASP.NET Developers Should Always Do
If you're reading this article, you probably don't need to be lectured about the growing importance of security in Web applications. You're likely looking for some practical advice on how to implement security in ASP.NET applications. The bad news is that no development platform—including ASP.NET—can guarantee you'll be writing 100-percent secure code once you adopt it—who tells that, just lies. The good news, as far as ASP.NET is concerned, is that ASP.NET, especially version 1.1 and the coming version 2.0, integrates a number of built-in defensive barriers, ready to use.
The application of all these features alone is not sufficient to protect a Web application against all possible and foreseeable attacks. However, combined with other defensive techniques and security strategies, the built-in ASP.NET features form a powerful toolkit to help ensure that applications operate in a secure environment.
Web security is the sum of various factors and the result of a strategy that goes well beyond the boundaries of the individual application to involve database administration, network configuration, and also social engineering and phishing.
The goal of this article is to illustrate what ASP.NET developers should always do in order to keep the security bar reasonably high. That's what security is mostly about—keep the guard up, never feel entirely secure, and make it harder and harder for the bad guys to hack.
Let's see what ASP.NET has to offer to simplify the job.
Where the Threats Come From
In Table 1, I've summarized the most common types of Web attacks and flaws in the application that can make them succeed.
Attack | Made possible by . . . |
Cross-site scripting (XSS) |
Untrusted user input echoed to the page |
SQL injection |
Concatenation of user input to form SQL commands |
Session hijacking |
Session ID guessing and stolen session ID cookies |
One-click |
Unaware HTTP posts sent via script |
Hidden field tampering |
Unchecked (and trusted) hidden field stuffed with sensitive data |
More at ....
Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks
http://msdn2.microsoft.com/en-us/library/ms972969.aspx