Wednesday, 20 May 2015

ASP.Net Cheat Sheet and best practices

I have prepared a cheat sheet of points to take into consideration while working on any ASP.Net project.

  1. Authentication and authorization policies
  2. Input Validation
    Security Parameters Alignment
    Confirm the input range is checked at Form textbox controls.
    Confirm RequiredFieldValidator is implemented.
    Confirm RegularExpressionValidator is implemented.
    Confirm RangeValidator is implemented.
    Confirm textbox input length and type are validated to prevent SQL injection attacks.
    Confirm cookies and query strings are being validated by the Regex class.
    Confirm the HttpOnly cookie option is applied to defend from an XSS attack.
    Confirm output is encoded with UrlEncode and HtmlEncode.

  3. Parameters Handling
    Security Parameters Alignment
    Confirm query string data is encrypted.
    Confirm form viewstate is encrypted.

  4. Session Data Handling
    Security Parameters Alignment
    Confirm connection strings are encrypted.
    Confirm session cookie data is hashed.

  5. Sensitive Data Protection
    Security Parameters Alignment
    Confirm sensitive data is not stored in web.config file in plain text.
    Confirm sensitive data does not reside in cookies, query strings, and hidden forms fields.
    Confirm server-side state management is used instead of passing data across pages in clear text.

  6. Web services
    Security Parameters Alignment
    Confirm redundant Web service protocols, including HTTP GET and HTTP POST, are disabled.
    Confirm input to Web methods is validated for length, type, range, and format.
    Confirm the Web service runs under a least-privileged process account.
    Confirm SOAP messages are passed only in encrypted form over communication channels.

  7. Exception Handling Management
    Security Parameters Alignment
    Confirm every exception that occurs is logged on the server.
    Confirm structured exception handling is applied in each code file.
    Confirm application level exception handling is applied.
    Confirm Page level exception handling is applied.

  8. Web.Config File Administration 
    Security Parameters Alignment
    Confirm enableViewState is disabled, if application doesn't rely on view state.
    Confirm enableViewStateMac is enabled, if application uses view state.
    Confirm the httpMaxLength limit is set to prevent users from uploading large files.
    Confirm the application is forced to use authentication by setting allowOverride to false.
    Confirm customErrors option is enabled.

  9. Privilege Management
    Security Parameters Alignment
    Confirm ASP.NET process account has Read permission to the system root directory (%windir%\System32).
    Confirm impersonated account has Read permission to the GAC (%windir%\assembly).
    Confirm process account has Read and Execute permission to the solution content directory.
    Confirm ASP.NET process account has Read and Execute permission to the Framework directory (%windir%\Microsoft.NET\Framework).
    Confirm process account has Full Control permission to Temporary files (%windir%\Microsoft.NET\Framework\{version}\Temporary ASP.NET Files).

  10. Deployment
    Security Parameters Alignment
    Confirm debug compilation is disabled.
    Confirm trace is disabled.
    Confirm access is denied where the authentication configuration has been removed.
    Confirm Bin directory doesn't have read or write permission.
    Confirm Bin directory doesn't have directory browsing permission.
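The following single-file Web Forms page is an added example written for this post (it is not code from the original article) showing how the item 2 checks fit together: the three validator controls, a server-side Page.IsValid check, Regex validation of a query string and a cookie (which the form validators never see), an HttpOnly/Secure cookie, a parameterised SqlCommand so the textbox value never becomes SQL text, and HtmlEncode/UrlEncode on output. The connection string name "Orders", the "customerId" and "pref" parameter names, the allow-list pattern and the Details.aspx link target are all assumptions made for the example.

```aspx
<%@ Page Language="C#" ValidateRequest="true" EnableEventValidation="true" %>
<%@ Import Namespace="System.Configuration" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.SqlClient" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<script runat="server">
    // Constructed example page, not from the original post.
    // Allow-list pattern for a customer ID (assumed format: 1-12 letters or digits).
    private static readonly Regex CustomerIdPattern =
        new Regex(@"^[A-Za-z0-9]{1,12}$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        // Query strings and cookies bypass the form validators, so check them with Regex.
        string customerId = Request.QueryString["customerId"];
        if (customerId != null && !CustomerIdPattern.IsMatch(customerId))
        {
            Response.StatusCode = 400;   // reject rather than try to "clean" the value
            Response.End();
        }

        HttpCookie pref = Request.Cookies["pref"];
        if (pref != null && !CustomerIdPattern.IsMatch(pref.Value))
        {
            Response.StatusCode = 400;
            Response.End();
        }

        // Issue a cookie that script cannot read (HttpOnly) and that only travels over HTTPS (Secure).
        if (!IsPostBack)
        {
            HttpCookie token = new HttpCookie("token", Guid.NewGuid().ToString("N"));
            token.HttpOnly = true;
            token.Secure = true;
            Response.Cookies.Add(token);
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Validators run in the browser first, but only Page.IsValid proves they passed on the server.
        if (!Page.IsValid) return;

        string cs = ConfigurationManager.ConnectionStrings["Orders"].ConnectionString; // assumed name
        const string sql = "SELECT COUNT(*) FROM Orders WHERE CustomerId = @id AND Qty >= @qty";
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Typed, length-limited parameters: user text is data, never part of the SQL statement.
            cmd.Parameters.Add("@id", SqlDbType.VarChar, 12).Value = CustomerIdBox.Text;
            cmd.Parameters.Add("@qty", SqlDbType.Int).Value = int.Parse(QtyBox.Text);
            conn.Open();
            int count = (int)cmd.ExecuteScalar();

            // Encode before writing user-controlled text into HTML and into a URL.
            ResultLabel.Text = "Orders for " + HttpUtility.HtmlEncode(CustomerIdBox.Text) + ": " + count;
            DetailLink.NavigateUrl = "Details.aspx?customerId=" + HttpUtility.UrlEncode(CustomerIdBox.Text);
        }
    }
</script>
<html>
<body>
<form id="form1" runat="server">
    <!-- MaxLength limits what the browser sends; the validators enforce presence, format and range. -->
    <asp:TextBox ID="CustomerIdBox" runat="server" MaxLength="12" />
    <asp:RequiredFieldValidator runat="server" ControlToValidate="CustomerIdBox"
        ErrorMessage="Customer ID is required" Display="Dynamic" />
    <asp:RegularExpressionValidator runat="server" ControlToValidate="CustomerIdBox"
        ValidationExpression="^[A-Za-z0-9]{1,12}$" ErrorMessage="Letters and digits only" Display="Dynamic" />

    <asp:TextBox ID="QtyBox" runat="server" MaxLength="4" />
    <!-- RangeValidator passes an empty field, so pair it with a RequiredFieldValidator. -->
    <asp:RequiredFieldValidator runat="server" ControlToValidate="QtyBox"
        ErrorMessage="Quantity is required" Display="Dynamic" />
    <asp:RangeValidator runat="server" ControlToValidate="QtyBox" Type="Integer"
        MinimumValue="1" MaximumValue="1000" ErrorMessage="Quantity must be 1-1000" Display="Dynamic" />

    <asp:Button ID="Submit" runat="server" Text="Search" OnClick="Submit_Click" />
    <asp:Label ID="ResultLabel" runat="server" />
    <asp:HyperLink ID="DetailLink" runat="server" Text="Details" />
</form>
</body>
</html>
```

Two points worth noting from the example: a RangeValidator accepts an empty value, so the RequiredFieldValidator next to it is what makes the field mandatory, and none of the validators run against query strings or cookies, which is why those are checked separately with the Regex class in Page_Load.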
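The web.config fragment below is an added example (not from the original post) that maps checklist items 2, 3, 4, 5, 7, 8 and 10 onto the settings that enforce them: HttpOnly cookies, encrypted and MAC-protected view state, cookie-only session IDs, an encrypted connectionStrings section, customErrors, debug and trace disabled, and a location block with allowOverride="false" so a sub-folder web.config cannot relax authentication. The request-size cap is set with maxRequestLength on httpRuntime, which is the attribute that enforces the upload limit the checklist refers to. The connection string name "Orders", the Login.aspx and Error.aspx pages, and the "/MyApp" application path are assumptions made for the example.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Constructed hardening example for the checklist above; not the original post's configuration. -->
<configuration>
  <!-- Item 5: never leave credentials in plain text. After deployment, encrypt this section in place with
       aspnet_regiis -pe "connectionStrings" -app "/MyApp"   ("/MyApp" is a placeholder application path). -->
  <connectionStrings>
    <add name="Orders"
         connectionString="PLACEHOLDER_ENCRYPT_WITH_ASPNET_REGIIS"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <!-- Item 8: allowOverride="false" locks these settings so a web.config deeper in the tree cannot relax them. -->
  <location path="." allowOverride="false">
    <system.web>
      <!-- Items 1 and 4: forms authentication with an encrypted and signed (protection="All") ticket cookie. -->
      <authentication mode="Forms">
        <forms loginUrl="~/Login.aspx" requireSSL="true" cookieless="UseCookies"
               protection="All" timeout="20" slidingExpiration="false" />
      </authentication>
      <!-- Item 10: anonymous users ("?") are denied everywhere unless a location block opens a page up. -->
      <authorization>
        <deny users="?" />
      </authorization>
    </system.web>
  </location>

  <system.web>
    <!-- Item 10: no debug build and no trace output on a production server. -->
    <compilation debug="false" />
    <trace enabled="false" localOnly="true" />

    <!-- Items 7 and 8: remote clients get a generic page; exception details stay in the server log. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />

    <!-- Items 3 and 8: view state carries a MAC and is encrypted; disable it per page where it is not used. -->
    <pages enableViewState="true" enableViewStateMac="true"
           viewStateEncryptionMode="Always" validateRequest="true" />

    <!-- Item 2: every cookie the application issues is HttpOnly and sent only over HTTPS. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />

    <!-- Item 8: cap the request size (in KB) so a large upload cannot tie up the worker process. -->
    <httpRuntime maxRequestLength="4096" enableVersionHeader="false" />

    <!-- Item 4: the session ID lives only in a cookie, never in the URL where it would be logged and shared. -->
    <sessionState mode="InProc" cookieless="UseCookies" timeout="20" />
  </system.web>
</configuration>
```

Item 6 (web service protocols) and item 9 (file system permissions) are not web.config settings: the former is configured under the webServices protocols element and the latter on the directories themselves, so they are left out of this fragment.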
