I have recently started a personal project that uses ASP.NET MVC (RC1 at the time of writing). My background is traditional ASP.NET WebForms development.
My knowledge of ASP.NET MVC is limited, so I would like your input on how to best approach authentication, input validation and protection against common attacks (XSS, XSRF, etc.).
I’ll start by listing a few articles Stephen Walther posted on his blog:
- Tip #7 – Prevent JavaScript Injection Attacks with Html.Encode
- Tip #10 – Prevent URL Manipulation Attacks
- Tip #46 – Don’t use Delete Links because they create Security Holes
Validation:
Thanks,
Arnie
Off the top of my head (and nowhere near complete)…
Use the AntiForgeryToken on all forms to protect against XSRF. Use unit tests to make sure that all controller actions that accept POSTs are decorated with the ValidateAntiForgeryToken attribute.
Make use of HtmlHelper extensions wherever possible to take advantage of automatic HTML encoding.
Use an ORM with parameterized queries for all DB access — not unique to MVC, but still relevant.
Be restrictive in the HTTP verbs that you accept, to the minimum required. Use DELETE (via AJAX) or POST for delete actions.
Use the AuthorizeAttribute, or an attribute derived from it, to protect non-public actions.
Don’t expose user IDs/passwords in URLs which might be cached (i.e., login via form POST rather than GET URL). As always, use SSL for passing sensitive data.
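As an added example (not code from the question or the answer above), here is a reflection-based NUnit test of the convention the answer recommends: every controller action reachable by POST must carry [ValidateAntiForgeryToken]. It assumes MVC 1.0-era attribute names (AcceptVerbs rather than HttpPost), NUnit, and a constructed ProductController to exercise the test.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;
using NUnit.Framework;

// Constructed controller for this example: Index is GET-only, Delete is a
// POST that requires login and an anti-forgery token. The matching view
// emits the token inside the form with <%= Html.AntiForgeryToken() %>.
public class ProductController : Controller
{
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult Index() { return View(); }

    [Authorize]
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        // Delete via an ORM / parameterized query here (omitted).
        return RedirectToAction("Index");
    }
}

[TestFixture]
public class AntiForgeryConventionTests
{
    [Test]
    public void EveryPostActionValidatesAntiForgeryToken()
    {
        var controllerTypes = typeof(ProductController).Assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);

        var offenders = (from t in controllerTypes
                         from m in t.GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                         where typeof(ActionResult).IsAssignableFrom(m.ReturnType)
                         where !m.IsDefined(typeof(NonActionAttribute), true)
                         where AcceptsPost(m)
                         where !m.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true)
                         select t.Name + "." + m.Name).ToArray();

        Assert.AreEqual(0, offenders.Length,
            "POST actions missing [ValidateAntiForgeryToken]: " + string.Join(", ", offenders));
    }

    // An action with no [AcceptVerbs] answers every verb, so it counts as POST-reachable
    // until the author restricts it (the answer's point about minimal verbs).
    private static bool AcceptsPost(MethodInfo m)
    {
        var verbs = m.GetCustomAttributes(typeof(AcceptVerbsAttribute), true).Cast<AcceptVerbsAttribute>().ToList();
        return verbs.Count == 0 || verbs.Any(a => a.Verbs.Contains("POST", StringComparer.OrdinalIgnoreCase));
    }
}
```

Removing [ValidateAntiForgeryToken] from Delete, or adding a new action without any verb restriction, makes the test fail and name the offending action.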