So I’m googling this question and can’t really find any clear examples, since almost all related stories are about websites with user log-ins etc.
So my scenario is as follows: ASP.NET MVC3 website, no user login, nothing.
I do have some forms on there though, contact and some calculation features.
I use NHibernate, and have my SMTP server credentials in the code itself, not in the web.config. I also have a custom error page, and post methods have the [HttpPost] attribute.
As a final feature I have an AJAX/JSON get method that gets a list of titles (this controller method has the [AcceptVerbs(HttpVerbs.Get)] attribute).
Am I missing some big security holes here (SQL injection, cross-site scripting)?
Thanks guys
You’d still be vulnerable to DDoS and DoS attacks, and if you don’t use HTTPS then you’ll be vulnerable to MitM attacks.
Though NHibernate and ASP.NET MVC3 should cover most of your tracks for you. I would be very surprised if they didn’t have proper form validation client- and server-side and that the db inputs aren’t sanitised.
How do you manage your data? Do you have a login just for admin?
If so, make sure you protect it, and for added measure, don’t put it on /login/ or /admin/!
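As an added example (not code from the question or the answer above), here is how the pieces of the scenario look in an ASP.NET MVC3 controller hardened along the lines the answer suggests: server-side validation of the contact form, HTTPS enforced, SMTP credentials read from web.config instead of the code, and the JSON GET limited to public data. The ContactForm model, HomeController, the addresses and the mailSettings values are assumptions for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Net.Mail;
using System.Web.Mvc;

// Assumed view model for the contact form. The attributes give server-side
// validation that runs whether or not any client-side check ran.
public class ContactForm
{
    [Required, StringLength(100)]
    public string Name { get; set; }

    [Required, StringLength(2000)]
    public string Message { get; set; }
}

[RequireHttps] // every action is served only over TLS, so submitted data is not sent in the clear
public class HomeController : Controller
{
    [HttpPost]
    [ValidateInput(true)] // on by default; shown to make the request-validation guard against markup in fields visible
    public ActionResult Contact(ContactForm form)
    {
        if (!ModelState.IsValid)
            return View(form); // re-render with validation messages; nothing is sent

        // With no constructor arguments SmtpClient reads host, port and credentials
        // from <system.net><mailSettings> in web.config, so none of them live in source:
        //   <system.net><mailSettings>
        //     <smtp from="noreply@example.invalid">
        //       <network host="smtp.example.invalid" port="587" enableSsl="true"
        //                userName="PLACEHOLDER_USER" password="PLACEHOLDER_PASSWORD" />
        //     </smtp>
        //   </mailSettings></system.net>
        using (var client = new SmtpClient())
        {
            client.Send("noreply@example.invalid", "owner@example.invalid",
                        "Contact form from " + form.Name, form.Message);
        }
        return RedirectToAction("ContactSent");
    }

    [AcceptVerbs(HttpVerbs.Get)]
    public JsonResult Titles()
    {
        var titles = new[] { "Title one", "Title two" }; // constructed sample data

        // MVC3 refuses to serialise JSON for a GET unless AllowGet is stated explicitly,
        // which stops sensitive data from being fetched cross-site by a <script> tag.
        // A public list of titles is fine to expose this way; keep anything private off GET.
        return Json(titles, JsonRequestBehavior.AllowGet);
    }
}
```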