asp_net_mvc_security_check_list [Stephen's Wiki]

ASP.NET MVC Security Check List

Threat: Cross-Site Scripting

  • Use the AntiXSS NuGet package; or rather don't, since at the time of writing it appears to be very broken and abandoned.
  • Review all views and ensure that content is correctly encoded. As the Razor engine HTML encodes by default, look for:
    • Any use of @Html.Raw() and ensure that there is no possible way a malicious user could inject anything into it.
    • Any Razor expression (@…) emitted inside JavaScript code. Razor's default HTML encoding is the wrong encoding for that context; such output should be encoded with the @Encoder.JavaScriptEncode() method.

Threat: Cross-Site Request Forgery

  • Review all views and ensure that every <form> element contains a @Html.AntiForgeryToken().
  • Review all POST controller actions and ensure that they have the [ValidateAntiForgeryToken] attribute (a standard filter attribute) and the [IsPostedFromThisSite] attribute (a custom filter attribute).
  • Review all GET controller actions and ensure that they are idempotent (i.e. have no side-effects).

Threat: Cookie Theft

  • Ensure that the Web.config file contains <httpCookies domain="" httpOnlyCookies="true" requireSSL="false" /> (httpOnlyCookies="true" is the setting that prevents JavaScript from accessing cookies).

Threat: Over-Posting

  • Review all models and ensure each has a [Bind(Include="Foo, Bar")] attribute listing only the properties a client is allowed to set.

Threat: Open Redirection

  • (MVC 1 & 2) Review all controller action methods and ensure every return Redirect(url); call is preceded by an IsLocalUrl(url) check and that failures are logged.
  • (MVC 3+) Either:
    • (Preferred) Review all controller action methods and ensure every return Redirect(url); call is preceded by an IsLocalUrl(url) check and that failures are logged.
    • (Acceptable) Review all controller action methods and ensure no return Redirect(url); calls exist (they should be replaced by return RedirectToLocal(url);).
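As an added illustration of the MVC 3+ items above (not code from this wiki), a login action that routes every redirect through a RedirectToLocal helper. AccountController, LoginViewModel and the Trace call standing in for the application's logger are assumptions; Url.IsLocalUrl is the real System.Web.Mvc helper available from MVC 3 onwards.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// Hypothetical login controller illustrating the RedirectToLocal pattern.
// The user-controlled returnUrl is never handed to Redirect() until
// Url.IsLocalUrl() has confirmed it is a path on this application.
public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Credential check omitted; only the redirect handling is shown.

        // Open redirect (what the check list tells you to hunt for):
        //   return Redirect(returnUrl);
        return RedirectToLocal(returnUrl);
    }

    // Url.IsLocalUrl accepts relative paths such as "/Orders/5" or
    // "~/Orders/5" and rejects null, absolute URLs ("http://other.example")
    // and protocol-relative URLs ("//other.example").
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);

        // Check list requirement: failures are logged. Trace stands in for
        // whatever logger (for example ELMAH) the application actually uses.
        Trace.TraceWarning("Rejected non-local redirect target from {0}: {1}",
                           Request.UserHostAddress, returnUrl);

        // Safe fallback instead of following the attacker-supplied URL.
        return RedirectToAction("Index", "Home");
    }
}

// Minimal view model so the example compiles (assumed, not from the wiki).
public class LoginViewModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}
```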

Threat: Stack Trace Leakage

  • (Preferred) Use ELMAH and, in the machine.config of the web server (found at %windir%\Microsoft.NET\Framework\<frameworkversion>\Config), switch on 'retail':
    <system.web>
      <deployment retail="true" />
    </system.web>

    This sets customErrors mode to On and disables trace output and debug. It cannot be overridden by the Web.config.

  • (Acceptable) Use ELMAH and in the Web.config set customErrors mode to On:
    <system.web>
      <customErrors defaultRedirect="GenericError.html" mode="On">
        <error statusCode="500" redirect="InternalError.html"/>
      </customErrors>
    </system.web>

General

  • Review all controller classes and ensure that only methods intended to be exposed as action methods are marked public; all others must be protected or private.
asp_net_mvc_security_check_list.txt · Last modified: 2016/12/31 11:05 (external edit)