ASP.net - Avoid getting hacked

  • #1, 11-06-2009 12:23pm


    Hi guys,

    I'm going to put up my first ASP.net site soon and I'm wondering if you can point me in the right direction to avoid getting hacked.

    I realise that SQL Injection is always an issue, so I am going to ensure that any user input is rejected if it has SQL keywords in it.

    What other areas should I look in?

    I'm using a SQL Server database by the way and my hosting is with Black Knight.

    Thanks in advance


Comments

  • DublinWriter


    A general rule would be to implement a business logic layer to get around using explicit SQL statements in your asp.net code.


  • bigbadcon


    I'm using stored procedures and code-behind files, if that's what you mean??

    Nothing is embedded in the page...


  • John_Mc


    The best way of avoiding SQL Injection is by treating everything as suspicious! I wrote a relatively simple method which scrubs a given piece of text of invalid characters and I pass everything taken from a form/querystring/input through it.


  • bigbadcon


    I'm gonna write something similar myself. I'm not using query strings myself, so it's just form data I need to worry about.

    I've read that you should encrypt passwords in your DB too. Is there any point though, because if a hacker got that far I'd be up sh*t creek already.

    Also, how do you send someone their password when they forget it if you've hashed it???


  • John_Mc


    bigbadcon wrote: »
    I'm gonna write something similar myself. I'm not using query strings myself, so it's just form data I need to worry about.

    I've read that you should encrypt passwords in your DB too. Is there any point though, because if a hacker got that far I'd be up sh*t creek already.

    Also, how do you send someone their password when they forget it if you've hashed it???

    You can't retrieve a hashed password, so you can only offer a password reset.

    If you use the .NET Membership provider it'll handle all that for you. Encrypted/Hashed passwords in the DB and the reset/resend password stuff as well.


  • FruitLover


    bigbadcon wrote: »
    I've read that you should encrypt passwords in your DB too. Is there any point though, because if a hacker got that far I'd be up sh*t creek already.

    Yes, of course. People often use the same passwords for several things, so if their password for your site gets exposed, it could also mean their password for email, other sites, etc. is also exposed.


  • lukin


    Pardon me for not knowing WTF the OP is on about, but how easily can an ASP site get hacked? I have almost finished an ASP.NET site and it has no embedded SQL; it's all stored procedures called from code-behind files.
    My DB password is in the web.config file but it's not encrypted. Should it be?


  • ethernet


    FruitLover wrote: »
    Yes, of course. People often use the same passwords for several things, so if their password for your site gets exposed, it could also mean their password for email, other sites, etc. is also exposed.
    Very true.

    If the OP decides to go with hashing instead of encryption, it would be advisable to salt the hash so that rainbow tables wouldn't be as big an issue in the event of your users' passwords getting into malicious hands.


  • bigbadcon


    lukin wrote: »
    Pardon me for not knowing WTF the OP is on about, but how easily can an ASP site get hacked? I have almost finished an ASP.NET site and it has no embedded SQL; it's all stored procedures called from code-behind files.
    My DB password is in the web.config file but it's not encrypted. Should it be?

    http://www.4guysfromrolla.com/articles/021506-1.aspx


  • Ginger


    I just gave a presentation on this to our .NET User Group and showed the 10 most common security mistakes in ASP.NET

    Presentation is here http://certsandprogs.blogspot.com/2009/06/nnug-stavanger-presentation.html

    To avoid SQL Injection, use Parameterised Queries. Watch for XSS too. Turn off Trace in production, as well as debug, and set customErrors to On or RemoteOnly.

    Encrypt anything that is sensitive and mind authorisation cookies.

    Encrypt your DB string in the web.config (quick and easy with 3 lines of code) (see here http://certsandprogs.blogspot.com/2009/05/encrypting-webconfig-online.html)
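
Added example, not code from the thread or from any poster: the keyword-and-character blacklist that bigbadcon and John_Mc describe earlier, placed beside the parameterised query Ginger recommends here, with a stored-procedure variant for the OP's setup. The table dbo.Customers, the procedure dbo.Customers_FindBySurname and the connection string are assumptions made for the illustration; the surnames in Main are constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not code from the thread. Assumes a SQL Server table
// dbo.Customers(Id int, Surname nvarchar(100)), a stored procedure
// dbo.Customers_FindBySurname(@Surname nvarchar(100)) and a connection
// string supplied by the caller; all three are assumptions.
public static class CustomerLookup
{
    // The scrub/blacklist approach from the thread, kept only to show its
    // false positives: "Sandra Andrews" trips the "and" rule and "O'Brien"
    // trips the apostrophe rule, yet both are ordinary, legitimate inputs.
    static readonly Regex SuspiciousInput = new Regex(
        "(select|insert|update|delete|drop|union|and|or|--|;|')",
        RegexOptions.IgnoreCase);

    public static bool RejectedByBlacklist(string input)
    {
        return SuspiciousInput.IsMatch(input);
    }

    // Ginger's recommendation: a parameterised query. The value travels to
    // SQL Server as typed data and is never spliced into the SQL text, so
    // quotes or keywords inside it cannot change what the statement does.
    public static DataTable FindBySurname(string connectionString, string surname)
    {
        const string sql =
            "SELECT Id, Surname FROM dbo.Customers WHERE Surname = @Surname";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Surname", SqlDbType.NVarChar, 100).Value = surname;

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result); // Fill opens and closes the connection itself
            }
            return result;
        }
    }

    // Same idea with a stored procedure (the OP's setup): the value is still
    // passed as a parameter. The procedure itself must treat @Surname as data;
    // if it concatenates it into a string and runs that with EXEC, the
    // protection is gone and you are back to embedded SQL one hop away.
    public static DataTable FindBySurnameProc(string connectionString, string surname)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.Customers_FindBySurname", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Surname", SqlDbType.NVarChar, 100).Value = surname;

            DataTable result = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);
            }
            return result;
        }
    }

    public static void Main()
    {
        // Constructed sample inputs: the first two are rejected by the blacklist, the third passes.
        string[] surnames = { "O'Brien", "Sandra Andrews", "Smith" };
        foreach (string s in surnames)
        {
            Console.WriteLine("{0,-16} blacklist rejects: {1}", s, RejectedByBlacklist(s));
        }
        // With a real connection string, FindBySurname(cs, "O'Brien") returns the
        // matching rows; the apostrophe needs no escaping and no scrubbing.
    }
}
```

The blacklist half needs no database to run and is the part worth trying first: it turns away customers called O'Brien or Andrews while buying nothing that the parameter does not already give you. The point the thread leaves implicit is that stored procedures are only as safe as their bodies; a procedure that builds dynamic SQL by string concatenation from its parameters is vulnerable no matter how the C# side calls it.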

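Added example, not configuration from the thread or from Ginger's slides: a web.config fragment with the production settings Ginger lists (trace off, debug off, customErrors on) next to the connectionStrings section he says to encrypt. The section and attribute names are real ASP.NET configuration; the connection string values are placeholders.

```xml
<!-- Added example (not from the thread). The connectionStrings values are
     placeholders; the system.web settings are the ones recommended above. -->
<configuration>
  <connectionStrings>
    <!-- Encrypt this whole section on the server once the values are in place. -->
    <add name="Main"
         connectionString="Server=DB_HOST_PLACEHOLDER;Database=DB_NAME_PLACEHOLDER;User Id=DB_USER_PLACEHOLDER;Password=DB_PASSWORD_PLACEHOLDER"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- debug="true" ships symbols and disables timeouts; never in production -->
    <compilation debug="false" />
    <!-- trace.axd would otherwise expose request details, session data and server variables -->
    <trace enabled="false" />
    <!-- RemoteOnly: full error page on localhost, generic page for everyone else -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
    <!-- keeps the forms-auth and session cookies away from script and off plain HTTP -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

Ginger's linked post does the encryption from code; the same result comes from the command line with the aspnet_regiis tool that ships with the framework (aspnet_regiis -pe "connectionStrings" -app "/YourApp"), which rewrites the section in place so the application reads it transparently. Error.aspx is an assumed page name; requireSSL on cookies presumes the site is served over HTTPS.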

  • bigbadcon


    Thanks for that Ginger.

    Really helpful post.


  • MargeS


    I have had a .NET website for the last couple of years. I did it purely as a project to learn .NET and 'real world' hosting.
    While I've never been hacked successfully, SQL injection is the most common method used in attempts. They try to inject a lot of PHP code.
    But then again, my site would not be popular or interesting, so it wouldn't attract that much interest. :o

