Saturday, February 04, 2006

A "MUST-DO" List for an ASP.Net programmer

These days I'm working on a job portal, namely NaukriJunction (mainly porting the9yards.com from PERL to .Net; in fact not only porting but adding new functionality too). A few days back I made a 'Login Report', finished it up, and everything was working fine, but somehow every time the page drew itself it showed me a message box saying "System Error." I thought there might be some problem with JavaScript, but the page wasn't using any JavaScript written by me. In the meantime my manager paid me a visit; I showed him that the feature was complete and sheepishly added that a small error was coming up but I'd fix it shortly. That wise man looked at the error, and after looking here and there he said, "have a look at the user input," and then I realized that a user had given his name as "(<)script language="javacript"(>)System Error(<)/script(>)." (The angle brackets were not in parentheses :( I'm using them just to keep my blog free from errors.) Aaaaaaaahhhhhh… well, that's a very simple and very good example of malicious input. On our part we'd done everything right, but in the web world that is nothing but a false sense of security.
That's the beauty of the web: it's open to everyone, an attack can come from anywhere, and such a simple and innocent-looking input can turn a programmer's life into a dog's life. You are wondering why I'm calling it a 'beauty'; well, I think it gives us programmers a tailor-made situation to show our skills :D.
I won't be talking about web application security in general, as a detailed discussion would be out of the scope of this blog. I'll just list some very basic steps an ASP.Net programmer should take in order to make their applications less vulnerable. In fact I'd advise you to add them to your "MUST DO" list.

1. Every ASP.Net page has a property named "ValidateRequest" (it is on by default since ASP.Net 1.1). With it on, ASP.Net checks that no request field (form fields, query string, cookies) contains anything that looks like markup, such as "(<)ABC(>)". If you want to apply it to all pages, set validateRequest="true" on the "pages" element inside "system.web" in web.config. Now, when validation fails, ASP.Net throws an HttpRequestValidationException before your page code runs, so a try/catch in the page won't see it; instead the developer gets the "A potentially dangerous Request.Form value was detected from the client" error page. With the normal customErrors setting (mode="RemoteOnly") your site's user won't see that detailed message, but he will still land on the generic "an error has occurred" page. You don't want to show that 'not-so-beautiful' page, so either handle the exception in Application_Error in Global.asax, or map status code 500 in the customErrors section of web.config to a page telling the user that such input is not allowed. Two caveats: request validation is a coarse pattern-based filter and not a substitute for encoding your output (point 2), and it also rejects legitimate input that happens to contain "(<)" or "(>)", so for a field where that is expected, turn it off for that page only and rely on encoding.
2. Now, for reasons best known to yourself, you don't want to turn "ValidateRequest" on. That is fine too, but now you have to add some extra checks (and honestly you should do this even with validation on, because the filter can be slipped past and it does nothing for data that reached your database by another route). Wherever you show user-entered data, make sure it is HTML-encoded. asp:BoundField renders its data HTML-encoded by default (its HtmlEncode property is true), so a GridView or DetailsView built from bound fields takes care of itself, one less thing for you to think about. But if you show data in, e.g., a Label, you must apply Server.HtmlEncode to it first. The same goes for a Label you define in a template field of a GridView/DetailsView: the template bypasses the BoundField encoding, so apply Server.HtmlEncode on its Text yourself. The older DataGrid's BoundColumn does not encode either, so treat it like a Label.
3. Another thing to care about, which you might have heard of, is "SQL Injection." You take the login information and run, e.g., the following query:
String.Format("SELECT * FROM [USER] AS U WHERE U.LOGIN='{0}' AND U.PASSWORD='{1}'", login, password)
where login = "bee'nish" and password = "*******" (;)).
When the query executes it simply throws a SQL exception, because ' is a special character in SQL: the quote inside the name ends the string literal early and what follows is not valid SQL. That is the harmless case. A user who chooses the value deliberately can do much worse than cause an exception, because whatever comes after his quote is executed as SQL; the value can change what the WHERE clause means and, on a login query like this one, log in as someone else or pull back other users' rows. Now some of you might want to escape the quote by doubling it (''). But you never know what other character or data type will cause a problem (a numeric column has no quotes to escape in the first place), so never go for dirty ways; always go for the right one, even if it requires more code. Always use parameterized values with command objects: a SqlCommand with SqlParameter objects sends the SQL text and the values to the server separately, so a value can never become part of the statement.
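To show points 2 and 3 side by side, here is an added example; it is not code from the original post or from NaukriJunction. It is a small C# console program for .NET 2.0 that assumes the [USER] table and the LOGIN/PASSWORD columns from the query above, never opens a database connection (the SqlCommand objects are only built so their CommandText can be inspected), and uses constructed inputs: the script-tag name, the honest "bee'nish" login, and a hypothetical attacker value "admin'--" that presumes a user called admin exists.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;   // HttpUtility; add a reference to System.Web.dll in a console project

class MustDoDemo
{
    // Constructed sample inputs, not real user data.
    const string ScriptName   = "<script>alert(\"System Error\")</script>";
    const string QuotedLogin  = "bee'nish";
    const string CraftedLogin = "admin'--";   // hypothetical attacker-supplied login

    // Point 2: assigning user text straight to a Label's Text renders it as markup.
    static string RenderRaw(string userInput)
    {
        return userInput;
    }

    // Server.HtmlEncode on a page is HttpUtility.HtmlEncode underneath: '<' '>' '&' '"'
    // become entities, so the browser displays the text instead of executing it.
    static string RenderEncoded(string userInput)
    {
        return HttpUtility.HtmlEncode(userInput);
    }

    // Point 3, the vulnerable pattern from the post: the value is pasted into the SQL text.
    static SqlCommand BuildUnsafeLogin(string login, string password)
    {
        string sql = String.Format(
            "SELECT * FROM [USER] AS U WHERE U.LOGIN='{0}' AND U.PASSWORD='{1}'",
            login, password);
        return new SqlCommand(sql);
    }

    // The fix: the SQL text is a constant; the values travel as typed parameters that
    // SQL Server receives separately from the statement, so they cannot alter it.
    static SqlCommand BuildSafeLogin(string login, string password)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT * FROM [USER] AS U WHERE U.LOGIN=@login AND U.PASSWORD=@password");
        cmd.Parameters.Add("@login", SqlDbType.NVarChar, 50).Value = login;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
        return cmd;
    }

    static void Main()
    {
        Console.WriteLine("raw:     " + RenderRaw(ScriptName));
        Console.WriteLine("encoded: " + RenderEncoded(ScriptName));
        // encoded: &lt;script&gt;alert(&quot;System Error&quot;)&lt;/script&gt;

        // The honest quote: the statement is now malformed and executing it would throw.
        Console.WriteLine(BuildUnsafeLogin(QuotedLogin, "secret").CommandText);
        //   ... WHERE U.LOGIN='bee'nish' AND U.PASSWORD='secret'

        // The crafted quote: "--" starts a T-SQL comment, the password check is commented
        // out, and executing this would return the admin row without any password.
        Console.WriteLine(BuildUnsafeLogin(CraftedLogin, "anything").CommandText);
        //   ... WHERE U.LOGIN='admin'--' AND U.PASSWORD='anything'

        // Parameterized: identical CommandText for every input; the odd characters
        // stay inside the parameter value and never touch the statement.
        SqlCommand safe = BuildSafeLogin(CraftedLogin, "anything");
        Console.WriteLine(safe.CommandText);
        foreach (SqlParameter p in safe.Parameters)
            Console.WriteLine("  " + p.ParameterName + " = " + p.Value);
    }
}
```

Compile it with csc /r:System.Web.dll and run it; nothing touches a database. One caveat on the encoding half: HttpUtility.HtmlEncode in .NET 2.0 does not encode the single quote, so never drop encoded user text into a single-quoted HTML attribute or into a script block; in those places the encoding is not enough.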

Hopefully this will be of some help to you.
I have a lot of other topics in mind, and I remember that I still have to write about the Membership controls, but I think this topic was more important.
Best of luck to you!
Beenz
