Lesson 4: Minimizing Cross-Site Scripting
Exercise
Answer the following question to show that you can implement best practices for validating potentially malicious request parameters and echoing them back to the user's browser.
1. How would you recommend creating a form that meets everyone's requirements
Lesson Summary
Sanitize user comments that are displayed to other users by removing all HTML encoding. When necessary, you can allow a limited number of very specific HTML codes. Always sanitize request parameters by removing HTML codes. ASP.NET 1.1 provides this functionality automatically.
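The following C# class is an added example, not code from the training kit, that applies both rules of the summary at once: the whole comment is HTML-encoded so that nothing the user typed reaches the browser as markup, and afterwards only a short allow-list of harmless formatting tags is decoded again. The tag list and the sample comments are assumptions chosen for the example; WebUtility.HtmlEncode from System.Net is used so the program runs from a console without a System.Web reference, and HttpUtility.HtmlEncode behaves the same way inside a Web form.

```csharp
// Added example (not from the training kit): encode everything, then re-enable
// only an explicit allow-list of tags. Assumed tag list and sample inputs.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class CommentSanitizer
{
    // Tags allowed to survive encoding. Everything else, including <script>,
    // <img>, and any tag carrying attributes, stays encoded and is rendered by
    // the browser as literal text rather than markup.
    private static readonly string[] AllowedTags = { "b", "i", "u", "br" };

    public static string Sanitize(string comment)
    {
        if (comment == null)
        {
            return string.Empty;
        }

        // Step 1: encode the complete comment. '<' becomes &lt;, '>' becomes
        // &gt;, '"' becomes &quot; and '&' becomes &amp;.
        string encoded = WebUtility.HtmlEncode(comment);

        // Step 2: decode only the exact encoded form of an allowed tag, with or
        // without the closing slash. Because the pattern requires "&gt;" right
        // after the tag name, "<b onmouseover=...>" never matches and remains
        // harmless encoded text.
        foreach (string tag in AllowedTags)
        {
            encoded = Regex.Replace(
                encoded,
                "&lt;(/?)" + tag + "&gt;",
                "<${1}" + tag + ">",
                RegexOptions.IgnoreCase);
        }

        return encoded;
    }

    public static void Main()
    {
        // Constructed sample comments: one legitimate, two that must be neutralised.
        string[] samples =
        {
            "I <b>really</b> like this product!",
            "<script>alert(1)</script>",
            "<b onmouseover=\"alert(1)\">hover me</b>"
        };

        foreach (string sample in samples)
        {
            Console.WriteLine(Sanitize(sample));
        }
    }
}
```

The order matters: encoding first and decoding an allow-list second means the default for any unexpected input is "treated as text", and a tag is only ever re-enabled in a shape the code explicitly wrote out. Decoding first and then trying to strip dangerous tags inverts that default and is the pattern that usually fails.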
Using Secure Coding Best Practices
Lesson 5: Reporting Errors and Handling Failures
If you follow the guidance in this book, your application will generate errors when attacked. Generating an error is certainly much better than being exploited by an attacker, but the process of reporting errors can also become a vulnerability. To maintain security after an unexpected exception or other failure occurs, you must reduce the user's privileges (if necessary), record information about the error in a private location, and provide as little information to the end user as possible.
After this lesson, you will be able to
- Describe the importance of ambiguous error messages and why you should allow only administrators to view detailed error messages.
- Write code that stores error message information in the event log.
- Write code that shows detailed error messages to privileged users.
- Reduce vulnerabilities to denial-of-service attacks by closing database connections when an unhandled exception occurs.
- Write code that defaults to a more secure mode.
Estimated lesson time: 25 minutes
Why You Should Allow Only Administrators to View Detailed Error Messages
Any details about the inner workings of your application that an attacker gains access to can potentially be used to identify a vulnerability. For this reason, attackers commonly use port scanning and system profiling to gain information about a target computer. Often, one of the most detailed sources of information for attackers is error messages.

Everyone has been frustrated by ambiguous error messages at some point. For example, consider this error message found in the author's application event log: "Faulting application , version , faulting module , version 0.0.0.0, fault address 0x00000000." This message doesn't provide any information that would be useful for troubleshooting the problem. To avoid this frustration and to facilitate troubleshooting, good developers provide very detailed error messages. Although this is a very user-friendly practice, it can also weaken the security of your application. You should not provide detailed error messages to end users, but you should allow administrators and developers to view error messages.

ASP.NET provides an excellent example of how to handle reporting errors. Figure 2-12 shows a detailed error message about an unhandled exception in an ASP.NET application. As you can see, this message includes highly confidential source code, the full physical path to the file, and a stack trace: all information an attacker could abuse.
Figure 2-12 Details of an ASP.NET error
ASP.NET limits the risk of providing detailed error messages by displaying them only to users logged on to the local computer. Generally, attackers won't be visiting a Web page from the console of the Web server, and as a result will not be able to view the detailed error message. However, developers and administrators still have the option of connecting to the server's console to reproduce the error. Figure 2-13 shows the error message that ASP.NET returns to users requesting the same page across the network.
Figure 2-13 Ambiguous error message sent to end users connecting across a network
How to Store Error Messages in the Event Log
Obviously, unhandled exceptions are not a concern because the .NET Framework will not reveal detailed information to end users. However, your application should catch the majority of exceptions, making you responsible for handling error reporting for those exceptions that really do indicate error conditions. Fortunately, recording detailed error messages without giving away your secrets to an attacker is easy.

First, if your application is not running as an administrator, you must register an event source on the application server. To manually add the event source:
1. Log on as an administrator to the application server.
2. Launch the Registry Editor by clicking Start, clicking Run, typing regedit, and then clicking OK.
3. Locate the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
4. Right-click the Application subkey, click New, and then click Key.
5. Type the name of your event source for the key name (for example, My Application).
6. Close the Registry Editor.
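The following C# class is an added example, not code from the training kit, that puts the lesson's rules for the earlier "Why You Should Allow Only Administrators" discussion and for this event-log section into one place: the full exception text (type, message, stack trace, inner exceptions) is written to the Application event log, which is the private location, and the text handed back for the browser depends on whether the caller has established that the user is an administrator. The event source name "My Application" (matching the manual registration above), the reference number, the sample exception, and the caller's way of deciding who is an administrator (in ASP.NET typically User.IsInRole) are assumptions for the example; the code targets the Windows .NET Framework, where EventLog lives in System.Diagnostics.

```csharp
// Added example (not from the training kit): log full details privately, show
// the user only what their privilege justifies. Event source name, reference
// number and sample exception are assumptions.
using System;
using System.Diagnostics;

public static class ErrorReporter
{
    // Must already exist under
    // HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application when the
    // application does not run as an administrator (see the manual steps above).
    private const string EventSource = "My Application";
    private const string LogName = "Application";

    // Writes the complete exception to the event log. Returns false instead of
    // throwing when the source is missing and cannot be created, so that a
    // logging failure never turns into a second unhandled exception that
    // leaks details to the end user.
    public static bool RecordPrivately(Exception ex, int referenceNumber)
    {
        try
        {
            // SourceExists and CreateEventSource both need administrative
            // rights on most Windows versions; that is why the lesson
            // registers the source by hand for non-administrative processes.
            if (!EventLog.SourceExists(EventSource))
            {
                EventLog.CreateEventSource(EventSource, LogName);
            }

            EventLog.WriteEntry(EventSource, ex.ToString(),
                EventLogEntryType.Error, referenceNumber);
            return true;
        }
        catch (Exception)
        {
            // e.g. SecurityException: no rights to read or create sources.
            return false;
        }
    }

    // Administrators receive the same detail that was logged. Everyone else
    // receives a fixed, ambiguous message plus a reference number they can
    // quote to support, which lets an administrator find the logged entry
    // without any detail travelling across the network.
    public static string MessageForUser(Exception ex, int referenceNumber,
        bool userIsAdministrator)
    {
        if (userIsAdministrator)
        {
            return ex.ToString();
        }

        return "An error occurred while processing your request. Reference: "
            + referenceNumber;
    }

    public static void Main()
    {
        // Constructed sample failure and reference number (event IDs are 0-65535).
        Exception sample = new InvalidOperationException("Connection string not found");
        int referenceNumber = 1001;

        bool logged = RecordPrivately(sample, referenceNumber);
        Console.WriteLine("Recorded in event log: " + logged);
        Console.WriteLine(MessageForUser(sample, referenceNumber, false));
        Console.WriteLine(MessageForUser(sample, referenceNumber, true));
    }
}
```

Two design points follow the lesson text: the detailed string is produced once, by ex.ToString(), and goes to the log before anything is decided about the user, so an administrator's view and the log entry are the same record; and the non-administrator message is a constant with a number appended rather than anything derived from the exception, so no file path, connection string or stack frame can slip into it by accident.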