Last post Nov 21, 2011 06:31 PM by lbriner
Nov 05, 2011 02:08 AM | initial_a
Sir, can someone explain this to me? My web is ASP.NET 3.5. I tried to learn ASP self-taught, without lectures or anything. Today I made an ASP web and am working in an IT company where they told me to make the company web. Finally the web is finished, and when hosted on a
1. default page,
2. dynamic asp css,
3. view page...
How can someone insert a malicious script? What's wrong with my ASP security? I'm a little blank about ASP security (my background is PHP dev).
Nov 05, 2011 08:56 AM | Topspy
Probably a file permission issue on your website folder; you should remove the write access if it's not necessary.
Nov 05, 2011 08:57 AM | ignatandrei
Talk with your hosting. If they put it in the CSS, it is their fault.
Nov 06, 2011 03:25 AM | initial_a
Thank you, sir.
I just tried:
1. Change my ASP page header EnableEventValidation -> true and ValidateRequest -> true.
2. re-check file permission..
3. Change my hosting account password or FTP.
Nov 06, 2011 07:19 AM | ignatandrei
Delete the whole site and re-deploy.
Nov 17, 2011 09:08 AM | deepakaitr
This is generally known as a cross-site scripting attack.
This can be removed by using the AntiXSS library or SRE (Security Runtime Engine) in .NET.
Using this, no JavaScript injection is possible; it will directly expire your web session.
Nov 21, 2011 06:31 PM | lbriner
Well, although I applaud the fact that you have taught yourself, when it comes to security you really need to take some formal training. There are in fact many ways to attack a web site, some by obtaining login credentials, sometimes just by weaknesses in the application itself. However good you are, you will never spot all of these weaknesses yourself, which is why proper training is so important. If you want to spend some time reading up on it then look at owasp.org, who have many articles and checklists about securing your site.
The easiest way to keep it secure is to check all user input at the server (even if you also check on the client) and make sure that it is therefore very hard to inject anything like SQL or scripts. Remove any unused methods in the code behind, and DO NOT use a system admin type login between the web application and the database.
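As an added illustration of the server-side checks described in the last reply (example code written for this thread, not posted by anyone in it): an ASP.NET 3.5 "view page" code-behind that validates the query-string id on the server, reads the record with a parameterized SqlCommand rather than string concatenation, and HTML-encodes the stored text before writing it into the page. The connection-string name `ReadOnlyDb`, the `Articles` table and the `ArticleTitle`/`ArticleBody` Literal controls are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web.UI;

// Hypothetical View.aspx code-behind; table, column and control names are assumed.
public partial class View : Page
{
    // Only a short numeric id is accepted. The check runs on the server, so it holds
    // no matter what client-side script did or did not validate.
    private static readonly Regex IdPattern = new Regex(@"^\d{1,9}$");

    protected void Page_Load(object sender, EventArgs e)
    {
        string rawId = Request.QueryString["id"];
        int id;
        if (rawId == null || !IdPattern.IsMatch(rawId) || !int.TryParse(rawId, out id))
        {
            Response.StatusCode = 400;   // reject bad input without echoing it back
            Response.End();
            return;
        }

        // "ReadOnlyDb" is assumed to use a SQL login limited to SELECT on this table,
        // not sysadmin/dbo, so a flaw in the page cannot be used to change data.
        string cs = ConfigurationManager.ConnectionStrings["ReadOnlyDb"].ConnectionString;
        string title = null, body = null;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Title, Body FROM Articles WHERE ArticleId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;  // typed parameter, never concatenation
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (r.Read()) { title = r.GetString(0); body = r.GetString(1); }
            }
        }
        if (title == null) { Response.StatusCode = 404; Response.End(); return; }

        // Encode on output so stored "<script>" text is displayed as text, not executed.
        ArticleTitle.Text = Server.HtmlEncode(title);
        ArticleBody.Text = Server.HtmlEncode(body);
    }
}
```

Server.HtmlEncode ships with ASP.NET 3.5; the AntiXSS library mentioned earlier in the thread can be substituted for the encoding calls if stricter allow-list encoding is wanted.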