Last post Nov 08, 2012 02:27 PM by GMann
Nov 08, 2012 01:36 PM|GMann|LINK
I have been tasked with coming up with a quick way of retrofitting an asp 2.0 site to prevent SQL injection attacks.
The site just underwent a local pen test which discovered a few "severe" errors related to viewstate and several web server controls, i.e. buttons, check boxes.
I think a large part of the solution is encoding / decoding the values in the controls, and I know that I have done this in a code-behind event before (HtmlEncode, etc.).
Am I correct?
And my other inclination is to update the site to VS 2010 / asp framework 4 - 4.5 because of the built-in security of the web controls.
Would updating be faster?
I wish I had time to do it right and update to asp.net MVP, but I don't.
Thanks for your opinion!
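The retrofit the question describes, as an added example that is not code from the thread or from GMann's site: one data-access call in a Web Forms code-behind, with the string-concatenated query a pen test would flag beside its parameterized replacement. It assumes a connection string named "AppDb" in web.config, a table dbo.Users(UserName nvarchar(50), Email nvarchar(256)) and controls named UserNameBox, SearchButton and ResultsGrid; all of these names are hypothetical. It is written in C# 2.0 / .NET 2.0 syntax so it compiles in a 2007-era project.

```csharp
// Added example, not code from the thread. Assumed names: "AppDb" connection
// string, dbo.Users table, UserNameBox / SearchButton / ResultsGrid controls.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class UserLookup : Page
{
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // BEFORE: the TextBox value is spliced into the SQL text, so the database
    // parses whatever the user typed as part of the statement. Kept here only
    // so the pattern to search for in the code base is recognisable.
    private static DataTable FindUserConcatenated(string userName)
    {
        string sql = "SELECT UserName, Email FROM dbo.Users WHERE UserName = '" + userName + "'";
        return RunQuery(new SqlCommand(sql));
    }

    // AFTER: the SQL text is a constant and the value travels as a typed
    // parameter. A quote in the input is just a character in the value, and
    // the declared length stops oversized input before it reaches the server.
    private static DataTable FindUserParameterized(string userName)
    {
        const string sql = "SELECT UserName, Email FROM dbo.Users WHERE UserName = @UserName";
        SqlCommand cmd = new SqlCommand(sql);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return RunQuery(cmd);
    }

    private static DataTable RunQuery(SqlCommand cmd)
    {
        using (cmd)
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        {
            cmd.Connection = conn;
            DataTable table = new DataTable();
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                // Fill opens the connection if it is closed and closes it afterwards.
                adapter.Fill(table);
            }
            return table;
        }
    }

    protected void SearchButton_Click(object sender, EventArgs e)
    {
        // Cheap input validation on top of parameterization: it also limits
        // the damage from pages that have not been converted yet.
        string userName = UserNameBox.Text.Trim();
        if (userName.Length == 0 || userName.Length > 50)
        {
            return;
        }
        ResultsGrid.DataSource = FindUserParameterized(userName);
        ResultsGrid.DataBind();
    }
}
```

The same rule applies to stored procedures (CommandType.StoredProcedure with SqlParameter objects) and to any SqlDataSource in the markup: a SelectCommand that builds its text from a control value belongs to the "before" column, one that uses SelectParameters belongs to the "after" column. Searching the code base for `" + ` inside strings that start with SELECT, INSERT, UPDATE or DELETE is a quick way to find the remaining occurrences.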
Nov 08, 2012 01:58 PM|BrockAllen|LINK
The biggest problems are probably XSS attacks, so you need to HtmlEncode all untrusted values. Unfortunately you will have to check this control-by-control because some controls in ASP.NET automatically HtmlEncode their properties before rendering, but others
Security is something that should be designed into the app and there's no "quick fix".
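The control-by-control check described above, as an added example that is not code from the thread: the same untrusted string routed through controls that encode their Text property themselves and controls that do not. It assumes controls named NameLabel (Label), NameLink (HyperLink) and NameBox (TextBox) and a query-string key "displayName"; all of these are hypothetical, and the syntax is C# 2.0 / .NET 2.0.

```csharp
// Added example, not code from the thread. Assumed names: NameLabel, NameLink,
// NameBox controls and a "displayName" query-string key.
using System;
using System.Web;
using System.Web.UI;

public partial class Profile : Page
{
    // One place that decides how a body-text value is encoded, so the rule can
    // be reviewed once and searched for across the site.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // A value that goes into a query string needs URL encoding, not HTML encoding.
    public static string ForQueryString(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted ?? string.Empty);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Untrusted: anything from the request, and anything read back from
        // the database that some other user originally typed.
        string displayName = Request.QueryString["displayName"];

        // Label.Text and HyperLink.Text are written into the HTML body as-is
        // in ASP.NET 2.0, so the page must encode before assigning.
        NameLabel.Text = ForHtmlBody(displayName);
        NameLink.Text = ForHtmlBody(displayName);

        // NavigateUrl is emitted as an href attribute and the HtmlTextWriter
        // attribute-encodes it, but the query-string value inside the URL must
        // still be URL-encoded by the page.
        NameLink.NavigateUrl = "~/Profile.aspx?displayName=" + ForQueryString(displayName);

        // TextBox encodes its Text property when it renders. Encoding it here
        // as well would show "&lt;" to the user: that visible double encode is
        // the quickest way to tell which kind of control you are dealing with.
        NameBox.Text = displayName ?? string.Empty;
    }
}
```

In markup the same split exists: a GridView BoundField encodes by default (its HtmlEncode property), whereas a TemplateField's `<%# Eval("UserName") %>` writes the raw value and needs `Server.HtmlEncode(...)` around it. If the upgrade to framework 4 that the question mentions goes ahead, the `<%: expression %>` syntax HTML-encodes inline expressions, 4.5 adds `<%#: ... %>` for data-binding expressions, and the `encoderType` attribute on `<httpRuntime>` lets the site switch HtmlEncode to the AntiXSS encoder; none of that changes which controls encode their own properties, so the control-by-control audit is still needed.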
Nov 08, 2012 02:27 PM|GMann|LINK
This application was created in 2007 and has not had security maintenance done in a while.
The security fixes have to be done quickly as this site is out of service while this gets "fixed".