ASP.net - Avoid getting hacked

bigbadcon

Hi guys,

Im going to put up my first ASP.net site soon and im wondering if you can point me in the right direction to avoid getting hacked.

I realise that SQL Injection is always an issue so I am going to ensure that any user input is rejected if it has sql keywords in it.

What other areas should I look in?

Im using a SQL Server database by the way and my hosting is with Black Knight.

Thanks in advance

DublinWriter

A general rule would be to implement a business logic layer to get around using explicit SQL statements in your asp.net code.

bigbadcon

Im using stored procedures and code behind files if thats what you mean??

Nothing is embedded in the page...

John_Mc

The best way of avoiding SQL Injection is by treating everything as suspicious! I wrote a relatively simple method which scrubs a given piece of text of invalid characters and I pass everything taken from a form/querystring/input through it.

bigbadcon

Im gonna write something similar myself. Im not using query strings myself so its just form data I need to worry about.

Ive read that you should encrypt passwords in your db too.Is there any point though cause If a hacker got that far id be up sh*t creek already.

Also how do you send someone their password when they forget it if you've hashed it???

John_Mc

bigbadcon wrote: »

Im gonna write something similar myself. Im not using query strings myself so its just form data I need to worry about.

Ive read that you should encrypt passwords in your db too.Is there any point though cause If a hacker got that far id be up sh*t creek already.

Also how do you send someone their password when they forget it if you've hashed it???

You cant retrieve a hashed password, so you can only offer a password reset.

If you use the .NET Membership provider it'll handle all that for you. Encrypted/Hashed passwords in the DB and the reset/resend password stuff as well.

FruitLover

bigbadcon wrote: »

Ive read that you should encrypt passwords in your db too.Is there any point though cause If a hacker got that far id be up sh*t creek already.

Yes, of course. People often use the same passwords for several things, so if their password for your site gets exposed, it could also mean their password for email, other sites, etc is also exposed.

lukin

Pardon me for not knowing WTF the op is on about, but how easily can an ASP site get hacked? I am almost finished an ASP.NET site and it has no embedded SQL, it's all stored procedures called from code-behind files.
My db password is in the web.config file but it's not encrypted. Should it be?

ethernet

FruitLover wrote: »

Yes, of course. People often use the same passwords for several things, so if their password for your site gets exposed, it could also mean their password for email, other sites, etc is also exposed.

Very true.

If the OP decides to go with hashing instead of encryption, it would be advisable to salt the hash so that rainbow tables wouldn't be as big an issue in the event of your users' passwords getting into malicious hands.

bigbadcon

lukin wrote: »

Pardon me for not knowing WTF the op is on about, but how easily can an ASP site get hacked? I am almost finished an ASP.NET site and it has no embedded SQL, it's all stored procedures called from code-behind files.
My db password is in the web.config file but it's not encrypted. Should it be?

http://www.4guysfromrolla.com/articles/021506-1.aspx

Ginger

I just gave a presentation on this to our .NET User Group and showed the 10 most common security mistakes in ASP.NET

Presentation is here http://certsandprogs.blogspot.com/2009/06/nnug-stavanger-presentation.html

To avoid SQL Injection, used Parameterised Queries. Watch for XSS too. Turn off Trace in production, as well as debug and use customErrors set to on or remoteOnly.

Ecrypt anything that is sensitive and mind authorisation cookies.

Encrypt your DB string in the web.config (quick and easy with 3 lines of code) (see here http://certsandprogs.blogspot.com/2009/05/encrypting-webconfig-online.html)

bigbadcon

Thanks for that Ginger.

Really helpful post.

MargeS

I have a .NET website for the last couple of years. I did it purely as a project to learn .NET and 'real world' hosting.
While I've never been hacked successfully, sql injection is the most common method used in attempts. They try and inject alot of PHP code.
But then again, my site would not be popular or interesting so it wouldn't attract that much interest.