Handling improper parameter values in ASP.NET


Even if you are tempted to trust the browser and its sandboxed environment (and the client-side validation that runs in it), the reality is that HTTP, the protocol behind the web, is a simple text protocol, so building a tool that sends specially crafted requests is not difficult; a command-line client or a proxy does it out of the box. Every value that arrives with a request is therefore under the attacker's control. By inspecting those values on the server before using them, you can add a good deal of security to your applications with little effort.

Improper values are dangerous because they can alter the application's behavior, generate runtime exceptions, and expose the resulting error details to an attacker. You need a unified approach to validate these values and protect your application, rather than an ad hoc check on each page.

Rule number 1 of security is to use common sense. With that in mind, it's obvious that the first action you should perform is to check for data type consistency. If you know that a parameter can contain only integer values, it's good practice to check that the passed value respects this requirement before you touch it. Most primitive types (such as System.Int32, System.DateTime, and System.Boolean) offer a TryParse static method. This method checks whether the string is convertible to the given type: if it is, the converted value is stored in the out variable and the method returns true; if it is not, the method returns false instead of throwing a FormatException, so you can reject the request cleanly. The following listing shows a simple example of parsing an integer value from the query string.
int id;
// TryParse returns false (and never throws) when "ID" is missing or non-numeric
if (int.TryParse(Request.QueryString["ID"], out id))
{
    // id now holds a real integer and is safe to use
}
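To turn the one-off check above into the unified approach the post calls for, here is an added example (not code from the original post) of a small helper that applies the same TryParse pattern to integer, date and boolean parameters, adds a range check for integers, pins the accepted date format, and answers with a 400 instead of letting a later conversion throw. The class name SafeQuery, the parameter names ID, since and verbose, and the Orders page are illustrative assumptions.

```csharp
// Added example, not from the original post. SafeQuery and the parameter
// names (ID, since, verbose) are illustrative assumptions.
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Web;

public static class SafeQuery
{
    // Parse an integer and enforce a range as well: "-1" and "2147483647"
    // are valid ints but rarely valid identifiers.
    public static bool TryGetInt(NameValueCollection query, string key,
                                 int min, int max, out int value)
    {
        value = 0;
        string raw = query[key];
        if (string.IsNullOrEmpty(raw)) return false;
        // NumberStyles.Integer rejects thousands separators, hex and exponents;
        // InvariantCulture avoids surprises from the server's locale.
        if (!int.TryParse(raw, NumberStyles.Integer, CultureInfo.InvariantCulture, out value))
            return false;
        if (value < min || value > max)
        {
            value = 0;
            return false;
        }
        return true;
    }

    // Accept exactly one date format instead of whatever the current culture parses.
    public static bool TryGetDate(NameValueCollection query, string key, out DateTime value)
    {
        value = DateTime.MinValue;
        string raw = query[key];
        if (string.IsNullOrEmpty(raw)) return false;
        return DateTime.TryParseExact(raw, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out value);
    }

    // bool.TryParse accepts only "true"/"false" (case-insensitive), not "1"/"0".
    public static bool TryGetBool(NameValueCollection query, string key, out bool value)
    {
        value = false;
        string raw = query[key];
        return !string.IsNullOrEmpty(raw) && bool.TryParse(raw, out value);
    }
}

// Usage in a Web Forms page. A bad ID ends the request with 400 Bad Request;
// a bad or missing "since" falls back to a default rather than erroring out.
public partial class Orders : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int id;
        if (!SafeQuery.TryGetInt(Request.QueryString, "ID", 1, int.MaxValue, out id))
        {
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            // CompleteRequest skips the rest of the pipeline without the
            // ThreadAbortException that Response.End() raises.
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        DateTime since;
        if (!SafeQuery.TryGetDate(Request.QueryString, "since", out since))
        {
            since = DateTime.UtcNow.AddDays(-30);
        }

        bool verbose;
        SafeQuery.TryGetBool(Request.QueryString, "verbose", out verbose);

        // ... load the order using the validated id, since and verbose values
    }
}
```

The helpers take a NameValueCollection rather than HttpRequest so they can be unit-tested without an HttpContext. Note that the range check matters as much as the type check: an attacker who cannot crash the page with "abc" will next try 0, -1 or a very large number.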


When the application runs in debug mode, the default ASP.NET error page (the familiar yellow screen) also shows a fragment of the source code around the line that threw, together with the stack trace and the unhandled exception message. Lazy developers frequently leave an application in debug mode even after it is deployed; those developers are simply trusting their luck that no sensitive information leaks out with the default error message.
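The two web.config fragments below are an added illustration (not from the original post) of the weak configuration just described and its hardened counterpart. The file name ~/Error.aspx is an assumption; any static or custom error page will do.

```xml
<!-- Weak: debug build and detailed errors shown to every client -->
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>

<!-- Hardened: release build; remote clients get only the generic page -->
<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx" />
  </system.web>
</configuration>
```

RemoteOnly still shows full details when you browse from the server itself, which is convenient for troubleshooting without exposing anything to the outside. On production servers you can additionally set <deployment retail="true" /> in machine.config, which forces debug off and customErrors on for every application on the machine regardless of what an individual web.config says.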
