A report published by SANS in September 2009 entitled “The Top Cyber Security Risks” found that web application attacks constituted more than 60% of the total attacks observed on the Internet. SQL injection, cross-site scripting (XSS) and file inclusion were the three most popular techniques used in successful attacks. All three are the direct result of lax data validation and insecure code.
There are six validation controls included in the framework, among them RequiredFieldValidator, CompareValidator, RangeValidator, RegularExpressionValidator and CustomValidator.
Parameterised SQL queries are a secure alternative to concatenating chunks of SQL syntax with user input and prevent SQL injection. Placeholders mark where user input belongs in the query, and the input is passed to the database as a typed parameter value rather than as part of the query text, so it is never parsed as SQL syntax. Using parameterised queries also offers some performance benefit, as strings are no longer being concatenated, which can be computationally intensive.
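The contrast described above as an added example (not code from the SANS report or from any ASP.NET sample): the concatenated query beside its parameterised replacement using System.Data.SqlClient. The Users table, its UserName column and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example. Assumes a SQL Server table Users(UserName NVARCHAR(50), ...)
// and a connection string; both are placeholders, not values from the article.
public static class LoginRepository
{
    private const string ConnectionString = "<connection-string-placeholder>";

    // Vulnerable: the user input becomes part of the SQL text. A quote
    // character in the input ends the string literal early and whatever
    // follows is parsed and executed as SQL.
    public static int CountMatchesUnsafe(string userName)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Parameterised: the query text is fixed, and the value travels separately
    // as a typed NVARCHAR(50) parameter, so the database never parses it as SQL.
    // The length check mirrors what a validator control would enforce on the page.
    public static int CountMatches(string userName)
    {
        if (string.IsNullOrEmpty(userName) || userName.Length > 50)
        {
            throw new ArgumentException("UserName must be 1-50 characters.", nameof(userName));
        }

        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @userName";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```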
The Microsoft Anti-XSS Library is an encoding library designed to help developers protect against cross-site scripting attacks. It applies a whitelist approach: a valid or permitted character set is defined, and anything outside that set is encoded.
Request validation is a feature, activated by default in the Framework, that identifies suspicious user input strings and stops the execution of pages by throwing exceptions. However, it will not prevent all possible attacks and should not be relied on by itself.
It is important to have defense in depth, as it is possible that one or more aspects of your information security may be circumvented or broken at any time.…