11.07.2015

Improving Web Application Security: Threats and - CGISecurity

Chapter 10: Building Secure ASP.NET Pages and Controls (page 277)

Use the Security Attribute

Internet Explorer 6 and later supports a new security attribute on the frame and iframe elements. You can use the security attribute to apply the user's Restricted Sites Internet Explorer security zone settings to an individual frame or iframe. By default, the Restricted Sites zone doesn't support script execution. If you use the security attribute, it must currently be set to "restricted" as shown below:

Use the innerText Property

If you create a page with untrusted input, use the innerText property instead of innerHTML. The innerText property renders content safe and ensures that script is not executed.

Authentication

Weak authentication increases the identity spoofing threat. If a user's logon credentials fall into the wrong hands, an attacker can spoof the user's identity and gain access to the application. The attacker shares all of the user's privileges in the application. Credentials must be protected as they are passed over the network and while they are persistent, for example, in the application's user store. The authentication cookie that represents an authenticated identity to the application after the initial logon must also be protected to mitigate the risk of session hijacking and cookie replay attacks.

Forms Authentication

The threat of session hijacking and cookie replay attacks is particularly significant for applications that use Forms authentication. You must take particular care when querying the database using the user-supplied credentials to ensure that you are not vulnerable to SQL injection.

Additionally, to prevent identity spoofing, you should make sure that the user store is secure and that strong passwords are enforced. The following fragment shows a "secure" Forms authentication configuration in Web.config: Sliding session lifetime
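The book's Web.config fragment is not reproduced on this page, so what follows is an added example of my own, not the book's fragment, that shows a hardened Forms authentication section next to the weak settings it replaces. It assumes the ASP.NET 1.1 forms, authorization and machineKey elements; the loginUrl, cookie name, timeout values and key values are placeholders.

```xml
<!-- Added example (not the book's fragment): Forms authentication in Web.config -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- WEAK (shown for contrast only):
             protection="None"        the ticket is neither encrypted nor signed
             requireSSL="false"       the cookie is also sent over plain HTTP
             slidingExpiration="true" with a very long timeout keeps a stolen
                                      cookie valid as long as it is replayed
           <forms loginUrl="login.aspx" protection="None" requireSSL="false"
                  timeout="525600" slidingExpiration="true" />
      -->

      <!-- HARDENED: the ticket is encrypted and signed (protection="All"),
           the cookie is only sent over HTTPS (requireSSL="true"), it expires
           10 minutes after issue (timeout) and is not renewed on each request
           (slidingExpiration="false"), which bounds the window in which a
           replayed cookie is useful. name and loginUrl are placeholders. -->
      <forms name=".ASPXAUTH"
             loginUrl="login.aspx"
             protection="All"
             requireSSL="true"
             timeout="10"
             path="/"
             slidingExpiration="false" />
    </authentication>

    <!-- Require a logon for every page: "?" denotes anonymous users. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keys used to encrypt and sign the ticket. Placeholder values here;
         use explicitly generated keys so every server in a farm validates
         the same tickets. -->
    <machineKey validationKey="REPLACE_WITH_GENERATED_VALIDATION_KEY"
                decryptionKey="REPLACE_WITH_GENERATED_DECRYPTION_KEY"
                validation="SHA1" />
  </system.web>
</configuration>
```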