Cheat Sheet: ASP.NET 2.0 Security Inspection Questions

From Guidance Share

Revision as of 03:50, 6 March 2007; Admin (Talk | contribs)
Vulnerability Questions
SQL Injection
  • Non-validated input used to generate SQL queries
  • Is the application susceptible to SQL injection?
  • Does the code use parameterized stored procedures?
  • Does the code use parameters in SQL statements?
  • Does the code attempt to filter input?
Cross-Site Scripting
  • Unvalidated and untrusted input in the HTML output stream
  • Does the code echo user input or URL parameters back to a Web page?
  • Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page?
Input/Data Validation
  • Reliance on client-side validation
  • Use of input file names, URLs, or user names for security decisions
  • Application-only filters for malicious input
  • Does the code rely on client-side validation?
  • Does the code accept path or file-based input?
  • Does the code validate data from all sources?
  • Does the code use a centralized approach to input and data validation?
  • Does the code validate URLs?
  • Does the code use MapPath?
Authentication
  • Weak passwords
  • Clear text credentials in configuration files
  • Passing clear text credentials over the network
  • Long sessions
  • Mixing personalization with authentication
  • Does the code enforce strong user management policies?
  • Does the code partition the Web site into restricted and public access areas?
  • Does the code use protection="All"?
  • Does the code restrict authentication cookies to HTTPS connections?
  • Does the code use SHA1 for HMAC generation and AES for encryption?
  • Does the code reduce ticket lifetime?
  • Does the code keep personalization cookies separate from authentication cookies?
  • Does the code use distinct cookie names and paths?
Forms Authentication
  • Failure to protect the forms authentication cookie
  • Forms authentication cookies are shared by multiple applications
  • Passwords are stored in a database in clear text
  • Does the code persist forms authentication cookies?
  • Does the code reduce ticket lifetime?
  • Does the code use protection="All"?
  • Does the code restrict authentication cookies to HTTPS connections?
  • Does the code use SHA1 for HMAC generation and AES for encryption?
  • Does the code keep personalization cookies separate from authentication cookies?
  • Does the code use distinct cookie names and paths?
  • How does the code store passwords in databases?
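An added example, not part of the original cheat sheet, showing one ASP.NET 2.0 web.config fragment whose settings answer the Forms Authentication questions above; the cookie names, paths, provider name and connection string name are illustrative.

```xml
<?xml version="1.0"?>
<!-- Added example, not from the original cheat sheet: web.config settings
     that answer the Forms Authentication inspection questions.
     Cookie names, paths and the connection string name are illustrative. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <!-- Settings an inspection would flag (shown for contrast only):
           <forms name=".ASPXAUTH" protection="None" requireSSL="false"
                  timeout="600" slidingExpiration="true" path="/" />
           The default name is shared by every application on the host, the
           ticket is neither signed nor encrypted, it travels over plain HTTP,
           and a ten-hour sliding window keeps a stolen ticket valid. -->
      <forms name=".InspectionDemoAuth"
             loginUrl="~/Login.aspx"
             protection="All"
             requireSSL="true"
             timeout="20"
             slidingExpiration="false"
             path="/InspectionDemo"
             cookieless="UseCookies" />
    </authentication>
    <!-- Ticket HMAC uses SHA1 and ticket encryption uses AES; keys are
         generated per application rather than shared across the server. -->
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1"
                decryption="AES" />
    <!-- Personalization cookie kept separate from the authentication cookie,
         with its own distinct name and path. -->
    <anonymousIdentification enabled="true"
                             cookieName=".InspectionDemoAnon"
                             cookiePath="/InspectionDemo" />
    <!-- Membership provider stores password hashes, not clear text;
         retrieval must be disabled when the format is Hashed. -->
    <membership defaultProvider="HashedSqlProvider">
      <providers>
        <clear />
        <add name="HashedSqlProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="InspectionDemoDb"
             passwordFormat="Hashed"
             enablePasswordRetrieval="false" />
      </providers>
    </membership>
  </system.web>
</configuration>
```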
Authorization
  • Reliance on a single gatekeeper
  • How does the code protect access to restricted pages?
  • How does the code protect access to page classes?
  • Does the code use Server.Transfer?
Code Access Security
  • Improper use of link demands or asserts
  • Code allows untrusted callers
  • Does the code use link demands or assert calls?
  • Does the code use AllowPartiallyTrustedCallersAttribute?
  • Does the code use potentially dangerous permissions?
  • Does the code give dependencies too much trust?
Exception Management
  • Failing to use structured exception handling
  • Revealing too much information to the client
  • Does the code handle errors and exception conditions?
  • Does the application fail securely in the event of exceptions?
  • Does the application expose sensitive information in user sessions?
Impersonation
  • Revealing service account credentials to the client
  • Code executes with higher privileges than expected
  • Does the application use hard-coded impersonation credentials?
  • Does the application clean up properly when it uses impersonation?
Sensitive Data
  • Storing secrets in code
  • Storing secrets in clear text
  • Passing sensitive data in clear text over networks
  • Does the code store secrets?
  • Is sensitive data stored in predictable locations?
Data Access
  • Failing to protect database connection strings
  • Using over-privileged accounts to access SQL Server
  • Does the application use SQL authentication?
  • How does the application store database connection strings?
Cryptography
  • Using custom cryptography
  • Using the wrong algorithm or too small a key size
  • Failing to secure encryption keys
  • Using the same key for a prolonged period of time
  • Does the code use custom cryptographic algorithms?
  • Does the code use the correct algorithm and an adequate key size?
  • Does the code generate random numbers for cryptographic purposes?
  • How does the code manage and store encryption keys?
Unsafe Code
  • Buffer overrun in unmanaged code or code marked /unsafe
  • Integer overflow in unmanaged code or code marked /unsafe
  • Format string problem in unmanaged code or code marked /unsafe
  • Array out of bounds in unmanaged code or code marked /unsafe
  • Is the code susceptible to buffer overruns?
  • Is the code susceptible to integer overflows?
  • Is the code susceptible to format string problems?
  • Is the code susceptible to array out-of-bounds errors?
Potentially Dangerous Unmanaged APIs
  • A potentially dangerous unmanaged API is called improperly
  • Does the code call potentially dangerous unmanaged APIs?
Auditing and Logging
  • Sensitive data revealed in logs
  • Does the application log sensitive data?