Cheat Sheet: .NET Framework 2.0 Security Inspection Questions

From Guidance Share

Jump to: navigation, search
Vulnerability Questions
SQL Injection
  • Non-validated input used to generate SQL queries
  • Is the application susceptible to SQL injection?
  • Does the code use parameterized stored procedures?
  • Does the code use parameters in SQL statements?
  • Does the code attempt to filter input?
Cross-Site Scripting
  • Unvalidated and untrusted input in the HTML output stream
  • Does the code echo user input or URL parameters back to a Web page?
  • Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page?
Input/Data Validation
  • Reliance on client-side validation
  • Use of input file names, URLs, or user names for security decisions
  • Application-only filters for malicious input
  • Does the code rely on client-side validation?
  • Is the code susceptible to canonicalization attacks?
  • Does the code validate data from all sources?
  • Does the code use a centralized approach to input and data validation?
Code Access Security
  • Improper use of link demands or asserts
  • Code allows untrusted callers
  • Does the code use link demands or assert calls?
  • Does the code use AllowPartiallyTrustedCallersAttribute?
  • Does the code use potentially dangerous permissions?
  • Does the code give dependencies too much trust?
Exception Management
  • Failing to use structured exception handling
  • Revealing too much information to the client
  • Does the code handle errors and exception conditions?
  • Does the application fail securely in the event of exceptions?
  • Does the application expose sensitive information in user sessions?
Impersonation
  • Revealing service account credentials to the client
  • Code executes with higher privileges than expected
  • Does the application use hard-coded impersonation credentials?
  • Does the application clean up properly when it uses impersonation?
Sensitive Data
  • Storing secrets in code
  • Storing secrets in clear text
  • Passing sensitive data in clear text over networks
  • Does the code store secrets?
  • Is sensitive data stored in predictable locations?
  • Does the code store secrets?
Cryptography
  • Using custom cryptography
  • Using the wrong algorithm or too small a key size
  • Failing to secure encryption keys
  • Using the same key for a prolonged period of time
  • Does the code use custom cryptographic algorithms?
  • Does the code use the correct algorithm and an adequate key size?
  • Does the code generate random numbers for cryptographic purposes?
  • How does the code manage and store encryption keys?
Unsafe Code
  • Buffer overrun in unmanaged code or code marked /unsafe
  • Integer overflow in unmanaged code or code marked /unsafe
  • Format string problem in unmanaged code or code marked /unsafe
  • Array out of bounds in unmanaged code or code marked /unsafe
  • Is the code susceptible to buffer overruns?
  • Is the code susceptible to integer overflows?
  • Is the code susceptible to format string problems?
  • Is the code susceptible to array out of bound errors?
Potentially Dangerous Unmanaged APIs
  • A potentially dangerous unmanaged API is called improperly
  • Does the code call potentially dangerous unmanaged APIs?
Auditing and Logging
  • Sensitive data revealed in logs
  • Does the application log sensitive data?
Personal tools