Awhile back, Scott Guthrie wrote a post entitled, Don’t run production ASP.NET Applications with debug=”true” enabled. I thought to myself that keeping debug = “true” certainly had to be one of the worst things you could do in a web application.
However, I found something worse in my opinion. I came across this chunk of code yesterday being recommended by one developer to another for website authentication in ASP.NET 2.0:
SqlCommand cmd = new SqlCommand(“SELECT DISTINCT UserId FROM
[User] WHERE (LoginId =’“+TextBox1.Text + “) AND
(LoginPwd=’“ + TextBox2.Text +“)“, cnn);
And, what’s worse, the developer said that he had already tried it
I think Microsoft has done an excellent job of pushing security over the past couple of years and has built so much into ASP.NET 2.0 that nobody should be writing or recommending code of this nature.
This has the obvious problem of being susceptible to Sql Injection Attacks. This developer also appears to be storing passwords as clear text in the database. Etc.
I realize nobody is perfect and all of us are learning new best practices and techniques daily, but security is not a good place to learn things by trial and error IMHO.
SQL Injection Attacks
For those of you who are unfamiliar with SQL Injection Attacks, you can check out the following MSDN Article, Stop SQL Injection Attacks Before They Stop You. I wrote something up a long time ago, too, called SQL Injection Attacks – Parameterized Queries – Regular Expressions – ASP.NET Security Best Practices.
ASP.NET 2.0 Security Best Practices
Microsoft has a really good article, called Security Practices: ASP.NET 2.0 Security Practices at a Glance, that does a really good job of discussing ASP.NET 2.0 Security Best Practices.
ASP.NET 2.0 Membership, Roles, Forms Authentication, and Security Resources
Scott Guthrie put together a nice list of resources for anyone wanting to learn more about ASP.NET 2.0 Membership and Security so that you don’t roll your own:
Microsoft Threat Analysis & Modeling v2.0 BETA2
Microsoft has a free tool for threat analysis and modeling:
“Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:
- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports”
Check it out here. I think it is still in BETA2.
Plenty of good information out there on ASP.NET 2.0 Security. My recommendation is essentially not to roll your own. Leverage the ASP.NET 2.0 Membership, which takes care of everything for you.