2

我正在开发一个 MVC 5 互联网应用程序,并且有一些与安全性有关的问题。

我需要手动实施哪些安全措施来确保我的互联网应用程序是安全的?

这是我到目前为止所拥有的:

  • [ValidateAntiForgeryToken]HttpPost每个函数的属性
  • Sanitizer.GetSafeHtml具有HTML 数据的模型属性上的函数
  • Identity 2.1 用于认证和授权

提前致谢。

更新

该应用程序是一个简单的 MVC Internet 应用程序,具有托管在 Azure 上的 Web 服务。我正在使用 Entity Framework 6、Web API 2.0 和 MVC 5。我可以给你什么相关信息?

4

1 回答 1

2

That would cover you for XSRF and Stored XSS. You should also check for:

  • DOM XSS in javascript (when modifying the DOM using data from query string for example).
  • JSON hijacking
  • code injection (SQL injection if you are using a SQL DB for example)
  • enforce HTTPS for login (both login form and login post)
  • ... etc ...

The most common vulnerabilities are not technical bugs, for example you should:

  • Reduce the data you trust from the client. For example, if you have a shopping cart, it may look like a good idea to put the price as a hidden field in the buying form, so the server does not need to go to the DB to get the price for that product, but then the user may tamper the form and buy at $0, or even -$100.

  • Check that the user cannot fool multi-step forms, that for example allow him to order products without going through the payment page.

  • Check that if your application returns files by name, cannot do something like http://example.com/Home/GetFile?filename=..\..\Web.config.

  • Check that you are enforcing authorization BESIDES authentication. For example, a user 123 may be authenticated, but not authorized to check user 456 profile.

  • ... etc ...

The best thing to do, is check the OSWASP page : https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

于 2014-12-02T12:48:47.957 回答