Building Secure Web Applications - ASP.NET

Security is the topic of the moment. Building secure web applications is an integral part of today's web development, given the alarming rise in the number of hacking threats.

Some of the key things to keep in mind while building secure web applications are:

1. Never expose open SQL statements in your code.

A statement built as "select username from users where username='" + txtUserName.Text + "' and password='" + txtPassword.Text + "'"

can easily be manipulated by a malicious user so that it reads as follows:

select username from users where username='' OR ''='' AND password='' OR ''=''

The above statement compares "nothing" to "nothing", which is always true. The WHERE clause therefore matches every row: the user is authenticated and the first username in the table is returned.

To avoid this kind of attack, always use stored procedures, which are much more secure and also perform better.
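As an added illustration (this is example code written for this edit, not code from the original post), here is the concatenated query from point 1 beside the two safe ways of sending the same lookup to SQL Server with ADO.NET: a parameterized SqlCommand, which is what the later comment about "typed variables as opposed to appending strings" refers to, and a stored procedure called with parameters. The table name "users", the column names, the procedure name "usp_GetUser" and the parameter names are assumptions made for the example; the post does not define them.

```csharp
// Added example, not from the original post. Assumes a SQL Server table
// "users" with columns "username" and "password", a stored procedure
// "usp_GetUser" taking @username and @password, and a connection opened by
// the caller. None of these names come from the post.
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // UNSAFE: the user's text becomes part of the SQL statement, so a quote
    // character in the input ends the string literal and the rest of the
    // input is parsed as SQL (the  ''=''  trick shown in the post).
    public static string BuildUnsafeQuery(string userName, string password)
    {
        return "select username from users where username='" + userName
             + "' and password='" + password + "'";
    }

    // SAFE: the text travels as a parameter value. The database never parses
    // it as SQL, so quotes and keywords inside it are just characters to
    // compare against the column.
    public static string FindUserParameterized(SqlConnection conn, string userName, string password)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "select username from users where username = @username and password = @password";
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            // ExecuteScalar returns the first column of the first row, or null
            // when nothing matched; no row means the login fails.
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: the same lookup through a stored procedure, as the post recommends.
    // The protection still comes from passing the values as parameters: a
    // procedure that concatenates @username into a string and runs it with
    // EXEC or sp_executesql would be injectable again.
    public static string FindUserStoredProcedure(SqlConnection conn, string userName, string password)
    {
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "usp_GetUser";
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

In real code the password column would hold a hash rather than the plain text (see point 5), so the comparison would happen in the application after fetching the stored hash for the username; the parameterization shown here is unchanged by that.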


2. Always switch on custom errors in web.config. Detailed error pages are friendly only to us, the developers, and are not something users should see. Before you go to deployment, make sure the customErrors mode is set to either RemoteOnly or On.

An ASP.NET detailed error page reveals exactly where the application broke; if the failure came from the SQL side, it can straight away expose the table name and with it the database structure.

Therefore, always use custom errors and send users to a page that says "Sorry for the inconvenience..." when an error occurs in your application.

3. Validate all data received as input from clients. A search textbox that takes search text from the user is an excellent place for a hacker to embed SQL statements or scripts.

Therefore, make sure ValidateRequest="True" is set in the Page directive or at the web.config level.

Also, check whether the text entered contains statements such as SELECT or DELETE before processing it.

4. Never use the sa username in your database connection string. It is the most vulnerable account and the easiest to compromise. Always use a custom username and password for your application's access to the database.

5. Never store passwords in your database as plain text. Hash or encrypt them to keep them secure. Sending passwords by email is another source of security risk.

There are many more secure strategies which, when followed, provide a safe environment for your applications and may save you a bad day caused by hacking.

Cheers and Happy Programming!!

Posted on Monday, April 25, 2005 7:57 AM

Comments on this post

# re: Building Secure Web Applications - ASP.NET

Thanks for this article; it covers most of the basics. I would also add, when connecting with a command object, that you use typed variables as opposed to appending strings, and also encapsulate any database logic in objects with their own typed variables. Also make sure you test your site with something like McAfee SecureScan to ensure your validation is working and you haven't missed anything.
Left by chris on Dec 10, 2008 7:35 PM