Question

Here are some of the commonly known practices for securing an MVC application:

  • Encode your output
  • Parameterize your SQL
  • Test your search backwards and forward
  • One-way hash passwords
  • Lock out accounts or limit login attempts
  • Use code based impersonation when accessing the file system
  • Access SQL with a locked down username
  • Use Honey-pots or captchas for form submissions to counter bots

If there are any I missed or misstated please feel free to contribute.

What other techniques/best practices do you use or think about when pen testing your own software? What do you do to "kick the tires" before taking an application live?

What pen testing services or software do you use if any?


Solution

All methods that use modelbinding should be secured with whitelists or blacklists on bindable properties.

// Only the listed properties are bound; anything else in the request is ignored.
string[] allowedProperties = new[] { "Title", "Description" };
UpdateModel(myObject, allowedProperties);

or

[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create([Bind(Include = "Title,Description")] MyObject model)
{
    // "object" is a C# keyword and cannot be used as a parameter name;
    // the binder only populates Title and Description on "model".
}

This is of course to prevent crafted requests from attempting to update/manipulate your objects in ways that weren't intended.
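An added example (not code from the original answer) that makes the attack and the fix concrete. It simulates a model binder in Python so the crafted request can be run offline: bind_all stands in for an unrestricted UpdateModel(model), bind_allowed for UpdateModel(model, allowedProperties) / [Bind(Include=...)]. The Post class, the CRAFTED_FORM payload and the function names are illustrative assumptions, not framework APIs.

```python
from dataclasses import dataclass, fields


@dataclass
class Post:
    title: str = ""
    description: str = ""
    # Not meant to be user-editable; only moderation code should set these.
    is_published: bool = False
    author_id: int = 0


def _coerce(raw, typ):
    """Convert a string form value to the property's type (hypothetical helper)."""
    if typ is bool:
        return raw.strip().lower() in ("true", "1", "on", "yes")
    if typ is int:
        return int(raw)
    return raw


def bind_all(model, form):
    """Vulnerable binder: every form field that matches a property is written.
    This is what an unrestricted UpdateModel(model) amounts to."""
    for f in fields(model):
        if f.name in form:
            setattr(model, f.name, _coerce(form[f.name], f.type))
    return model


def bind_allowed(model, form, allowed):
    """Safe binder: only allow-listed properties may be written.
    Returns the model plus the form fields that were rejected, so the
    caller can log an over-posting attempt."""
    allowed = set(allowed)
    rejected = sorted(set(form) - allowed)
    for f in fields(model):
        if f.name in allowed and f.name in form:
            setattr(model, f.name, _coerce(form[f.name], f.type))
    return model, rejected


# Constructed request body: the two legitimate fields plus two the form
# never rendered, added by the attacker with curl or a proxy.
CRAFTED_FORM = {
    "title": "Hello",
    "description": "First post",
    "is_published": "true",  # attacker-added
    "author_id": "1",        # attacker-added
}

ALLOWED_PROPERTIES = ("title", "description")


def demo():
    """Bind the same crafted request both ways and return the results."""
    vulnerable = bind_all(Post(), CRAFTED_FORM)
    safe, rejected = bind_allowed(Post(), CRAFTED_FORM, ALLOWED_PROPERTIES)
    return vulnerable, safe, rejected


if __name__ == "__main__":
    vuln, safe, rejected = demo()
    print("unrestricted bind :", vuln)
    print("allow-listed bind :", safe)
    print("rejected fields   :", rejected)
```

Note that the attacker does not need to know the property names in advance: they can be guessed from the view's own field names or from an API that serializes the object, which is why a short allow-list is safer than a blacklist that has to anticipate every sensitive property.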

OTHER TIPS

Your list is good, although it is a bit vague. For instance MD4 is a one-way hash, but it's extremely insecure as I can generate a collision on my desktop in less than a day. SHA-256 with a large salt value is a more secure approach. (I know even this description is incomplete, don't flame.)

There is never a catch all security check list that will work across the board. Specific applications can have specific vulnerabilities. Sometimes these flaws can be logic errors that really don't have a classification.

The OWASP Top 10 web application vulnerabilities list is an excellent resource that you should study. Most notably you are missing XSRF on your list, which can be a devastating attack. There are a large number of "sink" based attacks which you have not listed. For instance, what if an attacker could pass in a path of his choice to fopen? A Study In Scarlet goes over many of these attacks against PHP.

All of your suggestions apply to any web application, not just MVC applications.

An MVC-specific suggestion would be something like "skinny controllers, fat models".

Licensed under: CC-BY-SA with attribution