How To Stop Your Website Being Stung
I was pleased to see this session from the ever-present Barry Dorrans as I'd wanted to see it at WebDD but went to Andy Westgarth's session instead. Barry took us through the OWASP Top Ten list of web application vulnerabilities, and demonstrated how to mitigate against them in code. This was a really good session for me as it's directly relevant to some security testing I've been involved with recently. Among the highlights were:
- Use the PrincipalPermission attribute to protect your code.
- When outputting user-entered content, HTMLEncode it - this protects you against persistent cross-site scripting that makes it past your input checking.
- Use the AntiXSS library's HTMLEncode method rather than the HttpServerUtility object's version as the AntiXSS library has more tests.
- Don't trust MIME types for uploaded files - I didn't know you could futz with this, although in retrospect I don't know why I'm surprised either. And obviously never trust the uploaded file's extension (hangs head in shame).
- Use salts every time you do any form of encryption.
- Don't leak information. This could be through viewstate, or a YSOD.
- Pages have an OnError event, which you can use to call Server.Transfer to switch to your error screen, which doesn't indicate to the client that an error occurred.
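As an added illustration (not code from Barry's session or from this post), here is a WebForms code-behind that combines three of those points: a declarative PrincipalPermission demand, HTML-encoding stored user content at output time, and an OnError override that logs, clears the error and transfers to a neutral error page instead of a YSOD. The page name, the Literal control, the "Moderators" role and the in-memory comment store are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Permissions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind for Comments.aspx (assumed page and markup).
public partial class Comments : Page
{
    // Constructed stand-in for a database: comment id -> untrusted user text.
    private static readonly Dictionary<int, string> Store = new Dictionary<int, string>
    {
        { 1, "Nice post <script>alert('xss')</script>" }
    };

    protected Literal CommentLiteral; // assumed <asp:Literal ID="CommentLiteral" runat="server" />

    // Declarative demand: only callers in the assumed "Moderators" role reach the body;
    // anyone else gets a SecurityException before a single line of it runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Moderators")]
    protected void DeleteComment(int commentId)
    {
        Store.Remove(commentId);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Encode on output, so script that slipped past input checks renders as text.
        // HttpUtility.HtmlEncode is the framework version; the AntiXSS library's
        // HtmlEncode is the stricter drop-in the session recommended.
        string untrusted;
        if (Store.TryGetValue(1, out untrusted))
        {
            CommentLiteral.Text = HttpUtility.HtmlEncode(untrusted);
        }
    }

    // Runs for any unhandled exception on this page. Keep the detail server-side,
    // clear the error so ASP.NET never renders the yellow screen, then Server.Transfer
    // to the error page; unlike a redirect, the client sees no change of URL.
    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();
        System.Diagnostics.Trace.TraceError(ex.ToString()); // stays in server-side logs
        Server.ClearError();
        Server.Transfer("~/Error.aspx");
    }
}
```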
WebForms vs MVC
I'd been looking forward to this meeting for a couple of weeks, and I wasn't disappointed. Billed as Clash of the Titans, this featured Phil Winstanley speaking for WebForms and Sebastian Lambla on the side of MVC. It was the first time I've seen Seb present, and he's, um, energetic :-) I thought Seb got sidetracked into more of a TDD demonstration halfway through rather than keeping on topic with MVC. It was interesting to see Phil do some ASP.NET testing with WaTiN - it's something I must look at. There's a DDD session waiting to happen for someone to do some comparisons between WaTiN, Selenium and the Lightweight Test Framework - ASP.NET Testing Smackdown anyone? Nice to see SessionPageStatePersister make an appearance too - everyone should use it!
As holder of the WebForms Thumb (you had to be there!) I'd love to report that Phil carried the day; however, commentators agreed it was a draw. It would be interesting (hint hint guys!) to see a 'rematch' once there is some guidance on what types of application suit either school of thought - this is definitely the weak spot with MVC right now.