Problem: User Input
* All user input is inherently evil
* Malicious input can:
- Inject SQL statements
# Execute arbitrary SQL
# Damage limited only by privilege of data account
- Alter application flow
- Attack other users (cross-site scripting)
# Read/write cookies
# Execute script, etc.
Solution: Input Validation
* All user input should be cleansed
- ASP.NET validation controls
- RegEx class
- Reject invalid input
* Encode any input that is echoed to the browser
- HttpUtility.HtmlEncode()
* Always use parameterized SQL queries
- Parameterized commands (good)
- Parameterized stored procedures (better)
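An added C# example (not part of the original slides) showing the three fixes side by side: the concatenated query the slides warn against, the parameterized command and stored procedure that replace it, a reject-on-invalid regex check, and HttpUtility.HtmlEncode on echoed output. The Users table, its columns and the dbo.GetUserByName procedure are assumed names for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

public static class UserLookup
{
    // Vulnerable: user input is pasted into the SQL text, so whatever the
    // user types becomes part of the statement the database executes.
    public static SqlCommand BuildUnsafeCommand(SqlConnection conn, string userName)
    {
        return new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = '" + userName + "'", conn);
    }

    // Good: parameterized command. The SQL text is fixed; the input travels
    // separately as a typed value and cannot change the statement's structure.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Email FROM Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Better: parameterized stored procedure (assumes dbo.GetUserByName exists
    // and takes an @UserName parameter; the procedure itself is hypothetical).
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string userName)
    {
        var cmd = new SqlCommand("dbo.GetUserByName", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return cmd;
    }

    // Input validation: reject anything that is not a plausible user name
    // instead of trying to strip bad characters out of it.
    private static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_.-]{1,50}$");
    public static bool IsValidUserName(string userName) =>
        userName != null && UserNamePattern.IsMatch(userName);

    // Output encoding: anything echoed to the browser goes through HtmlEncode,
    // so <, >, &, " and ' in the input render as text rather than as markup.
    public static string GreetingHtml(string userName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }
}
```

Call IsValidUserName before building any command, and keep the data account's privileges limited to the procedures and tables it actually needs, since that privilege bounds the damage if a query is ever built the unsafe way.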
ASP.NET Request Validation
* Validates query string, form data, cookies
* Developers still have responsibility to secure inputs
* Can be disabled at page-, application-, or machine-level