I think that Cross Site Scripting (XSS) and SQL Injection have to be two of the most commonly exploited security holes out there, and I see tons of posts to security lists about XSS/SQL Injection holes in all sorts of applications. ASP.NET has a lot of built-in protections for these kinds of things but is not immune. For this article I am going to focus on XSS. I might post about SQL Injection later.
For those of you who don't know what XSS is, here is a simple example. Let's say I put this value into a textbox: <script>alert('Hello');</script>. When that data is later displayed, the script is written straight into the page, and because the browser trusts your site it will run the code and show the alert.
Let's expand on this and use cookies as an example. A developer usually thinks of a cookie as something protected, in that it can only be accessed from the website that created it. Now suppose I submit a script to your page that reads that cookie and then, let's say, emails it to me. The script I posted to your website through an input field would run in the context of your website and have access to the user's cookies. I have now stolen the cookie of every user who views the post containing my script.
Hopefully we can all see the problem now. ASP.NET has a nice feature that looks for unsafe posts and throws an error (but only if validateRequest is set to true, which it is by default). Although that validation is good, I know it is not infallible. There will be some way around it, whether by encoding the data (for example, an encoded form of <script>), using different text encodings, or some other way to bypass the filters. I like adding regular expression validators on input boxes to make sure the value is limited to alphanumeric characters (i.e. [a-zA-Z0-9]).
Most of our validation is done on input, but not when we are outputting data. I like the technique of outputting data in an HTML-encoded form, like so:
Response.Write(HttpUtility.HtmlEncode(userSuppliedData));
This takes special characters like < and > and converts them to their web-safe forms, &lt; and &gt;, which would prevent the simple example from running.
Another interesting attack I have heard of in theory is privilege escalation. Take a message board that requires all posts to be moderated by an administrator. If I submit some malicious code in a post and the admin then reads it to moderate it, the code runs with the admin's privileges. In theory this could be used to grant yourself admin rights or auto-approve your own post. The possibilities are endless.
My best advice is to read more on this and think about it every time you receive or display user input. I also think your system should fail closed. By that I mean don't keep a list of disallowed characters; instead keep a list of allowed characters (i.e. [a-zA-Z0-9] rather than [^<>;]). You can always expand the known-good set, but it is very easy to miss a bad character.
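To tie the two defences together (allow-list validation on input from the paragraph above, and HtmlEncode on output from the Response.Write example earlier), here is an added C# example that is not part of the original post. IsValid and RenderAsText are hypothetical helper names; the sample inputs are constructed.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility lives here in ASP.NET (System.Web.dll)

public static class UntrustedInput
{
    // Allow-list from the article: only alphanumerics are accepted on input.
    // \z (not $) anchors at the true end of the string, because in .NET
    // $ also matches just before a trailing newline.
    private static readonly Regex AllowedChars =
        new Regex(@"^[a-zA-Z0-9]+\z", RegexOptions.Compiled);

    // Hypothetical helper: true only when every character is on the allow-list.
    // Anything else is rejected outright rather than "cleaned up".
    public static bool IsValid(string input)
    {
        return !string.IsNullOrEmpty(input) && AllowedChars.IsMatch(input);
    }

    // Hypothetical helper for output encoding: whatever was stored is encoded
    // at the point it is written to the page, so '<' becomes "&lt;" and the
    // browser renders text rather than markup.
    public static string RenderAsText(string stored)
    {
        return HttpUtility.HtmlEncode(stored);
    }

    public static void Main()
    {
        // Constructed samples: the article's own script example and a benign value.
        string[] samples = { "<script>alert('Hello');</script>", "Hello123" };
        foreach (string s in samples)
        {
            Console.WriteLine("input   : " + s);
            Console.WriteLine("accepted: " + IsValid(s));      // false, then true
            Console.WriteLine("rendered: " + RenderAsText(s)); // &lt;script&gt;..., Hello123
        }
    }
}
```

Note that the two checks are independent: even a value that slipped past input validation (or came from another source entirely) is still harmless when it is HTML-encoded at output.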
Links
MSDN article on SQL injection
MSDN article on XSS