Microsoft patterns & practices are Microsoft's recommendations for how to design, develop, deploy, and operate architecturally sound applications for the Microsoft application platform.
How Tos
- How To: Prevent Cross-Site Scripting in ASP.NET - This How To shows how you can help protect your ASP.NET applications from cross-site scripting attacks by using proper input validation techniques and by encoding the output. It also describes a number of other protection mechanisms that you can use in addition to these two main countermeasures. Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. Common vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting data retrieved from a shared database. To protect your application against cross-site scripting attacks, assume that all input is malicious. Constrain and validate all input. Encode all output that could potentially include HTML characters, including data read from files and databases.
- How To: Use Regular Expressions to Constrain Input in ASP.NET - This How To shows how you can use regular expressions within ASP.NET applications to constrain untrusted input. Regular expressions are a good way to validate text fields such as names, addresses, phone numbers, and other user information. You can use them to constrain input, apply formatting rules, and check lengths. To validate input captured with server controls, you can use the RegularExpressionValidator control. To validate other forms of input, such as query strings, cookies, and HTML control input, you can use the System.Text.RegularExpressions.Regex class.
- How To: Protect From Injection Attacks in ASP.NET - This How To shows how you can validate input to protect your application from injection attacks. Performing input validation is essential because almost all application-level attacks rely on malicious input. You should validate all input, including form fields, query string parameters, and cookies, to protect your application against malicious command injection. Assume that all input to your Web application is malicious, and make sure that you use server-side validation for all sources of input. Use client-side validation to reduce round trips to the server and to improve the user experience, but do not rely on it, because it is easily bypassed. To validate input, define acceptable input for each application input field. A proven practice is to constrain input for length, range, format, and type. Define valid input by using a list of acceptable characters (an allow list) rather than a list of unacceptable characters; a list of unacceptable characters is impractical because it is very difficult to anticipate all possible variations of bad input. When you need to accept a range of HTML characters, make sure that you HTML-encode the data to make it safe before displaying it as output.
See also the "patterns & practices Security How Tos Index", which provides an index of patterns & practices Security How Tos organized into multiple views by category.
patterns & practices Guidance Explorer
"patterns & practices Guidance Explorer" is a tool that enables discovery, composition, and consumption of high-quality development guidance. Guidance Explorer installs with a connection to the patterns & practices guidance library, including performance and security topics for .NET, ASP.NET, and ADO.NET applications. The guidance library contains a variety of guidance types, including checklists and guidelines covering design, implementation, and deployment topics.