Text and determine whether the application's
developers made proper use of SQL query parameterization.
Remember that safe SQL functions protect you only if they are actually used, and used
everywhere. As an attacker, pay attention and go after the spots where developers have
either been uninformed or lazy when working with SQL; a single concatenated query in an
otherwise parameterized code base is enough.
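The following is an added example, not code from the book, showing what the audit described above is looking for: the same lookup written with string concatenation, with C# string interpolation (which is just concatenation in newer clothes), and with a real SqlParameter. The connection string, table and column names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the book). AppDb, Users and UserName are assumed names.
public static class UserLookup
{
    private const string ConnStr = "Server=.;Database=AppDb;Integrated Security=true;";

    // VULNERABLE: the attacker controls part of the query text.
    // userName = "x' OR 1=1 --" returns every row; "x'; DROP TABLE Users; --" is worse.
    public static int CountUsersConcat(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName + "'", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // STILL VULNERABLE: interpolation looks tidy in a code review but builds the
    // identical string. Grep for $" as well as for + when hunting for this.
    public static int CountUsersInterpolated(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            $"SELECT COUNT(*) FROM Users WHERE UserName = '{userName}'", conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE: the SQL text is a constant; the value travels as a typed parameter and the
    // server never parses it as SQL. CommandType stays Text; the parameter is what matters,
    // not whether a stored procedure is involved.
    public static int CountUsersParameterized(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = @userName", conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

When reviewing .Net code, search for every place a CommandText is assembled (string concatenation, String.Format, interpolation, StringBuilder) rather than stopping at the first Parameters.Add you see; a code base is only as parameterized as its worst query.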
Chapter 5: .Net Security 123
CROSS-SITE SCRIPTING AND ASP.NET
ASP.Net has several mechanisms to protect web applications against cross-site scripting
(XSS) attacks. While these mechanisms help prevent XSS vulnerabilities, they are not
infallible and can lend developers a false sense of security. This section gives an
overview of ASP.Net's XSS protections along with some of the common ways in which the
protections are misused.
Input Validation
One of the first lines of defense in an ASP.Net application is the use of input validators.
Input validators can be applied to input fields and verify that user fields are populated
and contain appropriate information. Each validator control is associated with an
ASP.Net input control. The controls perform validation on the client side and again on the
server side, but the client-side check is only a convenience for the user: an attacker who
posts the form directly never runs it, so only the server-side result can be relied upon,
and only if the developer actually consults it (Page.IsValid) before acting on the input.
The .Net Framework has four validator classes:
• RequiredFieldValidator  Ensures that a user has entered data into the
associated input control.
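As an added example tied to the validator discussion above (not code from the book), here is a Web Forms code-behind that uses a RequiredFieldValidator the way the framework intends, next to the shortcut that throws the protection away. The control IDs and the markup sketched in the comment are assumptions; they would normally live in the page's .aspx file.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not from the book). Assumed markup in the .aspx:
//   <asp:TextBox ID="txtComment" runat="server" />
//   <asp:RequiredFieldValidator ID="valComment" runat="server"
//        ControlToValidate="txtComment" ErrorMessage="A comment is required." />
//   <asp:Button ID="btnPost" runat="server" Text="Post" OnClick="btnPost_Click" />
//   <asp:Literal ID="litEcho" runat="server" />
public partial class CommentPage : Page
{
    // MISUSE: the validator did run on the server (Page.Validate() fires before the click
    // handler because the button's CausesValidation defaults to true), but its verdict is
    // never read. An attacker who skips the client-side script can post an empty value, and
    // because a Literal renders Text unencoded, anything else they post lands in the page.
    protected void btnPost_Click_Misused(object sender, EventArgs e)
    {
        litEcho.Text = "You said: " + txtComment.Text;
    }

    // CORRECT: stop when validation failed, and keep validation separate from output
    // encoding. A RequiredFieldValidator only proves the field is non-empty; it says nothing
    // about whether the content is safe to echo, so the value is HTML-encoded regardless.
    protected void btnPost_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            // Validators already render their ErrorMessage; just do not act on the input.
            return;
        }

        litEcho.Text = "You said: " + HttpUtility.HtmlEncode(txtComment.Text);
    }
}
```

When auditing, look for event handlers that read control values without testing Page.IsValid, and for validators with EnableClientScript left on but no server-side consequence; either pattern means the validator is decoration rather than a control.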