3+3 ASP.NET Mistakes (+ How to avoid them)
ByteHide
Posted on November 19, 2021
The internet is a dangerous place, hackers are always looking for new ways to break into your system and steal your data.
As a developer, you know how important it is to protect your application. If your app is hacked, it can be a big problem for you and your customers. With the increase in internet security breaches and cyber attacks, protecting your app has never been more essential.
To help prevent potential threats, I'm going to share some mistakes and how to avoid them to help you better protect your ASP.NET applications.
The 3+3 is that I am going to explain 3 common simple ones and 3 security ones. Let's start with the most common ones
3 Common Mistakes made in ASP.NET 📚
ToLower() in LINQ Query Doesn't Work
The ToLower
function returns a lowercased duplicate of a string. When you try to compare numbers from multiple sources, though, this might result in a perplexing error. Consider the following example:
list = (from ds in dbContext.dotnetsaferServices
join c in dbContext.customer on ds.customerName equals c.customerName)
where (ds.shield.number.ToLower().Contains(productLicense.ShieldNumber.ToLower()))
One approach is use IndexOf
only with case-insensitive OrdinalIgnireCase
attribute within the query instead of .ToLower
:
list = (from ds in dbContext.dotnetsaferServices
join c in dbContext.customer on ds.customerName equals c.customerName)
Where (ds.shield.number.IndexOf(productLicense.ShieldNumber, StringComparison.OrdinalIgnoreCase) != -1))
Not Making Use of Dependency Injection
Assume our Controller requires a FooService to obtain a Foo that it may deliver to the user, as seen below:
public class FooController
{
public IActionResult Index()
{
var fooService = new FooService(new BarService(), new BazService());
return View(fooService.GetFoo());
}
}
The problem is that our Controller requires specifics on how to establish a FooService. That implies we'll have to repeat that reasoning every time a FooService is required.
Dependency Injection is a built-in feature of ASP.NET 5 MVC 6. As a result, you may indicate the dependence in the constructor. The ASP.NET 5 framework would then submit it on our behalf.
Incorrect usage of the Var keyword
The misuse and abuse of the var
keyword is a common and fundamental problem. The true function of var is to allow us to declare a local variable when you don't know what type it is. This is frequently the case with anonymous types because you don't know what the type name is until compile time.
Nonetheless, some programmers use var
every time they define a variable. The type name in a local variable declaration adds another layer of description:
// let's say you have a static method called GetProducts()
// that returns System.Data.DataTable
var products = GetProducts(ModelTypes.Subscription);
// how is it clear to the reader that I can do this?
return products.Compute("MAX(Price)", String.Empty);
3 Security Mistakes made in ASP.NET 💻
Storing Secrets inside Web.config
This stems from the desire to save time by storing cryptographic keys in a web.config
file. Here's an example:
<appSettings>
<add key="AWS" value="someSecret" />
<add key="Database" value="someKey" />
</appSettings>
You should never keep secrets in a web.config file
. Therefore, you must redirect the code to a protected file, as seen below:
<appSettings file="Web.SECRETS.config">
<add key="Database" value="someSecret" />
</appSettings>
Request with Potentially Dangerous Consequences.Form Value
By default, we'll get an error because ASP.NET MVC prevents this sort of code from being sent to the server in order to prevent Cross Site Scripting (XSS) attacks. Here's a fix for an issue that occurs when you try to transmit HTML code to a server.
As demonstrated below, you may deactivate ASP.NET MVC validation for a specific field by using the AllowHtml attribute for the model class.
public class ProductModel
{
[Display(Name = "Description:")]
[AllowHtml]
public string Description { get; set; }
}
Not using to the client an XSRF token
Cross-site request forgeries are prevented via XRSF tokens. You must utilize them whenever the browser can implicitly authenticate the user. This covers programs that use Windows authentication or use automated authentication using cookies.
Let's see an example:
[Route("api/[controller]")]
public class SecurityController : Controller
{
private readonly IAntiforgery _antiforgery;
public SecurityController(IAntiforgery antiforgery)
{
_antiforgery = antiforgery;
}
[HttpGet]
public IActionResult Get()
{
var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
return new ObjectResult(new {
token = tokens.RequestToken,
tokenName = tokens.HeaderName
});
}
}
ASP.NET is a web development framework that can be either open-source or commercial. ASP.NET is used to create web pages, web applications, and XML Web Services.
Security is a major issue for many of the ASP.NET applications today because of the common vulnerabilities of SQL injection and Cross-site scripting (XSS).
Although it is difficult for a developer to make an error-free software product, these common security errors mentioned above can be easily avoided when developing ASP.NET applications.
Posted on November 19, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.