Professional ASP.NET MVC 4 by Scott Hanselman, K. Scott Allen, Brad Wilson, Phil Haack, Jon Galloway


Understanding the Security Vectors in a Web Application

So far, this chapter has focused on using security features to control access to areas in your site. Many developers see this — making sure that the right usernames and passwords map to the correct sections of their web application — as the extent of their involvement in web application security.

However, if you'll remember, the chapter began with dire warnings about how your applications will need security features that do nothing but prevent misuse. When your web application is exposed to public users, especially the enormous, anonymous public Internet, it is vulnerable to a variety of attacks. Because web applications are built on standard, text-based protocols and formats like HTTP and HTML, they are also especially easy targets for automated attacks: an attacker can script requests against your site just as easily as a browser can send them.

So, let's shift focus to seeing how hackers will try to misuse your applications, and how you can beat them.

Threat: Cross-Site Scripting

Let's start with a look at one of the most common attacks: cross-site scripting (XSS). This section discusses XSS, what it means to you, and how to prevent it.

Threat Summary

You have allowed this attack before, and maybe you just got lucky and no one walked through the unlocked door of your bank vault. Even if you're the most zealous security nut, you've let this one slip. It's unfortunate because XSS is consistently ranked among the top security vulnerabilities on the Web, and that is largely because many web developers are unfamiliar with the risks.

XSS can be carried out in one of ...
