Understanding the Security Vectors in a Web Application

So far, this chapter has focused on using security features to control access to areas in your site. Many developers see this — making sure that the right usernames and passwords map to the correct sections of their web application — as the extent of their involvement in web application security.

However, if you'll remember, the chapter began with dire warnings that your applications will also need security features whose only purpose is to prevent misuse. When your web application is exposed to public users, especially the enormous, anonymous public Internet, it is vulnerable to a variety of attacks. Because web applications are built on standard, text-based protocols and formats like HTTP and HTML, they are especially vulnerable to automated attacks as well.

So, let's shift focus to seeing how hackers will try to misuse your applications, and how you can beat them.

Threat: Cross-Site Scripting

Let's start with a look at one of the most common attacks: cross-site scripting (XSS). This section discusses XSS, what it means to you, and how to prevent it.

Threat Summary

You have allowed this attack before, and maybe you just got lucky and no one walked through the unlocked door of your bank vault. Even if you're the most zealous security nut, you've let this one slip. It's unfortunate, because XSS is the number one security vulnerability on the Web, largely because web developers are unfamiliar with the risks.

XSS can be carried out in one of ...
