If you develop web sites or applications using ASP.NET then no doubt you’ve already heard about the recently announced ASP.NET Security Vulnerability. If not, then go read about it!
Auditing servers using the VBS script supplied by Microsoft to check for vulnerable applications was a great reminder of why it’s a good idea to use functionality provided out of the box whenever possible when working with frameworks, rather than roll your own solution for things like error pages and redirection. Most of the applications I’ve seen so far which were at risk were those where the developers hadn’t used the customErrors functionality, and had instead decided to reinvent the wheel and write something themselves.
Handling errors is something that you might not associate with being a high security risk; however, in this case the scenario is similar to spending time creating your own authentication mechanism (which is one of the OWASP Top 10 Security Risks for web applications). Why spend time writing something which is already offered out of the box? If you’re going to do that then you’d better have a really good reason to do so, and be smart enough to ensure you’re doing a better job than the options that Microsoft give you inside the framework.
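As a rough idea of what an audit of the customErrors setting looks at, here is an added example in Python; it is not Microsoft's VBS script or a port of it. The sample web.config fragments are constructed, the finding codes are made up for illustration, and the checks assume the workaround guidance of customErrors being enabled with a single defaultRedirect page used for every error, in a config file without an XML namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample: error handling rolled by hand, built-in feature switched off.
ROLLED_OWN = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

# Constructed sample: built-in feature on, but a status code gets its own page.
MIXED_PAGES = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
    </customErrors>
  </system.web>
</configuration>"""

# Constructed sample: one uniform error page for every failure.
UNIFORM = """<configuration>
  <system.web>
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""


def audit_custom_errors(web_config_xml):
    """Return finding codes for every <customErrors> section; [] means none."""
    root = ET.fromstring(web_config_xml)
    sections = list(root.iter("customErrors"))  # also matches <location> blocks
    if not sections:
        return ["no-customErrors-section"]
    findings = []
    for section in sections:
        default = section.get("defaultRedirect")
        if section.get("mode", "RemoteOnly").lower() == "off":
            findings.append("mode-off")
        if not default:
            findings.append("no-defaultRedirect")
        # Differing pages per status code let a client tell failure types apart.
        if any(e.get("redirect") != default for e in section.findall("error")):
            findings.append("mixed-error-pages")
    return findings


if __name__ == "__main__":
    for name, xml in [("rolled-own", ROLLED_OWN), ("mixed", MIXED_PAGES), ("uniform", UNIFORM)]:
        print(name, audit_custom_errors(xml) or "ok")
```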