Security issues relating to submitting href links and text:

  • Thread starter Thread starter Chipmunk
  • Start date Start date
C

Chipmunk

I am currently developing a website (ASP.NET) which allows users to
submit a web form containing a href link in one field and descriptive text
in another field. The records will stored to varchar columns in a SQL Server
2000 database and hosted by a 3rd party ISP. The list of links will then be
made available to other users.
What general security precautions should be taken when developing a
website of this nature? Specifically, I am concerned about the possibility
of malicious SQL or ASP script insertion and it's impact on the web or
database server. I am already using client and server side validation to
restrict the description field to alpha-numeric characters, period and
spaces.
 
Cross-site scripting vulnerabilities for starters...

Think about exploits that come out for Internet Explorer that rely on
carefully crafted malicious URLs. Someone could submit one of those into
your system. Alternatively, they might submit a link that grabs cookies for
your domain, and redirects them to a site of the user's choosing. Etc

Check out the OWASP website (www.owasp.org) for more information on securing
web applications.
Microsoft also as a book you can download from MSDN on building secure
ASP.Net applications. Get that as well.

Cheers
Ken

: I am currently developing a website (ASP.NET) which allows users to
: submit a web form containing a href link in one field and descriptive text
: in another field. The records will stored to varchar columns in a SQL
Server
: 2000 database and hosted by a 3rd party ISP. The list of links will then
be
: made available to other users.
: What general security precautions should be taken when developing a
: website of this nature? Specifically, I am concerned about the possibility
: of malicious SQL or ASP script insertion and it's impact on the web or
: database server. I am already using client and server side validation to
: restrict the description field to alpha-numeric characters, period and
: spaces.
:
:
 
Please do not cross-post to so many newsgroups.

Regular expressions are your friends-- use them wisely. You'll want to
ensure that the data entered matches the formats you expect (easy for URLs,
harder for "descriptive text"). See http://www.devx.com/vb2themax/Tip/19510
for instance.

--
Thanks,

Eric Lawrence
Program Manager
Assistance and Worldwide Services

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Back
Top