Check | Description |
---|---|
| User input is validated for type, length, format, and range. Input is checked for known valid and safe data and then for malicious, dangerous data. |
| String form field input is validated using regular expressions (for example, by the RegularExpressionValidator control.) |
| Regular HTML controls, query strings, cookies, and other forms of input are validated using the Regex class and/or your custom validation code. |
| The RequiredFieldValidator control is used where data must be entered. |
| Range checks in server controls are checked by RangeValidator controls. |
| Free form input is sanitized to clean malicious data. |
| Input file names are well formed and are verifiably valid within the application context. |
| Output that includes input is encoded with HtmlEncode and UrlEncode. |
| MapPath restricts cross-application mapping where appropriate. |
| Character encoding is set by the server (ISO-8859-1 is recommended). |
| The ASP.NET version 1.1 validateRequest option is enabled. |
| URLScan is installed on the Web server. |
| The HttpOnly cookie option is used for defense in depth to help prevent cross-site scripting. (This applies to Internet Explorer 6.1 or later.) |
| SQL parameters are used in data access code to validate length and type of data and to help prevent SQL injection. |
Check | Description |
---|---|
| Site is partitioned to restricted areas and public areas. |
| Absolute URLs are used for navigation where the site is partitioned with secure and non-secure folders. |
| Secure Sockets Layer (SSL) is used to protect credentials and authentication cookies. |
| The slidingExpiration attribute is set to "false" and limited authentication cookie time-outs are used where the cookie is not protected by using SSL. |
| The forms authentication cookie is restricted to HTTPS connections by using the requireSSL attribute or the Secure cookie property. |
| The authentication cookie is encrypted and integrity checked (protection="All"). |
| Authentication cookies are not persisted . |
| Application cookies have unique path / name combinations. |
| Personalization cookies are separate from authentication cookies. |
| Passwords are not stored directly in the user store; password digests with salt are stored instead. |
| The impersonation credentials (if using a fixed identity) are encrypted in the configuration file by using Aspnet_setreg.exe. |
| Strong password policies are implemented for authentication. |
| The <credentials> element is not used inside <forms> element for Forms authentication (use it for testing only). |
Check | Description |
---|---|
| URL authorization is used for page and directory access control. |
| File authorization is used with Windows authentication. |
| Principal permission demands are used to secure access to classes and members . |
| Explicit role checks are used if fine-grained authorization is required. |
Check | Description |
---|---|
| Configuration file retrieval is blocked by using HttpForbiddenHandler . |
| A least-privileged account is used to run ASP.NET. |
| Custom account credentials (if used) are encrypted on the <processModel> element by using Aspnet_setreg.exe. |
| To enforce machine-wide policy, Web.config settings are locked by using allowOveride="false" in Machine.config. |
Check | Description |
---|---|
| SSL is used to protect sensitive data on the wire. |
| Sensitive data is not passed across pages; it is maintained using server-side state management. |
| Sensitive data is not stored in cookies, hidden form fields, or query strings. |
| Do not cache sensitive data. Output caching is off by default. |
| Plain text passwords are avoided in Web.config and Machine.config files. (Aspnet_setreg.exe is used to encrypt credentials.) |
Check | Description |
---|---|
| The session cookie is protected using SSL on all pages that require authenticated access. |
| The session state service is disabled if not used. |
| The session state service (if used) runs using a least-privileged account. |
| Windows authentication is used to connect to Microsoft SQL Server state database. |
| Access to state data in the SQL Server is restricted. |
| Connection strings are encrypted by using Aspnet_setreg.exe. |
| The communication channel to state store is encrypted (IPSec or SSL). |
Check | Description |
---|---|
| View state is protected using message authentication codes (MACs). |
| Query strings with server secrets are hashed . |
| All input parameters are validated. |
| Page.ViewStateUserKey is used to counter one-click attacks. |
Check | Description |
---|---|
| Structured exception handling is used. |
| Exception details are logged on the server. |
| Generic error pages with harmless messages are returned to the client. |
| Page-level or application-level error handlers are implemented. |
| The application distinguishes between errors and exception conditions. |
Check | Description |
---|---|
| The ASP.NET process is configured to allow new event sources to be created at runtime, or application event sources to be created at installation time. |