Check That Output Is Encoded
While not a replacement for checking that input is well-formed and correct, you should check that HtmlEncode is used to encode HTML output that includes any type of input. Also check that UrlEncode is used to encode URL strings. Input data can come from query strings, form fields, cookies, HTTP headers, and input read from a database, particularly if the database is shared by other applications. By encoding the data, you prevent the browser from treating the HTML as executable script.
Example for URL encoding:
String MyURL;
MyURL = "http://www.contoso.com/articles.aspx?title=" + Server.UrlEncode("ASP.NET Examples");
Response.Write("<a href=\"" + MyURL + "\">ASP.NET Examples</a>");
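The review point above is that a value rendered in two contexts needs two encoders: the query-string value is URL-encoded, the visible link text is HTML-encoded. The following console program is an added example, not code from the original page; it uses System.Net.WebUtility so it runs without System.Web (Server.HtmlEncode and Server.UrlEncode behave the same way in a Web Forms page), and the "untrusted" title string is constructed for the demonstration.

```csharp
// Added example (not from the original page): output encoding per context.
// System.Net.WebUtility stands in for Server.HtmlEncode / Server.UrlEncode so the
// program runs as a plain console app.
using System;
using System.Net;

static class OutputEncodingDemo
{
    // Constructed input standing in for a query string or database field.
    // It is never executed; the point is how it is rendered.
    const string UntrustedTitle = "ASP.NET Examples <script>alert('x')</script> & \"more\"";

    // Builds a link whose query-string value is URL-encoded and whose visible
    // text is HTML-encoded: two contexts, two encoders.
    public static string RenderLink(string title)
    {
        string url = "http://www.contoso.com/articles.aspx?title=" + WebUtility.UrlEncode(title);
        // The URL lands inside an HTML attribute, so it is HTML-encoded as well;
        // '&' becomes '&amp;', which the browser decodes before following the link.
        return "<a href=\"" + WebUtility.HtmlEncode(url) + "\">"
             + WebUtility.HtmlEncode(title) + "</a>";
    }

    // The anti-pattern a code review is looking for: input concatenated into markup unencoded.
    public static string RenderLinkUnsafe(string title)
    {
        return "<a href=\"http://www.contoso.com/articles.aspx?title=" + title + "\">"
             + title + "</a>";
    }

    // Self-check: the text between the anchor's opening and closing tags must contain
    // no raw '<', otherwise input has been passed through as markup.
    public static bool LinkTextIsEncoded(string anchorMarkup)
    {
        int start = anchorMarkup.IndexOf('>') + 1;
        int end = anchorMarkup.LastIndexOf('<');
        string inner = anchorMarkup.Substring(start, end - start);
        return !inner.Contains("<");
    }

    static void Main()
    {
        string unsafeMarkup = RenderLinkUnsafe(UntrustedTitle);
        string safeMarkup = RenderLink(UntrustedTitle);

        Console.WriteLine("Unsafe:  " + unsafeMarkup);
        Console.WriteLine("Encoded: " + safeMarkup);
        Console.WriteLine("Unsafe link text encoded?  " + LinkTextIsEncoded(unsafeMarkup));
        Console.WriteLine("Encoded link text encoded? " + LinkTextIsEncoded(safeMarkup));
    }
}
```

Run it and compare the two lines: in the unsafe version the script element is emitted verbatim inside the anchor, while in the encoded version it survives only as text. Note that UrlEncode alone is not enough for the href attribute: the `&` that separates query parameters would otherwise reach the HTML parser unencoded.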
Check for Correct Character Encoding
To help prevent attackers using canonicalization and multi-byte escape sequences to trick your input validation routines, check that the character encoding is set correctly to limit the way in which input can be represented.
Check that the application Web.config file sets the requestEncoding and responseEncoding attributes on the globalization element:
<globalization
  requestEncoding="ISO-8859-1"
  responseEncoding="ISO-8859-1"/>
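Checking this by eye across many Web.config files is error-prone, so here is an added example (not from the original page) of a small review helper that parses a Web.config and reports whether both attributes are present and name an encoding the runtime recognizes. The two sample configs are constructed for the demonstration.

```csharp
// Added example (not from the original page): a review helper that checks whether a
// Web.config sets requestEncoding and responseEncoding on <globalization>.
using System;
using System.Collections.Generic;
using System.Text;
using System.Xml.Linq;

static class GlobalizationCheck
{
    // Constructed sample configs: one that sets both attributes, one that does not.
    const string ConfigWithEncoding = @"<configuration>
  <system.web>
    <globalization requestEncoding=""ISO-8859-1"" responseEncoding=""ISO-8859-1""/>
  </system.web>
</configuration>";

    const string ConfigWithoutEncoding = @"<configuration>
  <system.web>
    <compilation debug=""false""/>
  </system.web>
</configuration>";

    // Returns a list of findings; an empty list means the config passes this check.
    public static List<string> Review(string webConfigXml)
    {
        var findings = new List<string>();
        XDocument doc = XDocument.Parse(webConfigXml);
        XElement globalization = doc.Root?.Element("system.web")?.Element("globalization");

        if (globalization == null)
        {
            findings.Add("no <globalization> element under <system.web>; "
                       + "request and response encoding fall back to runtime defaults");
            return findings;
        }

        foreach (string attr in new[] { "requestEncoding", "responseEncoding" })
        {
            string value = (string)globalization.Attribute(attr);
            if (string.IsNullOrWhiteSpace(value))
            {
                findings.Add(attr + " is not set on <globalization>");
                continue;
            }
            // A misspelled encoding name is only discovered when the application starts,
            // so resolve it here and flag anything the runtime does not know.
            try
            {
                Encoding.GetEncoding(value);
            }
            catch (ArgumentException)
            {
                findings.Add(attr + "=\"" + value + "\" is not a recognized encoding name");
            }
        }
        return findings;
    }

    static void Main()
    {
        var samples = new[]
        {
            ("with-encoding", ConfigWithEncoding),
            ("without-encoding", ConfigWithoutEncoding),
        };
        foreach (var (name, xml) in samples)
        {
            List<string> findings = Review(xml);
            Console.WriteLine(name + ": " + (findings.Count == 0 ? "OK" : string.Join("; ", findings)));
        }
    }
}
```

The helper reports the missing element as a single finding rather than two, since fixing it means adding the element with both attributes at once. Encoding.GetEncoding is used only to validate the name; on .NET Core, encodings beyond the built-in set require registering a code-page provider, so a rejection there is worth confirming against the target runtime before filing it.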