|Important||This document may not represent best practices for current development, links to downloads and other resources may no longer be valid. Current recommended version can be found here. ArchiveDisclaimer|
Securing Standard Controls
The ASP.NET standard controls are a group of controls that enable you to create forms in which users can type or select information before a page is posted back to the server. Standard controls are Web server controls that inherit from theclass. Examples of Web server controls include the , , and controls. The information in this topic describes configuration and coding best practices that will help you improve the security of standard controls.
While following coding and configuration best practices can help improve the security of your application, it is also important that you continually keep your application server up to date with the latest security updates for Microsoft Windows and Internet Information Services (IIS), as well as any security updates for Microsoft SQL Server or other data sources.
More detailed information about best practices for writing secure code and securing applications can be found in the book "Writing Secure Code" by Michael Howard and David LeBlanc, or through the guidance provided by Microsoft Patterns and Practices.
Information about special security practices for other types of controls is also available in the following topics:
The AdRotator control displays advertisements defined in an advertisement file, which by default is an XML file. Alternatively, you can store advertisements in a database and extract them programmatically. To help secure the AdRotator control, follow these guidelines:
If you are using an XML file to store advertisement information, place the file in the Web site's App_Data folder, because the contents of the folder will not be served in response to Web requests.
For extra protection, do not use the .xml file name extension on advertisement files. Instead, use an extension such as .ads, and then map the .ads extension to ASP.NET in IIS and to the forbidden handler in ASP.NET using the following element in the site's Web.config file:
<httpHandlers> <add verb="*" path="*.ads" type="System.Web.HttpForbiddenHandler" /> </httpHandlers>
For information on how to map a file name extension to ASP.NET in IIS, see.
Set appropriate permissions (typically read-only) for the user account or accounts that will be reading the advertisement file. If the Web site supports anonymous access, this is usually the local ASPNET user account or the NETWORK SERVICE account.
If the advertisement file does not exist, the AdRotator control raises an error that displays the path and name of the file, which reveals potentially sensitive information. Avoid this problem by following proper error-handling techniques, including setting the customErrors element in the configuration file to redirect to a custom error page and creating a global error handler that is called if an unhandled exception occurs anywhere in the application. For details, see .
If you are reading advertisement information from a database, follow the guidelines for securing access to the database. For details, see.
Carefully examine any advertisement information that you get from an untrusted source before using it with the AdRotator control. Because the AdRotator control does not perform any validation or check the information it reads from the advertisement file, it renders images and URLs to the Web page exactly as they appear in the ad file or database.
BulletedList, CheckBoxList, RadioButtonList, DropDownList, ListBox
The, , , , and controls render different types of HTML elements (ul, input, and select) based on the contents of collections or on data in a database. To help secure these controls, follow these guidelines:
If the controls read from a database, follow the guidelines for securing access to the database. For details, see.
If you are unsure whether the information to be displayed contains script or other markup, handle the control'sevent and HTML-encode the information before displaying it. For details, see .
If the BulletedList control is configured to display graphics or hyperlinks, make sure that the URL for the graphic or link points to a trusted location.
Thecontrol renders controls to enable navigation in the calendar. LinkButton controls use client script to perform a postback. If a browser has turned off client script for security purposes, the Calendar control will not support navigation.
You can always use the Calendar control to display dates, even if you are not using it to enable date navigation. Do not assume that any selected dates in a Calendar control are formatted correctly. When converting dates from the Calendar control to an internalformat, be sure to use appropriate error handling in case the date is not in the correct format.
Thecontrol enables users to upload a file from their computer to the Web server computer. To help secure the FileUpload control, follow these guidelines:
Do not trust files that are uploaded by users; malicious users might try to upload executable files. When you save an uploaded file, check its file name extension or assign your own extension to the file.
Do not allow users to specify an arbitrary path for the location to save the uploaded file. Check that the name of the file does not contain path information that you have not added yourself.
Do not reveal the internal structure of your Web site to users who are uploading files.
Set read/write permissions for the user account or accounts that will be running the application on the folder or folders where the uploaded files will be saved. If the Web site supports anonymous access, this is generally the local ASPNET user account or the NETWORK SERVICE account. However, limit read/write permissions to only the folder or folders where the application stores uploaded files.
Guard against denial-of-service attacks by setting the maxRequestLength attribute of the httpRuntime element in the configuration file. By default, the maximum request length is 4 megabytes (MB). Other configuration settings that can affect the size of uploaded files are the requestLengthDiskThreshold attribute of the httpRuntime element and the memoryLimit attribute of the processModel element.
Determine the size of the uploaded file by querying theproperty of the object returned by the control, and use the size to decide whether to accept the file.
Thecontrol provides you with a way to set the contents of HTML <input type="hidden"> elements in server code. Hidden fields are used to store information in the page that is useful during page processing but should not be seen by users. To help secure the HiddenField control, follow these guidelines:
Do not store sensitive information in HiddenField controls. Although the information is not visible in the browser, it is part of the page and users can easily view it in the page's source.
Do not trust information in hidden fields. Malicious users can tamper with the content of hidden fields.
Thecontrol renders a URL to the browser. Be sure that the URL points to a trusted location.
Image and ImageMap Controls
To display graphics, the Image andcontrols render a URL to the browser. Be sure that the URL points to a trusted location.
Thecontrol renders an image (img element) that uses client script to perform a postback. If a browser has turned off client script for security purposes, the control will not function.
To display the graphic, the control renders a URL to the browser. Be sure that the URL points to a trusted location.
Label and Literal Controls
Theand controls display text on the page by passing it through to the browser as-is. (The Label control additionally enables you to specify formatting.) If the text contains HTML markup, by default the browser will interpret the markup and render the text accordingly, which might include running scripts.
If you are using the Label control and are unsure whether the text might contain malicious content, use HTML encoding to convert the HTML to its text representation. For details, see.
If you are using the Literal control and are unsure whether the text might contain malicious content, do one of the following:
Set the control'sproperty to , which automatically encodes HTML content.
Use HTML encoding to convert the HTML to its text representation. For details, see.
For more information, see.
The LinkButton control renders a link (a element) that uses client script to perform a postback. If a browser has turned off client script for security purposes, the control will not function.
Thecontrol enables you to add multiple controls and display them conditionally. This gives you the ability to create pages that look like multi-page forms.
If you switch views based on something that can be easily tampered with, such as a URL query string, you could enable someone to see a view that they are not supposed to see. Therefore, be sure that the mechanisms for switching views are as secure as possible. For more information, see.
Because the TextBox control allows users to enter almost any text into the page, you must be careful when accepting user input with this control. To help secure the TextBox control, follow these guidelines:
Use validation controls whenever possible to limit the users' input to acceptable values. For details, see.
Ensure that theproperty is set to true before running your server code.
Use redundant server validation. This is especially true forcontrols; do not create only client-side validation logic.
Set the TextBox control'sproperty to limit the quantity of text that users can enter. Malicious users can affect the performance of your application and potentially cause database errors by sending huge quantities of information in a text box.
Encode user input with themethod, which turns HTML into its text representation (for example,
<b>), and which helps prevent the HTML from being executed in a browser. For details, see .
Set theproperty to to prevent the contents of the text box from being viewed in the text box (by displaying dots). Note that setting the TextMode property to Password provides no other protection; the contents of the text box are not encrypted or otherwise obfuscated, and the information is sent to the server as clear text. Therefore, when using Password, provide additional methods for ensuring that data is secured.
If you are collecting sensitive information, such as a password or credit card number, use Secure Sockets Layer (SSL) to secure communication between the client and server. This applies to any use of TextBox controls, including controls that incorporate TextBox controls, such as thecontrol.
Thecontrol enables you to create multi-step entry forms. Be aware of the following security considerations when using the Wizard control:
The Wizard does not inherently protect sensitive information. If you are collecting sensitive data in the wizard, use SSL to secure communication between the client and server for the page containing the Wizard.
To support its functionality, the Wizard control includes a number of non-visible controls. A user can potentially manipulate those controls and their values to display wizard steps out of order or to display wizard steps that should be displayed to only some users. To help prevent this, ensure that wizard steps are displayed in the correct order, and that steps with sensitive information are not displayed unless the correct conditions apply.
Thecontrol displays the contents of an XML file or string containing XML on a page, optionally applying an XML transformation. To help secure the Xml control, follow these guidelines:
When you are displaying the contents of an XML file, if practical, place the XML file in the in your site's App_Data folder because the contents of the folder will not be served in response to Web requests.
Display XML only from trusted sources.
Use transformations only from trusted sources.