DEV Community

Cover image for 3+3 ASP.NET Mistakes (+ How to avoid them)
Dotnetsafer
Dotnetsafer

Posted on

3+3 ASP.NET Mistakes (+ How to avoid them)

The internet is a dangerous place, hackers are always looking for new ways to break into your system and steal your data. 

As a developer, you know how important it is to protect your application. If your app is hacked, it can be a big problem for you and your customers. With the increase in internet security breaches and cyber attacks, protecting your app has never been more essential. 

To help prevent potential threats, I'm going to share some mistakes and how to avoid them to help you better protect your ASP.NET applications.

The 3+3 is that I am going to explain 3 common simple ones and 3 security ones. Let's start with the most common ones


3 Common Mistakes made in ASP.NET 📚

ToLower() in LINQ Query Doesn't Work

The ToLower function returns a lowercased duplicate of a string. When you try to compare numbers from multiple sources, though, this might result in a perplexing error. Consider the following example:

list = (from ds in dbContext.dotnetsaferServices
             join c in dbContext.customer on ds.customerName equals c.customerName)
              where  (ds.shield.number.ToLower().Contains(productLicense.ShieldNumber.ToLower()))
Enter fullscreen mode Exit fullscreen mode

One approach is use IndexOf only with case-insensitive OrdinalIgnireCase attribute within the query instead of .ToLower:

list = (from ds in dbContext.dotnetsaferServices
join c in dbContext.customer on ds.customerName equals c.customerName)
Where (ds.shield.number.IndexOf(productLicense.ShieldNumber, StringComparison.OrdinalIgnoreCase) != -1))
Enter fullscreen mode Exit fullscreen mode

Not Making Use of Dependency Injection

Assume our Controller requires a FooService to obtain a Foo that it may deliver to the user, as seen below:

public class FooController
{
    public IActionResult Index()
    {
        var fooService = new FooService(new BarService(), new BazService());
        return View(fooService.GetFoo());
    }
}
Enter fullscreen mode Exit fullscreen mode

The problem is that our Controller requires specifics on how to establish a FooService. That implies we'll have to repeat that reasoning every time a FooService is required.

Dependency Injection is a built-in feature of ASP.NET 5 MVC 6. As a result, you may indicate the dependence in the constructor. The ASP.NET 5 framework would then submit it on our behalf.


Incorrect usage of the Var keyword

The misuse and abuse of the var keyword is a common and fundamental problem. The true function of var is to allow us to declare a local variable when you don't know what type it is. This is frequently the case with anonymous types because you don't know what the type name is until compile time.

Nonetheless, some programmers use var every time they define a variable. The type name in a local variable declaration adds another layer of description:

// let's say you have a static method called GetProducts()
// that returns System.Data.DataTable
var products = GetProducts(ModelTypes.Subscription);

// how is it clear to the reader that I can do this?
return products.Compute("MAX(Price)", String.Empty);
Enter fullscreen mode Exit fullscreen mode

3 Security Mistakes made in ASP.NET 💻

Storing Secrets inside Web.config

This stems from the desire to save time by storing cryptographic keys in a web.config file. Here's an example:

<appSettings>
<add key="AWS" value="someSecret" />
<add key="Database" value="someKey" />
</appSettings>
Enter fullscreen mode Exit fullscreen mode

You should never keep secrets in a web.config file. Therefore, you must redirect the code to a protected file, as seen below:

<appSettings file="Web.SECRETS.config">
<add key="Database" value="someSecret" />
</appSettings>
Enter fullscreen mode Exit fullscreen mode

Request with Potentially Dangerous Consequences.Form Value

By default, we'll get an error because ASP.NET MVC prevents this sort of code from being sent to the server in order to prevent Cross Site Scripting (XSS) attacks. Here's a fix for an issue that occurs when you try to transmit HTML code to a server.

As demonstrated below, you may deactivate ASP.NET MVC validation for a specific field by using the AllowHtml attribute for the model class.

public class ProductModel
{
    [Display(Name = "Description:")]
    [AllowHtml]
    public string Description { get; set; }
}
Enter fullscreen mode Exit fullscreen mode

Not using to the client an XSRF token

Cross-site request forgeries are prevented via XRSF tokens. You must utilize them whenever the browser can implicitly authenticate the user. This covers programs that use Windows authentication or use automated authentication using cookies.

Let's see an example:

[Route("api/[controller]")]
public class SecurityController : Controller
{
    private readonly IAntiforgery _antiforgery;

    public SecurityController(IAntiforgery antiforgery)
    {
        _antiforgery = antiforgery;
    }

   [HttpGet]
    public IActionResult Get()
    {
        var tokens = _antiforgery.GetAndStoreTokens(HttpContext);

        return new ObjectResult(new {
            token = tokens.RequestToken,
            tokenName = tokens.HeaderName
        });
    }
}
Enter fullscreen mode Exit fullscreen mode

ASP.NET is a web development framework that can be either open-source or commercial. ASP.NET is used to create web pages, web applications, and XML Web Services.

Security is a major issue for many of the ASP.NET applications today because of the common vulnerabilities of SQL injection and Cross-site scripting (XSS).

Although it is difficult for a developer to make an error-free software product, these common security errors mentioned above can be easily avoided when developing ASP.NET applications.

Discussion (1)

Collapse
sharpninja profile image
The Sharp Ninja

I don't understand how any dotnet developer ever allows sql injection. From day 1, ADO.Net has supported parameterized queries. There is never, ever, an excuse to place a value into a Sql string.