ASP.NET security (2): QueryString, session, events

1. When using the query string, do not use an auto-incrementing value as the reference, as in

  ?XXX=001, ?XXX=002

  Such a sequential identifier can be changed trivially to reach objects belonging to other users.

2. A GUID does not solve this problem well on its own: the requested object still has to be checked against the current user's authorization.

3. Do not put important information in hidden fields.

4. http://www.codeplex.com/AntiCSRF : use this component to protect against CSRF.

5. .NET event validation

 Event validation is the default behavior for ASP.NET. When validation is enabled, controls that render (which excludes those controls that are not visible) will register themselves with event validation. When a postback occurs, ASP.NET looks through the registered events to discover if the control that would receive the event has been registered.

 Do not rely on event validation alone

Event validation should be part of your defense in depth strategy. However, it should not be your sole defense. Because it is up to controls to register for event validation, it is possible that a third-party control (or, indeed, one of your own custom controls) may not register for event validation.

 For dynamically rendered controls (custom controls that write their own postback HTML), register the allowed values yourself with

 ClientScriptManager.RegisterForEventValidation

 which can only be called during the render phase.
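The following is an added example, not code from the original post: a hypothetical custom Web Forms control that emits its own postback links, registers each permitted argument with RegisterForEventValidation during rendering, validates the argument with ValidateEvent on postback (built-in controls do this themselves, a custom control must do it explicitly), and still repeats its own authorization check inside the postback event. The hosting page also treats a request as a postback only when it is a real POST. The ReportPicker, ReportsPage and ReportAuthorization.ReportsFor names are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical custom control that renders one postback link per report the
// current user may open. Because it writes its own HTML instead of using a
// built-in control, ASP.NET will not register it for event validation
// unless the control does so itself while rendering.
public class ReportPicker : WebControl, IPostBackEventHandler
{
    // Report ids the current user is allowed to open; the page fills this
    // from its own authorization lookup on every request.
    public IList<string> AllowedReportIds { get; set; }

    public event EventHandler<ReportChosenEventArgs> ReportChosen;

    public ReportPicker()
    {
        AllowedReportIds = new List<string>();
    }

    protected override void RenderContents(HtmlTextWriter writer)
    {
        foreach (string id in AllowedReportIds)
        {
            // Registration is only valid during the render phase. The
            // (UniqueID, argument) pairs registered here are the only
            // __EVENTARGUMENT values ASP.NET will accept for this control.
            Page.ClientScript.RegisterForEventValidation(UniqueID, id);

            string script = Page.ClientScript.GetPostBackEventReference(this, id);
            writer.AddAttribute(HtmlTextWriterAttribute.Href, "javascript:" + script);
            writer.RenderBeginTag(HtmlTextWriterTag.A);
            writer.WriteEncodedText("Report " + id);
            writer.RenderEndTag();
            writer.WriteBreak();
        }
    }

    public void RaisePostBackEvent(string eventArgument)
    {
        // Built-in controls call ValidateEvent themselves; a custom control
        // must do it too, otherwise the registrations above are never checked.
        // ValidateEvent throws for an unregistered argument and is a no-op
        // when event validation has been disabled on the page.
        Page.ClientScript.ValidateEvent(UniqueID, eventArgument);

        // Do not rely on event validation alone: repeat the authorization
        // check inside the postback event.
        if (!AllowedReportIds.Contains(eventArgument))
            throw new UnauthorizedAccessException("report not permitted: " + eventArgument);

        EventHandler<ReportChosenEventArgs> handler = ReportChosen;
        if (handler != null)
            handler(this, new ReportChosenEventArgs(eventArgument));
    }
}

public class ReportChosenEventArgs : EventArgs
{
    public string ReportId { get; private set; }
    public ReportChosenEventArgs(string id) { ReportId = id; }
}

// Page hosting the control; the markup declares
// <my:ReportPicker ID="picker" runat="server" />.
public partial class ReportsPage : Page
{
    protected ReportPicker picker;

    protected void Page_Load(object sender, EventArgs e)
    {
        // ReportAuthorization.ReportsFor is a hypothetical lookup of the
        // reports this user may see; it runs on every request, postbacks included,
        // so RaisePostBackEvent above always checks against the current list.
        picker.AllowedReportIds = ReportAuthorization.ReportsFor(User.Identity.Name);

        // IsPostBack is also true for a GET whose query string carries
        // __VIEWSTATE or __EVENTTARGET; require a real POST as well before
        // treating the request as a postback.
        bool isRealPostBack = IsPostBack && Request.HttpMethod == "POST";
        if (!isRealPostBack)
        {
            // First view: render only, change no state here.
        }
    }
}
```

Tampering with __EVENTARGUMENT to a report id that was not rendered for this user is rejected twice: first by ValidateEvent against the registered set, then by the explicit Contains check, so the page stays safe even when event validation is switched off or the control is swapped for one that never registers.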

 

- Never change state via a GET request. The HTTP specifications state that GET requests must not change state.
- Do not use direct, sequential object references. Always use indirect object references (such as a GUID) to refer to resources on a Web server. Direct object references can be changed easily to allow attackers to access objects they should not be able to see. Check that the current user is authorized to see the object requested.
- Do not use hidden form fields to hold sensitive information, unless they are properly protected. Remember that form fields (and query strings) can be manipulated by attackers.
- Add a CSRF token to your forms. This will allow you to check that the request came from your own Web site.
- Check the Request type when checking if a request is a postback. This will protect you from ASP.NET considering query string-driven requests as potential postbacks.
- Do not disable event validation, but do not rely on it. Registering for event validation is optional for controls. Always check conditions within postback events.
- Do not rely on Request headers. Combine the steps outlined in this chapter with the validation checklist provided in Chapter 3.
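The following is an added example, not code from the original post and not the AntiCSRF component linked above: a hypothetical Web Forms page that puts the first four checklist items together. The object is addressed by an opaque GUID in the query string, the owner is checked against the authenticated identity, the hidden field holds only a per-session CSRF token (not the owner or the id), and state is changed only on a real POST whose token matches the session. The Document class, DocumentStore.Load/Save, the control ids csrfField and titleBox, and the session key name are assumptions for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical document record; DocumentStore.Load(Guid) and Save(Document)
// are assumed to exist.
public class Document
{
    public Guid Id;
    public string OwnerName;
    public string Title;
}

// Served at /Document.aspx?doc=<guid>. The markup declares a HiddenField
// "csrfField", a TextBox "titleBox" and a Button that posts the form back.
public partial class DocumentPage : Page
{
    private const string TokenKey = "__csrf_token";   // session slot (assumption)

    protected HiddenField csrfField;
    protected TextBox titleBox;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Indirect reference: an opaque GUID, not a sequential id that can be
        // walked (?doc=001, ?doc=002, ...).
        Guid docId;
        if (!Guid.TryParse(Request.QueryString["doc"], out docId))
            throw new HttpException(400, "bad document reference");

        // A GUID is unguessable, not authorized: still check that the
        // authenticated user owns the object. The owner comes from the identity,
        // never from a hidden field or query string value the client controls.
        Document doc = DocumentStore.Load(docId);
        if (doc == null || !string.Equals(doc.OwnerName, User.Identity.Name, StringComparison.Ordinal))
            throw new HttpException(404, "not found");   // same answer for "missing" and "not yours"

        if (!IsPostBack || Request.HttpMethod != "POST")
        {
            // GET (or a query-string "postback"): render only, change nothing.
            // The hidden field carries only the CSRF token.
            csrfField.Value = GetOrCreateToken();
            titleBox.Text = doc.Title;
            return;
        }

        // Real POST: require a token that matches the one bound to this session.
        if (!TokenMatches(csrfField.Value))
            throw new HttpException(403, "CSRF token missing or invalid");

        doc.Title = titleBox.Text;
        DocumentStore.Save(doc);
    }

    private string GetOrCreateToken()
    {
        string token = Session[TokenKey] as string;
        if (token == null)
        {
            byte[] raw = new byte[32];
            using (var rng = new RNGCryptoServiceProvider())
                rng.GetBytes(raw);
            token = Convert.ToBase64String(raw);
            Session[TokenKey] = token;
        }
        return token;
    }

    private bool TokenMatches(string submitted)
    {
        string expected = Session[TokenKey] as string;
        if (expected == null || string.IsNullOrEmpty(submitted))
            return false;

        // Compare every byte regardless of where the first mismatch is, so the
        // response time does not leak how much of the token was right.
        byte[] a = Encoding.UTF8.GetBytes(expected);
        byte[] b = Encoding.UTF8.GetBytes(submitted);
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

A forged request from another site cannot read the victim's session token, so its POST fails the token check; a request that merely tampers with the query string or hidden field fails the ownership check, because nothing the client sends is used to decide who owns the document.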

 

Posted 2011-03-18 14:03 by Sum_yang