MVC 5 security measures


I am developing an MVC 5 internet application and have some questions in relation to security.

What security measures do I need to manually implement to ensure that my internet application is secure?

This is what I have so far:

  • [ValidateAntiForgeryToken] attributes on each HttpPost function
  • Sanitizer.GetSafeHtml function on a model attribute that has HTML data
  • Identity 2.1 for authentication and authorization

Thanks in advance.

UPDATE

The application is a simple MVC internet application with a web service hosted on Azure. I am using Entity Framework 6, Web API 2.0 and MVC 5. What relevant information can I give you?

vtortola

That would cover you for XSRF and Stored XSS. You should also check for:

  • DOM XSS in JavaScript (when modifying the DOM using data from the query string, for example).
  • JSON hijacking
  • code injection (SQL injection if you are using a SQL DB for example)
  • enforce HTTPS for login (both login form and login post)
  • ... etc ...

The most common vulnerabilities are not technical bugs; for example, you should:

  • Reduce the data you trust from the client. For example, if you have a shopping cart, it may look like a good idea to put the price as a hidden field in the buying form, so the server does not need to go to the DB to get the price for that product, but then the user may tamper with the form and buy at $0, or even -$100.

  • Check that the user cannot fool multi-step forms, for example by ordering products without going through the payment page.

  • Check that, if your application returns files by name, the user cannot do something like http://example.com/Home/GetFile?filename=..\..\Web.config.

  • Check that you are enforcing authorization BESIDES authentication. For example, user 123 may be authenticated, but not authorized to check user 456's profile.

  • ... etc ...

The best thing to do is check the OWASP page: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
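Two of the checks in this answer, the GetFile traversal case and "authorization besides authentication", worked through in an MVC 5 controller. This is an added example, not code from the question or the answer; the ~/Files folder and the Profile action are assumed placeholders.

```csharp
using System;
using System.IO;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class HomeController : Controller
{
    // UNSAFE (the case from the answer): the name is used as-is, so a request for
    // ..\..\Web.config walks out of ~/Files (assumed folder) and serves the config.
    public ActionResult GetFileUnsafe(string filename)
    {
        return File(Server.MapPath("~/Files/" + filename), "application/octet-stream", filename);
    }

    // Hardened: canonicalise the requested path and require it to stay inside
    // the base folder; traversal and rooted paths fail the check and get a 404.
    public ActionResult GetFile(string filename)
    {
        if (string.IsNullOrEmpty(filename)
            || filename.IndexOfAny(Path.GetInvalidPathChars()) >= 0)
            return new HttpStatusCodeResult(400);

        // Trailing separator so "C:\app\Files" does not match "C:\app\FilesBackup\x".
        string baseDir = Path.GetFullPath(Server.MapPath("~/Files"))
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        // GetFullPath resolves "..", "." and mixed separators before the comparison;
        // a rooted filename makes Path.Combine return it unchanged, so it fails too.
        string full = Path.GetFullPath(Path.Combine(baseDir, filename));

        if (!full.StartsWith(baseDir, StringComparison.OrdinalIgnoreCase)
            || !System.IO.File.Exists(full))
            return HttpNotFound();

        return File(full, "application/octet-stream", Path.GetFileName(full));
    }

    // Authorization besides authentication (the user 123 / user 456 case):
    // [Authorize] only proves the caller is signed in; the action must still
    // check that this caller may see profile "id".
    [Authorize]
    public ActionResult Profile(string id)
    {
        // Identity 2.1: GetUserId() returns the signed-in user's id as a string.
        if (!string.Equals(id, User.Identity.GetUserId(), StringComparison.Ordinal))
            return new HttpStatusCodeResult(403);
        return View(); // render the caller's own profile (loading omitted)
    }
}
```

The same ownership comparison belongs in any action that takes an id from the route or query string, not only Profile.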