ASP.NET MVC security checklist

February 7, 2010 19:43

There are tons of good papers[1] and a bunch of questions on StackOverflow[2] about designing and developing for security, but all of them seem to concentrate on what you should do.

However, recently I was after something different: a "visit a page, try this and that" kind of thing, you know. A list of simple actions one should go through once development is done, to make sure the solution is secure.

Here's something I've come up with so far:

Security Blackbox Checklist.

  • Submit incorrect/malicious data to make sure that input is validated for type, length, format and range by JavaScript.

  • Turn off client-side validation and repeat the step above, to make sure that (a) you also validate on the server, (b) input is validated on the server for type, length, format, and range, (c) free form input is sanitized, (d) output that includes input is encoded with HtmlEncode and UrlEncode.

  • Insert an extremely large amount of data in the query string to make sure you constrain inputs and do boundary checks.

  • Visit a POST action via GET, to make sure that "form submit" actions are restricted to be POST-only.

  • If applicable, upload a file of incorrect size/format (huge file, empty file, executable with renamed extension, etc) to make sure uploads are handled gracefully.

  • Access the URL as a user without correct permissions, to make sure permissions are explicitly tested via action/controller attributes.

  • Access the URL providing non-existing details (like non-existing product ids, items you don't have access to, etc) to make sure a correct error (404 or 403 etc) is returned.

  • Access the sensitive page via HTTP, to make sure it's available via HTTPS only.

Security Whitebox Checklist.

  • In debug mode, break the code so that it throws an exception, to make sure it fails securely. Make sure you catch exceptions and log detailed messages but do not leak information to the client.

  • Make sure MVC actions are restricted to POST or GET only, to a particular user role, etc.

  • Ensure that absolute URLs are used for navigation.

  • Make sure POST actions are accompanied with [ValidateAntiForgeryToken] attribute to prevent XSRF attacks.

  • Make sure Response.Write (either directly or indirectly) is never used to display user input.

  • Make sure sensitive data is not passed in query strings or form fields.

  • Make sure your security decisions do not rely on HTTP headers info.

  • Make sure you don't leak security information in robots.txt.
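Assembled here as an added example (not code from the original post): a controller that satisfies the POST-only, anti-forgery, explicit-role and server-side validation items above, plus the 404-for-unknown-ids and HTTPS-only checks from the blackbox list. `ReviewInput`, `IReviewRepository` and `ReviewController` are constructed names; `Controller.HttpNotFound()` assumes ASP.NET MVC 3 or later.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Constructed view model: type/length/range constraints enforced on the server,
// so they still hold when client-side JavaScript validation is switched off.
public class ReviewInput
{
    [Required, StringLength(100)]
    public string Title { get; set; }

    [Required, StringLength(2000)]
    public string Body { get; set; }

    [Range(1, 5)]
    public int Rating { get; set; }
}

// Constructed repository interface; the data access behind it is out of scope.
public interface IReviewRepository
{
    bool ProductExists(int productId);
    void Add(int productId, string userName, ReviewInput input);
}

[Authorize]        // every action requires an authenticated user
[RequireHttps]     // plain HTTP requests are redirected; the page is HTTPS only
public class ReviewController : Controller
{
    private readonly IReviewRepository _repo;
    public ReviewController(IReviewRepository repo) { _repo = repo; }

    [HttpGet]
    public ActionResult Create(int productId)
    {
        // Unknown id -> a deliberate 404, not an exception page that leaks details.
        if (!_repo.ProductExists(productId)) return HttpNotFound();
        return View(new ReviewInput());
    }

    [HttpPost]                        // visiting this URL via GET finds no matching action
    [ValidateAntiForgeryToken]        // form must carry the token from Html.AntiForgeryToken()
    [Authorize(Roles = "Customer")]   // role tested on the action itself, not inferred from headers
    public ActionResult Create(int productId, ReviewInput input)
    {
        if (!_repo.ProductExists(productId)) return HttpNotFound();
        if (!ModelState.IsValid) return View(input);   // server-side validation failed: redisplay form
        _repo.Add(productId, User.Identity.Name, input);
        return RedirectToAction("Details", "Product", new { id = productId });
    }
}
```

The matching view renders the form inside `Html.BeginForm()` with `Html.AntiForgeryToken()`, and echoes any user input through `Html.Encode` (or the `<%: %>` syntax) rather than `Response.Write`, which covers items (c) and (d) of the blackbox list.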

Comments? Corrections? Missing steps?

  1. Check out Improving Web Application Security or Developer Highway Code ebooks from Microsoft.
  2. Well, check out 'em all!
