[1/8] Become a Full Stack .NET Developer: Preventing Common Web Application Vulnerabilities
In this module the focus became more theory heavy: we discussed the three most common web application security vulnerabilities that every web developer should be aware of. We then examined whether any of them were present in how we had implemented our GigHub application so far, so that we could correct them where necessary.
The three security vulnerabilities discussed were:
SQL Injection - Allows an attacker to execute malicious SQL statements in your application. This occurs when SQL statements are built at runtime by concatenating user input into the query text. The solution is to use parameterized queries instead of string concatenation, so that input is always passed as data and never as part of the SQL. In the context of GigHub, we fortunately do not have this vulnerability: thanks to Entity Framework we are not hand-building SQL statements from user input, as the queries EF generates for us are parameterized. The one caveat is that this protection only holds as long as we stay with LINQ queries; if we ever drop down to raw SQL through EF and concatenate input into it, we would reintroduce the problem.
XSS - Cross Site Scripting allows an attacker to execute malicious script in the victim's browser, for example to steal their cookies or hijack their user session. This is done by inserting malicious JavaScript into a reputable website or forum. The way to prevent this is to HTML-encode any user-supplied content before rendering it (so characters such as < and > become &lt; and &gt;), which tells the browser to treat any embedded JavaScript, including <script> tags, as text and not executable code. In the context of GigHub, we fortunately do not have this vulnerability: Razor views (within ASP.NET) automatically HTML-encode everything rendered with the @ syntax, so this protection is included without us needing to worry about it. The only way to lose it is to bypass the encoding deliberately with Html.Raw(), which we are not doing.
CSRF - A Cross Site Request Forgery allows an attacker to perform actions on behalf of a user without their knowledge. Unlike XSS, which exploits the trust a user has in a particular site, CSRF exploits the trust that a site has in a user's browser, since the browser sends the user's session cookie with any request to that site, wherever the request originated. In the context of GigHub, CSRF is possible: an attacker could use this technique to create fake gigs on behalf of a logged-in artist without their knowledge. The implementation to prevent CSRF is already there in ASP.NET MVC; we just need to call the @Html.AntiForgeryToken() helper inside our forms and then decorate the target POST action with the [ValidateAntiForgeryToken] attribute. The helper emits a hidden token field that is tied to a cookie, and the attribute rejects any POST where the two do not match, which a forged request from another site cannot satisfy.
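As an added example (not the course's own GigHub code), here is what the CSRF fix looks like end to end in an ASP.NET MVC 5 controller, with the matching Razor form shown in a comment; the names GigsController, GigFormViewModel, Gig and ApplicationDbContext are assumptions.

```csharp
// Added example, not the course's GigHub code: the anti-forgery token on the
// form plus the validating attribute on the POST action. Class and property
// names here (GigsController, GigFormViewModel, Gig, ApplicationDbContext)
// are assumptions for illustration.
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class GigsController : Controller
{
    private readonly ApplicationDbContext _context = new ApplicationDbContext();

    // GET /Gigs/Create renders the form. The Razor view
    // (Views/Gigs/Create.cshtml) must emit the token inside the form:
    //
    //   @using (Html.BeginForm("Create", "Gigs"))
    //   {
    //       @Html.AntiForgeryToken()
    //       @Html.EditorFor(m => m.Venue)
    //       <button type="submit">Save</button>
    //   }
    //
    // AntiForgeryToken() writes a hidden __RequestVerificationToken input and
    // sets a cookie of the same name; the two values are cryptographically
    // paired, and a page on another origin can neither read the cookie nor
    // produce a matching hidden field.
    [Authorize]
    public ActionResult Create()
    {
        return View(new GigFormViewModel());
    }

    // POST /Gigs/Create. Without [ValidateAntiForgeryToken] any site that gets
    // the victim's browser to submit a form here would create a gig as them.
    // With it, MVC compares the hidden field against the cookie before the
    // action body runs and throws HttpAntiForgeryException on a mismatch.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(GigFormViewModel viewModel)
    {
        if (!ModelState.IsValid)
            return View(viewModel);

        var gig = new Gig
        {
            ArtistId = User.Identity.GetUserId(), // never trust an id from the form
            Venue = viewModel.Venue
        };
        _context.Gigs.Add(gig);
        _context.SaveChanges();
        return RedirectToAction("Index", "Home");
    }
}
```

A quick check that the protection is active is to submit the form with the hidden __RequestVerificationToken field removed; the request should fail before the action runs.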