Potential Security Issues

Mar 8, 2008 at 3:14 PM
I thought I'd start a thread for people to post potential and active security issues with the My Web Pages Starter Kit.

It might be helpful to post the version number of the starter kit you are using as well.
Mar 8, 2008 at 3:15 PM
Edited Mar 8, 2008 at 3:15 PM

validateRequest=false


Just to make people aware really. The default request validation provided by .NET is disabled in the "My Web Pages Starter Kit"... erk! You'll notice it says "validateRequest=false" at the top of your .aspx pages in the root directory.

That's not a problem if you leave the code for this project as is, but if you modify it / make your own controls that accept user input, you MUST make sure you check the input for script attacks (or at least HTML-encode any input for later storage); otherwise you may be leaving your site open to various malicious scripting attacks.

More info for those who need it: http://www.asp.net/learn/whitepapers/request-validation/

Owen.
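
As an added illustration of the advice in the post above (not code from the starter kit or from the poster): code-behind for a user control that accepts text on a page where request validation is off, and HTML-encodes it before storing or echoing it. The control name, control IDs, length limit and App_Data path are assumptions made for the example.

```csharp
// Added example; CommentBox, txtComment, btnSave, litPreview and the
// App_Data path are hypothetical names, not part of the starter kit.
using System;
using System.IO;
using System.Web;
using System.Web.UI;

public partial class CommentBox : UserControl
{
    // Assumed markup in CommentBox.ascx:
    //   <asp:TextBox ID="txtComment" runat="server" TextMode="MultiLine" />
    //   <asp:Button ID="btnSave" runat="server" Text="Save" OnClick="btnSave_Click" />
    //   <asp:Literal ID="litPreview" runat="server" />
    private const int MaxLength = 2000;

    protected void btnSave_Click(object sender, EventArgs e)
    {
        string raw = (txtComment.Text ?? string.Empty).Trim();
        if (raw.Length == 0 || raw.Length > MaxLength)
        {
            litPreview.Text = "Comment must be between 1 and 2000 characters.";
            return;
        }

        // Unsafe with validateRequest="false": the hosting page no longer
        // rejects input such as "<script>", so this would echo markup as-is.
        //   litPreview.Text = raw;

        // Encode once, before storage: < > & " become &lt; &gt; &amp; &quot;
        string encoded = HttpUtility.HtmlEncode(raw);

        // One record per line; the <br /> is added by us after encoding.
        // The file holds encoded text, so readers must not encode it again
        // on output (that would display "&lt;" literally).
        string record = encoded.Replace("\r", "").Replace("\n", "<br />");
        string path = Server.MapPath("~/App_Data/comments.txt");
        File.AppendAllText(path, record + Environment.NewLine);

        // Safe to place in HTML element content.
        litPreview.Text = encoded;
    }
}
```

Pages that never need to accept markup can also turn the built-in check back on by setting `ValidateRequest="true"` in their own `@ Page` directive.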
Mar 8, 2008 at 3:23 PM
Edited Mar 8, 2008 at 3:24 PM
.