Microsoft release seven Web Application Toolkits (and a security problem)

To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point).

Fired up Visual Studio, took a quick look at the code.

Nice surprises

It’s ASP.NET MVC based.
Appropriate use of HTML Encoding for both text and attributes. Some things aren’t encoded like dates from the data model, which aren’t strictly necessary, but encoding everything does no harm and should be standard practice.

Amusing surprises

It uses Linq2SQL – side note “Dear EF team, No-one likes you. You smell funny”

Silly surprises

When creating a list screen the FAQ answers will get chopped to the first X characters. Tags that get caught in this aren’t closed, so you could end up with half an <a href= and the bits of the page won’t be displayed.

Bad surprises.

No role based security.
You can vote on items multiple times as you can’t register an ordinary user.
No CSRF protection on any forms.
Admin users can create any response they want – no stripping of bad or unsafe HTML. Which wouldn’t be so bad, you would hopefully trust your admin users …
The admin login page has a link to register a user. Which creates a new user. And as there is no role based security the new user is … an administrator.

Oh dear.

Now reading the announcement for the templates perhaps MS view these things as plugins to your existing site, so you could make the argument that the people that use them already have security configured and know how to think about it. That’s great for you if you;re one of those people, but samples get examined and used by people who want to learn and by people that don’t want to learn at all and just want something that works, people who don’t know security. Worse still is the assumption by a lot of people that samples that from Microsoft are “the right way to do things”. Even out of work hours projects by Microsoft stuff get labelled like this as Rob Conery found out with his MVC Store Front series and the Oxite team also discovered. However it appears that the Web Application Toolkits are official projects.

Now maybe the other toolkits are better, maybe I’m being as unfair to that team as the ALT.NET folks were to Rob and the Oxite folks, but wearing my security hat I think this is pretty damned poor. I’ve only spent 10 minutes looking, I’m scared to do any in depth analysis now.

(Oh and if you’re in the UK and interested in WebsiteSpark remember you need to be nominated, so talk to Phil Winstanley, as Pixel Programming is a WebsiteSpark partner as well as being a BizSpark Partner).

Technorati Tags: Web Application Toolkits,ASP.NET,ASP.NET MVC

Saturday, September 26, 2009 11:09 AM

Your Reply.

Comment Form.

Fields denoted with a "*" are required.

*Your name:

*Subject:

You may also like to leave your email or website.

*Your message:

Please add 8 and 1 and type the answer here:

Enter the code shown above:

Jump Menu

So what are all these buttons for?

Personalize

Text Size

Layout

Navigation Position

idunno.org

now with extra subtext goodness

Microsoft release seven Web Application Toolkits (and a security problem)

Your Comments.

Your Reply.

Preview Your Comment.

Buy My Book

News

Tag Cloud

Article Categories

Archives

Post Categories

Syndicate

Shiny Badge Things