To accompany WebsiteSpark (do MS have an internal app called SparkSpark which creates these programmes?) seven Web Application Toolkits have been released. Dinis Cruz asked on twitter if anyone had some spare time to look at them from a security perspective. I was bored, and needed a break from editing the book (that’s right folks it’s nearly done), so I thought I’d download one. I chose the FAQ toolkit (because I need to do something with the securingasp.net domain at some point).
Fired up Visual Studio, took a quick look at the code.
- It’s ASP.NET MVC based.
- Appropriate use of HTML Encoding for both text and attributes. Some things aren’t encoded like dates from the data model, which aren’t strictly necessary, but encoding everything does no harm and should be standard practice.
- It uses Linq2SQL – side note “Dear EF team, No-one likes you. You smell funny”
- When creating a list screen the FAQ answers will get chopped to the first X characters. Tags that get caught in this aren’t closed, so you could end up with half an <a href= and the bits of the page won’t be displayed.
- No role based security.
- You can vote on items multiple times as you can’t register an ordinary user.
- No CSRF protection on any forms.
- Admin users can create any response they want – no stripping of bad or unsafe HTML. Which wouldn’t be so bad, you would hopefully trust your admin users …
- The admin login page has a link to register a user. Which creates a new user. And as there is no role based security the new user is … an administrator.
Now reading the announcement for the templates perhaps MS view these things as plugins to your existing site, so you could make the argument that the people that use them already have security configured and know how to think about it. That’s great for you if you;re one of those people, but samples get examined and used by people who want to learn and by people that don’t want to learn at all and just want something that works, people who don’t know security. Worse still is the assumption by a lot of people that samples that from Microsoft are “the right way to do things”. Even out of work hours projects by Microsoft stuff get labelled like this as Rob Conery found out with his MVC Store Front series and the Oxite team also discovered. However it appears that the Web Application Toolkits are official projects.
Now maybe the other toolkits are better, maybe I’m being as unfair to that team as the ALT.NET folks were to Rob and the Oxite folks, but wearing my security hat I think this is pretty damned poor. I’ve only spent 10 minutes looking, I’m scared to do any in depth analysis now.
(Oh and if you’re in the UK and interested in WebsiteSpark remember you need to be nominated, so talk to Phil Winstanley, as Pixel Programming is a WebsiteSpark partner as well as being a BizSpark Partner).