Benutzer:MovGP0/ASP.NET Core/XSS

MovGP0

Über mich

Hilfen

Artikel

Weblinks

Literatur

Zitate

Notizen

Programmierung

MSCert

Physik

Programmierung ASP.NET Common OWIN • Razor • WebForms • MVC • WebAPI Core Configuration • Data Protection API • Dependency Injection • Routing Attack Vectors HTTPS • HSTS • HPKP • CSP • CSRF • Anti-XSS • CORS • Open Redirection • Click-Jacking Libraries OpenID • Azure AD

Prevent Cross-Site Scripting

• All inputs must be escaped. Be careful to not render user input as HTML.

XSRF Token Storage Options

	JS Client	Browser
Header	Authorization: Bearer <JWT>	Cookie: token=<JWT>
Transmission	manual coding; works with any CORS domain	automatically sent; not possible across domains
Storage	web storage: accessible only from current subdomain; 5MB limit cookie storage: accessible from subdomains; 4kB limit other options that are available to JavaScript	cookie storage only
MITM	TLS must be managed by code	secure cookie flag forces TLS
XSS	manual coding effort	implicit with HttpOnly cookie flag to prevent JS access
CSRF	—	manual coding effort (double sumit cookie)

Quellen

• Preventing Cross-Site Scripting. In: ASP.NET Core Docs. Microsoft, 14. Oktober 2016, abgerufen am 12. Mai 2017 (englisch). 
• Stefan Achtsnit: Securing Single Page Applications with Token Based Authentication. In: YouTube. WeAreDevelopers, abgerufen am 12. Mai 2017 (englisch). 

|}