Microsoft Interview Question
Software Engineer / Developers

Take a step back and perform threat modelling for the web application to find out the threats/attack surface/end points. Then, start by mitigating risks with each input source, e.g.:
User Input:
- Bounds checking.
- Output encoding to avoid XSS.
- Never use blacklist to prevent XSS.
- Never trust session identifiers from user, treat them as any other input from the user and perform validation on the session identifiers.
- Update the session identifier on user state change to prevent session fixation.
- Perform query string filtering to avoid XSS.
- Use nonce in all the web pages generated by the web server to avoid CSRF.
- Always check the HTTP Referer header to make decisions about valid and forged requests.
- Set session cookies in a secure manner [isSecure, httpOnly, isSession]
- Always use no-cache, no-store META information for pages which shouldn't be cached by browser.
- Use an ORM or parameterized queries to avoid blind SQL injection.
- Use custom exception handling for SQL errors to prevent information leakage.
The list is just a start and there are many more considerations to security.
Always use parameterized queries to avoid SQL injection.
- jagdish December 16, 2011
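The following block is an added example, not code from the original post or from its author; it sketches several of the mitigations listed above with the Python standard library only. The names (SessionStore, csrf_ok, lookup_user_safe, run_query), the expected origin https://app.example, the SameSite attribute on the cookie (which postdates the 2011 post) and the sample user rows are all assumptions made for this example. It shows an allowlist validator instead of a blacklist, HTML output encoding, a session store that validates session ids as untrusted input and rotates them on login, a per-session CSRF nonce compared in constant time, cookie flags, a Referer origin check, and the same lookup written with string concatenation and with a bound parameter, plus a query wrapper that never returns the driver's error text to the client.

```python
"""Added example (not from the original post): stdlib-only sketches of the
mitigations in the list above. Function and class names are assumptions."""
import hmac, html, re, secrets, sqlite3
from urllib.parse import urlsplit

# --- User input: allowlist validation and bounds checking -------------------
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # allowlist, not a blacklist

def valid_username(s):
    return isinstance(s, str) and USERNAME_RE.match(s) is not None

def parse_quantity(s, lo=1, hi=100):
    # reject anything that is not an integer inside the expected bounds
    try:
        n = int(s)
    except (TypeError, ValueError):
        return None
    return n if lo <= n <= hi else None

# --- Output encoding for an HTML body context --------------------------------
def render_greeting(name):
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

# --- Sessions: validate ids, regenerate on login, per-session CSRF nonce -----
class SessionStore:
    ID_LEN = 43   # secrets.token_urlsafe(32) always yields 43 characters

    def __init__(self):
        self._sessions = {}   # session id -> per-session state

    def create(self):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None, "csrf": secrets.token_hex(32)}
        return sid

    def is_valid(self, sid):
        # the cookie value is untrusted input: check its shape, then that the
        # server actually issued it
        return (isinstance(sid, str) and len(sid) == self.ID_LEN
                and sid in self._sessions)

    def login(self, sid, user):
        # session fixation defence: retire the pre-auth id, issue a fresh one
        state = self._sessions.pop(sid, None) or {"user": None, "csrf": None}
        state["user"] = user
        state["csrf"] = secrets.token_hex(32)   # fresh nonce for the new session
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = state
        return new_sid

    def csrf_token(self, sid):
        return self._sessions[sid]["csrf"]     # embed this in every generated form

    def csrf_ok(self, sid, submitted):
        if not self.is_valid(sid) or not isinstance(submitted, str):
            return False
        return hmac.compare_digest(self._sessions[sid]["csrf"], submitted)

def session_cookie(sid):
    # Secure + HttpOnly, and no Expires/Max-Age so the cookie dies with the
    # browser; SameSite is a later addition not mentioned in the post
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"

def referer_ok(referer, expected_origin="https://app.example"):
    # scheme and host must match the app's own origin (assumed value above);
    # an absent or cross-site Referer fails the check
    if not referer:
        return False
    p = urlsplit(referer)
    return f"{p.scheme}://{p.netloc}" == expected_origin

# --- SQL: parameterized queries and generic error responses ------------------
def demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "h1"), ("bob", "h2")])   # constructed sample rows
    return conn

def lookup_user_unsafe(conn, name):
    # string concatenation: name = "' OR '1'='1" returns every row
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def lookup_user_safe(conn, name):
    # bound parameter: the same payload is matched literally and returns nothing
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def run_query(conn, sql, params=()):
    # custom exception handling: the client gets a generic message, the
    # driver's own error text goes to the server log only
    try:
        return "ok", conn.execute(sql, params).fetchall()
    except sqlite3.Error as e:
        print("db error (server log only):", e)
        return "error", "Request failed"
```

A note on the Referer check: the example treats it as one signal alongside the per-session nonce rather than the sole decision, since browsers and proxies can strip the header; the nonce check in csrf_ok is the one that must pass.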