Article ID: 867600
This article contains comments, corrections, and information about known errors relating to the Microsoft Patterns & Practices book Improving Web Application Security: Threats and Countermeasures, ISBN 0-7356-1842-9
The web version of the book is updated as errors are found, so many or all of the errors listed below may already be corrected in the web version of the book on MSDN.
The following topics are covered:
Page 273, Chapter 10: Building Secure ASP.NET Pages and Controls, Section: Data-Bound Controls, Complete Section
Data-bound Web controls do not encode output. The only control that encodes output is the TextBox control when its TextMode property is set to MultiLine. If you bind any other control to data that has malicious XSS code, the code will be executed on the client. As a result, if you retrieve data from a database and you cannot be certain that the data is valid (perhaps because it is a database that is shared with other applications), encode the data before you pass it back to the client.
Data-bound controls are Web controls that can be bound to a data component through a public inherited DataSource property; DataGrid, ListBox and DropDownList are among the most commonly used. Not all data-bound controls encode the data they display from a bound data component, so it is your responsibility to encode output from any data component you do not trust in order to prevent XSS attacks. For example, a data component cannot be trusted when several applications share a single database: if an attacker can insert malicious script into the database (by exploiting a vulnerability in one of those applications, for instance), every application that binds a non-encoding Web control to that data becomes vulnerable. Skip encoding only if you can be certain that the output from the data component will always be valid.
Examples of data-bound controls that do not encode output are DataGrid, DataList, RadioButtonList and CheckBoxList. How you encode the output of a data-bound control depends on the specific control. For example, for a DataGrid control, you have the following options:
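One way to encode DataGrid output, shown here as an added example that is not text or code from the book or from this article, is to handle the grid's ItemDataBound event and HTML-encode every bound cell before the grid renders. The page class, grid name, table and field names are assumptions made for the example; the sample rows are constructed and stand in for data read from a shared database.

```csharp
using System;
using System.Data;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Code-behind for a page that declares (names assumed for this example):
//   <asp:DataGrid id="ProductsGrid" runat="server" AutoGenerateColumns="true" />
public class ProductsPage : Page
{
    protected DataGrid ProductsGrid;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        ProductsGrid.ItemDataBound += new DataGridItemEventHandler(ProductsGrid_ItemDataBound);
    }

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (!IsPostBack)
        {
            ProductsGrid.DataSource = LoadProducts();
            ProductsGrid.DataBind();
        }
    }

    // Constructed sample data standing in for a table in a shared database.
    // The second row carries the kind of payload another application writing
    // to the same table could have stored; the third row tests the null case.
    private static DataTable LoadProducts()
    {
        DataTable table = new DataTable("Products");
        table.Columns.Add("Name", typeof(string));
        table.Columns.Add("Notes", typeof(string));
        table.Rows.Add(new object[] { "Widget", "Plain description" });
        table.Rows.Add(new object[] { "Gadget", "<script>alert(document.cookie)</script>" });
        table.Rows.Add(new object[] { "Gizmo", null });
        return table;
    }

    // Auto-generated columns and BoundColumn write the field value into the
    // cell verbatim. ItemDataBound is raised after the item has been bound, so
    // the cell text is already populated and can be encoded before rendering.
    private void ProductsGrid_ItemDataBound(object sender, DataGridItemEventArgs e)
    {
        ListItemType type = e.Item.ItemType;
        if (type != ListItemType.Item
            && type != ListItemType.AlternatingItem
            && type != ListItemType.SelectedItem)
        {
            return; // header, footer and pager rows carry no bound data
        }

        foreach (TableCell cell in e.Item.Cells)
        {
            // BoundColumn substitutes "&nbsp;" for null or empty values so the
            // cell keeps its border; encoding it would display the literal text.
            if (cell.Text == "&nbsp;")
            {
                continue;
            }
            cell.Text = HttpUtility.HtmlEncode(cell.Text);
        }
    }
}
```

Two caveats apply. The handler only protects cells whose content lives in the cell's Text property; a TemplateColumn places child controls in the cell and leaves Text empty, so each template must encode its own data binding (for example by wrapping the DataBinder.Eval expression in HttpUtility.HtmlEncode). And the encoding must happen exactly once: if the data layer already encodes values before storing them, encoding again here will show escaped entities to the user.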
Page 441, Chapter 16: Securing Your Web Server, Section: Disable NetBIOS and SMB
The following note is added:
Note: Test your changes before implementing them in production. Disabling file sharing or NetBIOS can negatively affect manageability in your scenario. For example, IIS uses the NetUserChangePassword API, which depends on NetBIOS; if you permit users to change passwords through IIS, that feature will no longer work after NetBIOS is disabled.