Let's start with the most critical application weaknesses.
These challenges get you the foundations of
1: Injection Flaws and
2: Broken Authentication vulnerabilities
1.LdapFilterEncode
var sAMAccountName =
Microsoft.Security.Application.Encoder.LdapFilterEncode(username);
searcher.Filter = string.Format("(sAMAccountName={0})", sAMAccountName);
c# - LDAP Filter Encoder Replacement - Stack Overflow
I was looking for the answer to this and came across your question. I found it here, it has been moved to a Nuget package here: https://www.nuget.org/packages/AntiXSS/ and taken out of the core framework.
According to this blog post: https://archive.codeplex.com/?p=wpl the project will continue to be updated with security updates, however the last time it was updated on Nuget was 2014.
I installed the package, the namespace you need is still:
Microsoft.Security.Application.Encoder.LdapFilterEncode(value)2.參數化sql
string query = $@"SELECT [Id], [EmailAddress], [DisplayName], [UserName] FROM {userTable} " +
"WHERE UserName = @UserName";
using (SqlCommand cmd = new SqlCommand(query))
{
cmd.Connection = connection;
connection.Open();
A query string to search for orders is created incorrectly. Also, an SQL query template is stored improperly on the server. As soon as an adversary gains access to the file system and modifies file content, the integrity of the database will be at risk of defeat. In this case, an application will load an SQL query from the modified file and perform it without any restriction.
Stored procedures should be used to store SQL queries outside the codebase. Compared to regular SQL queries, they have an advantage in performance and SQL injection resistance since the parameters are encoded, if necessary. Therefore, a stored procedure is used to search for orders by e-mail, and the
SqlParameterCollection class is used to include a search option. So, any attempt to inject SQL injection will fail.