In the course of writing the Expert Skills course, I’ve recently written lessons about SQL injection and cross-site scripting attacks. What struck me when writing these lessons is just how secure ASP.NET is.
It’s extremely difficult to make an ASP.NET web application vulnerable to cross-site scripting attacks. A developer would have to manually disable ASP.NET’s security features before an attack would even be remotely possible. Even then, most of ASP.NET’s controls will automatically filter out any attempt at cross-site scripting.
SQL injection attacks present a slightly greater risk, as it’s still possible to create a vulnerable application if you send SQL code directly to the database. Standard LINQ, however, provides complete immunity to SQL injection.
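The contrast described above, as an added example that is not from the original post or the course: a command built by string concatenation beside the parameterized form, compared without opening a database connection. The `Customer` table, its columns and the sample input are constructed for illustration, and `System.Data.SqlClient` is assumed to be available.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerQueries
{
    // Vulnerable: the input becomes part of the SQL text itself.
    public static SqlCommand BuildConcatenated(string name)
    {
        return new SqlCommand(
            "SELECT CustomerID, Email FROM Customer WHERE Name = '" + name + "'");
    }

    // Hardened: the SQL text is constant and the input travels as a typed
    // parameter, which is also how LINQ to SQL and Entity Framework send the
    // values used in a LINQ query.
    public static SqlCommand BuildParameterized(string name)
    {
        var cmd = new SqlCommand(
            "SELECT CustomerID, Email FROM Customer WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input containing quote characters.
        string input = "x' OR '1'='1";

        SqlCommand bad = BuildConcatenated(input);
        SqlCommand good = BuildParameterized(input);

        // No connection is opened; only the text that would be sent is compared.
        Console.WriteLine("Concatenated : " + bad.CommandText);
        Console.WriteLine("Parameterized: " + good.CommandText);
        Console.WriteLine("  @name = " + good.Parameters["@name"].Value);

        // The input rewrote the WHERE clause in the first case only.
        Console.WriteLine("Input reached SQL text (concatenated):  "
            + bad.CommandText.Contains("OR '1'='1'"));
        Console.WriteLine("Input reached SQL text (parameterized): "
            + good.CommandText.Contains(input));
    }
}
```

In code review, any `SqlCommand` whose text is assembled with `+` or `string.Format` from request data is the pattern to flag.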
It really is impressive how ASP.NET protects your applications from the most dangerous forms of attack, even when using its most basic features.