Reputation: 8941
C# Security Risks
I am developing a small C# application, that acts as a handler for a certain web-protocol (myprotocol://blafoobar). Thus whenever the user clicks on such a web link, the handler is invoked by Windows. It then parses the URI and performs certain actions.
This of could of course be a security risk. One possible attack vector would be, that an attacker provides a malicious link to the user: "myprotocol://someevilstuff". Then the parsing of the URI would cause my application to expose some unexpected behavior, due to buffer overflows etc. (<- I'm no expert on this).
So I have a bunch of questions:
- Is C# in general more robust against buffer overflows etc. (since e.g. array bounds are always checked)?
- Is the C# string class rather safe (splitting etc.)?
- Is there some general advice what I should look out for/avoid?
Upvotes: 3
Views: 481
Answers (1)
Reputation: 62101
Is C# in general more robust against buffer overflows
It is, AS IS GOOD WRITTEN C# code - basically you MUST check allocated memory all the time. That said, unless your app explicitly violates trust boundaries (unsafe code, calls into native libraries) you are QUITE safe. 100% is not likely, but a lot of people work on fixing every bug there.
Is the C# string class rather safe (splitting etc.)?
Yes.
Is there some general advice what I should look out for/avoid?
Not really on a technical level. On a logical level - make the possible attack vector as small as possible, i.e. do not JUST delete things etc. and validate the input makes sense.
Upvotes: 4
Related Questions
- Unsafe code in C#
- How i can secure c# program
- Security vulnerabilities of the .NET platform?
- Safe vs Unsafe code
- Any coding security issues specific to C#?
- .NET security of objects in memory
- .net Assembly security question
- Code Access Security - Basics and Example
- Code Access Security problem - what's the issue here?
- Interesting Security Question for .net developers