AI Skill Report Card
Securing Dotnet Code
```yaml
---
name: securing-dotnet-code
description: Reviews and improves C# .NET code for security vulnerabilities and best practices. Use when analyzing code for security issues, implementing secure coding patterns, or hardening .NET applications.
---
```

# Securing .NET Code
Quick Start
```csharp
// Before: Vulnerable SQL query (user input interpolated into the SQL text)
string sql = $"SELECT * FROM Users WHERE Id = {userId}";

// After: Parameterized query (user input travels as a parameter, not as SQL)
using var command = new SqlCommand("SELECT * FROM Users WHERE Id = @UserId", connection);
command.Parameters.AddWithValue("@UserId", userId);
```
Recommendation:
Add more concrete input/output examples showing vulnerable vs. secure code patterns, especially for XSS prevention and authorization bypass scenarios
Workflow
Progress:
- Scan for injection vulnerabilities (SQL, XSS, command injection)
- Review authentication/authorization patterns
- Check input validation and sanitization
- Audit cryptographic implementations
- Verify secure configuration (connection strings, secrets)
- Test error handling for information disclosure
- Review dependencies for known vulnerabilities
Recommendation:
Include a security checklist template or framework that can be copy-pasted and customized for different types of .NET applications
Examples
Example 1: SQL Injection Fix
Input: var query = $"SELECT * FROM Products WHERE Name LIKE '%{searchTerm}%'";
Output:
```csharp
// The wildcard characters are added to the parameter value, never to the SQL text
var query = "SELECT * FROM Products WHERE Name LIKE @SearchTerm";
command.Parameters.AddWithValue("@SearchTerm", $"%{searchTerm}%");
```
Example 2: Secure Password Hashing
Input: var hashedPassword = MD5.HashData(Encoding.UTF8.GetBytes(password));
Output:
```csharp
using System.Security.Cryptography;

// 16-byte random salt, 100,000 iterations of PBKDF2-HMAC-SHA256, 32-byte derived key;
// store the salt alongside the hash so the password can be verified later
var salt = RandomNumberGenerator.GetBytes(16);
var hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, 100000, HashAlgorithmName.SHA256, 32);
```
Example 3: Input Validation
Input: Direct model binding without validation
Output:
```csharp
using System.Text.Encodings.Web;

[HttpPost]
public IActionResult UpdateUser([FromBody] UserDto user)
{
    // Reject the request if data annotations on UserDto fail
    if (!ModelState.IsValid)
        return BadRequest(ModelState);

    // HTML-encode the bio so it is rendered as text, not interpreted as markup
    user.Bio = HtmlEncoder.Default.Encode(user.Bio);
    return Ok();
}
```
Recommendation:
Expand the dependency vulnerability section with specific tools and commands (like 'dotnet list package --vulnerable') rather than just mentioning it as a bullet point
Best Practices
- Use Entity Framework parameterized queries instead of string concatenation
- Implement rate limiting with `AspNetCoreRateLimit` or built-in middleware
- Store secrets in Azure Key Vault or `dotnet user-secrets` for development
- Enable HTTPS redirects and HSTS headers
- Use `[Authorize]` attributes with specific policies, not global authorization
- Implement CSRF protection with `[ValidateAntiForgeryToken]`
- Log security events but never log sensitive data
- Use `SecureString` for sensitive data in memory when possible
Common Pitfalls
- Don't trust client-side validation - always validate server-side
- Don't use `AddWithValue()` blindly - specify parameter types explicitly
- Don't catch generic exceptions without proper logging and handling
- Don't store connection strings in appsettings.json for production
- Don't use deprecated crypto APIs (MD5, SHA1, DES)
- Don't expose stack traces to end users in production
- Don't use `[AllowAnonymous]` without careful consideration
- Don't trust HTTP headers for security decisions (X-Forwarded-For, Referer)
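An added example (not part of the skill file) that ties together items from the Best Practices and Common Pitfalls lists in one controller action: a specific `[Authorize]` policy, `[ValidateAntiForgeryToken]`, explicitly typed SQL parameters instead of `AddWithValue`, server-side validation, a connection string read from configuration rather than a checked-in appsettings.json, and error handling that logs server-side without exposing details. It assumes ASP.NET Core with implicit usings and the `Microsoft.Data.SqlClient` package; the policy name `CatalogEditor`, connection string name `Catalog`, and table and route names are made up.

```csharp
using System.Data;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;

// Hypothetical controller; policy "CatalogEditor" and connection string "Catalog" are assumed names.
[ApiController]
[Route("api/products")]
public sealed class ProductsController : ControllerBase
{
    private readonly string _connectionString;
    private readonly ILogger<ProductsController> _logger;
    public ProductsController(IConfiguration config, ILogger<ProductsController> logger)
    {
        // Resolved from configuration providers (user-secrets in development, Key Vault in production)
        _connectionString = config.GetConnectionString("Catalog")
            ?? throw new InvalidOperationException("Connection string 'Catalog' is not configured.");
        _logger = logger;
    }
    [HttpPost("{id:int}/rename")]
    [Authorize(Policy = "CatalogEditor")]   // a specific policy, not a bare [Authorize] or a global filter
    [ValidateAntiForgeryToken]              // CSRF protection for this form post
    public async Task<IActionResult> Rename(int id, [FromForm] string name, CancellationToken ct)
    {
        // Server-side validation regardless of what the client checked
        if (string.IsNullOrWhiteSpace(name) || name.Length > 100)
            return BadRequest("Name must be 1-100 characters.");
        try
        {
            await using var connection = new SqlConnection(_connectionString);
            await connection.OpenAsync(ct);
            await using var command = new SqlCommand("UPDATE Products SET Name = @Name WHERE Id = @Id", connection);
            // Explicit parameter types and sizes instead of AddWithValue's type inference
            command.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            command.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            int rows = await command.ExecuteNonQueryAsync(ct);
            if (rows == 0) return NotFound();
            // Security event logged with identifiers only, not the submitted data
            _logger.LogInformation("Product {ProductId} renamed by {User}", id, User.Identity?.Name);
            return NoContent();
        }
        catch (SqlException ex)
        {
            // Full exception stays in the server log; the client gets a generic status, no stack trace or SQL text
            _logger.LogError(ex, "Rename failed for product {ProductId}", id);
            return StatusCode(StatusCodes.Status500InternalServerError);
        }
    }
}
```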