First Line of Defense for Web Applications – Conclusion

Platform features for validating input in .NET Framework

There are many platform features which should be leveraged wherever possible. Some of the key validation features supported by .NET framework are given below:

ValidateRequest

ASP.NET performs request validation against query-string and form variables as well as cookie values. By default, if the current Request contains HTML-encoded elements or certain HTML characters (such as —), the ASP.NET page framework raises an error.

This is an httphandler which will scan all requests coming in the application and will generate an error message if it detects malicious characters in the request that could initiate a cross site scripting attack. By default, this security feature is enabled in the Machine.config file. It is always advisable to not to disable this setting and verify that validateRequest is set to true as given below.

<system.web>

  <pages buffer="true" validateRequest="true" />

</system.web>

There are some limitations to this feature.

· If you need a page which contains a free format rich test entry fields designed to accept a range for HTML as input, then you might want to disable this feature. It should be understood that disabling validate request is dangerous, so make sure proper input validation is implemented in the application.

· Security researchers have found a way to bypass this platform validation feature in the past multiple times, and they can do it again in the future. Relying “Only” on this mitigation can prove costly. Microsoft ASP.NET request filtering can be bypassed allowing XSS and HTML injection attacks

Validation controls

The validation features provided by the .NET framework are immensely powerful. Validation controls provide an easy-to-use mechanism for all common types of standard validation. For example, a developer can test for valid dates or values within a range and can create custom-written validation. In addition, validation controls allow you to customize how error information is displayed to the user. Using the right validation control in the right context can save your application from lot of attack vectors.

Regular expressions

Regular expressions provide a powerful, flexible, and efficient method for processing text. The extensive pattern-matching notation of regular expressions allows you to quickly parse large amounts of text to find specific character patterns, to extract, edit, replace, or delete text substrings, or to add the extracted strings to a collection in order to generate a report. For many applications that deal with strings (such as HTML processing, log file parsing, and HTTP header parsing), regular expressions are an indispensable tool.

Let’s analyze this regular expression used for validation, implemented by a developer on a Name input field:

string regExPattern= \.{1,500}$

The regular expression serves only as the length delimiter. It provides no protection in terms of character type. This example merely limits the attacker to a maximum payload of 500 characters.

Ideally the regExPattern should have been declared as follows:

string regExPattern = ^[a-zA-Z''-'\s]{1,40}$

This only allows one or more alphabetical characters, which further validates the input as a name. It allows up to 40 uppercase and lowercase characters and a few special characters that are common to some names.

Unfortunately, regular expressions have some significant limitations:

· Performance Impact

o The more complex the regular expression, the more CPU cycles are required. RegEx generally have exponential complexity. Use of OR (|) to create a complex regular expression can slow down your application.

· Certain kinds of strings are very hard, if not impossible to recognize by regular expressions.

· Sometimes it requires extra time and effort to construct RegEx which will validate all good data

o Different input but all are valid forms E.g a valid email address can be – abc@foo.com or abc@111.222.333.444

Be careful with the DOT(.)

Dot is a very powerful regular expression meta- character, but there is something important to understand about its use. Dot is a part of character class that represents a set of characters which can match an input string; the dot matches a single character without caring what that character is. The only exceptions are newline characters. This means that the regular expression will also match in cases where it should not match. Thus, use of DOT sometimes creates regular expression that is very loosely written.

For example, let's say we want to match a date in mm/dd/yy format, but we want to leave the user the choice of date separators. The quick solution is \d\d.\d\d.\d\d. Seems fine at first. It will match a date like 04/09/07 just fine. The problem comes when you pass something like “04109807” via this regular expression. This input passes the validation requirement without any red alerts. Why? Because it is also considered a valid date by the quick solution regular expression. In this match, the first dot matched 1, and the second matched 8. Clearly this is something which is not intended. It is therefore advised to use this meta-character sparingly or with caution.

Conclusions

The .NET framework has many powerful features for implementing white list validation. Remember to use white list validation whenever possible. It is a more restrictive, definitive, and manageable means to perform strong input validation in your applications.

On the other hand, black list validation is less restrictive and more difficult to manage and maintain. As you have seen, there are many ways to bypass black list validation.

Of course, a combination of both the approaches can be leveraged where it is difficult to define exactly what you are looking for in the input. However you validate, consider a centralize approach to input and data validation within your application. Maintainability of the code becomes quite simple as your validation routines are defined at one place.

Attacks on the application layer have tremendously increased over the years. Most of the deadly web application attacks exploit poor input validation as root vulnerability. Understanding the right validation approach and techniques for user input filtering are the keys to a secure web application.

It’s a bad world outside so- Validate! Validate and validate all user controlled input prior to consuming it.

References

· https://msdn2.microsoft.com/en-us/library/ms998378.aspx#pagquestionlist0002_inputdatavalidation

· Anti-Cross Site Scripting Library - https://msdn2.microsoft.com/en-us/security/aa973814.aspx

· https://msdn.microsoft.com/archive/default.asp?url=/archive/en-us/samples/internet/components/sitelock/default.asp

· How To: Use Regular Expressions to Constrain Input in ASP.NET

· Developing a Validator Control

· Validating User input in ASP.NET web pages

· https://www.guidancelibrary.com/default.aspx/Home.RegExInputValCode

· Regular Expression Work bench

· https://www.regular-expressions.info/

· https://msdn2.microsoft.com/en-us/library/Aa302416.aspx#strongnames_topic4

 

Regards & Keep it Secure !!

Anmol Malhotra

Comments

  • Anonymous
    January 06, 2008
    The comment has been removed

  • Anonymous
    January 13, 2008
    Hello folks, I just completed my blog series on Input Validation Strategies on our hackers blog - http://blogs.msdn.com/hackers

  • Anonymous
    February 01, 2008
    Antes de empezar, se que este post puede ser vetado, por muchos motivos, solo quiero esperar que lo tomen

  • Anonymous
    February 01, 2008
    Antes de empezar, se que este post puede ser vetado, por muchos motivos, solo quiero esperar que lo tomen