Catch the security flaw #5
A lot of web applications use RegularExpressionValidators for performing input validation [1]. Sometimes these validators are not implemented properly, which can lead to potential flaws. See if you can catch the flaw here:-
Code for Default.aspx:-
<%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default2.aspx.cs" Inherits="Default2" %>
<html xmlns="https://www.w3.org/1999/xhtml" >
<body>
    <form id="form1" runat="server">

        <asp:TextBox ID="txtName" runat="server"></asp:TextBox>
        <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
        <asp:RegularExpressionValidator ID="regexpName" runat="server"
            ErrorMessage="This expression does not validate."
            ControlToValidate="txtName"
            ValidationExpression="^[a-zA-Z'.\s]{1,40}$" />

    </form>
</body>
</html>
Code behind Default.aspx.cs file:-
using System;

public partial class Default2 : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {

    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        Response.Write("Welcome " + Request["txtName"]);
    }
}
Reference:-
[1] How To: Use Regular Expressions to Constrain Input in ASP.NET
https://msdn.microsoft.com/en-us/library/ms998267.aspx
Comments
Anonymous
December 21, 2008
Is the fault that you should check to see if the page is valid first in the event handler? By adding the code if (this.IsValid) { Response.Write("Welcome " + Request["txtName"]); } where your processing for a proper validation is performed, you're verifying that the validator is indeed doing its job.
Anonymous
December 21, 2008
Yes, it is. But can you think of why the lack of this check can lead to a vulnerability? What might that vulnerability be?
Anonymous
December 21, 2008
Based on the article referenced, this is a validator for a name of 1-40 characters in length. If the validation fails, then empty values could be passed through (if the app crashes or hangs, there's a DOS). Also, that article refers to other things such as cross-site scripting or SQL injection. I'm going to go out on a limb here and presume that's what you're getting at.
Anonymous
December 22, 2008
The comment has been removed
Anonymous
December 28, 2008
In my last post, I showed input validation code that uses RegularExpressionValidators improperly. Thanks
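A hardened version of the code-behind along the lines the first comment suggests, as an added example that is not part of the original post or its comments. Only the IsValid check comes from the thread; reading the value from txtName.Text, the explicit server-side Regex re-check, the empty-input check and the HTML encoding are additions made here for illustration.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

public partial class Default2 : System.Web.UI.Page
{
    // Same pattern as the ValidationExpression in the .aspx markup,
    // kept on the server so the check does not depend on client script.
    private static readonly Regex NamePattern =
        new Regex(@"^[a-zA-Z'.\s]{1,40}$");

    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // The validators run on the server before this handler fires,
        // but the handler is still called when they fail. Their verdict
        // has to be checked explicitly.
        if (!Page.IsValid)
        {
            return; // the validator renders its ErrorMessage
        }

        // Read the value from the control the validator actually checked.
        // Request["txtName"] also consults the query string and cookies,
        // which the validator never looked at.
        string name = txtName.Text;

        // RegularExpressionValidator treats an empty field as valid, so
        // reject empty input here and re-apply the pattern as a second check.
        if (string.IsNullOrEmpty(name) || !NamePattern.IsMatch(name))
        {
            return;
        }

        // The page sets ValidateRequest="false", so ASP.NET request
        // validation is off. Encode on output regardless of what the
        // pattern allows (it permits the single quote, for example).
        Response.Write("Welcome " + HttpUtility.HtmlEncode(name));
    }
}
```

A RequiredFieldValidator on txtName in the markup would give the same empty-input rejection declaratively; the handler check above covers the case where it is absent.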