Web applications constantly face serious attacks that result from improper input validation. One popular attack is cross-site scripting, which may allow an attacker to hijack another user's session or authentication state. Another is SQL injection, which can lead to disclosure or tampering with your backend database. Of course, many others are possible in applications that perform tasks based on client input without proper validation. The series of guidelines below should help you determine an optimal strategy when securing your ASP.NET applications. While the exact validation details depend on what kind of input you expect, the overall guidelines are as follows:

1. Enable ValidateRequest (enabled by default in v1.1). This will detect most dangerous input that contains an XSS attack.
2. Do server validation. Client validation can be easily bypassed, in fact too easily to count on it. You can take advantage of our validator controls: http://www.dotnetjunkies.com/quickstart/aspplus/doc/webvalidation.aspx
3. Only accept legal input (using regular expressions), reject all else. Do not attempt to scan the input for invalid content.
4. If you cannot restrict legal input (as you can with social security numbers) and must accept more or less free-form input (such as forum posts), sanitize it by removing dangerous characters/content you are aware of. Do not use this instead of 3 where possible.
5. If you must display input from the user, or data derived from it, HtmlEncode it. You can use HttpServerUtility.HtmlEncode().
6. If you use the input to drive database queries, use stored procedures with db parameters, or SQL queries with db parameters if you can't use stored procedures. Never build the SQL query as a string. See ADO.NET documentation for more info on using parameters, for example: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbtsksettinggettingdatacommandparameters.asp

Check out the security architecture guide for more information: http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh10.asp?frame=true#c10618429_006
Mike Volodarsky
CTO at LeanSentry
Former IIS/ASP.NET PM
Want to become an expert at monitoring and troubleshooting your IIS applications?
See the demo at www.leansentry.com!
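The six guidelines above carried into one working C# page, as an added example that is not code from the original post or from ASP.NET itself. It assumes a hypothetical table dbo.Users(UserName, DisplayName), a hypothetical stored procedure dbo.GetUserByName(@UserName) that returns the display name, an appSettings key "UsersDb" holding the connection string, and the control ids named in the comments; the user-name regex is illustrative and is the kind of whitelist step 3 asks for. The vulnerable string-built query is kept beside the parameterized form so the difference is visible.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the original post. Table, procedure, appSettings key
// and control ids below are hypothetical.
public class UserLookup
{
    // Step 3: describe what is legal and reject everything else. The ^ and $ anchors
    // are essential; without them "bob' OR 1=1--" still contains a legal substring.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string input)
    {
        return input != null && UserNamePattern.IsMatch(input);
    }

    // What step 6 forbids: the query is a string with the input pasted in.
    // userName = "x' OR '1'='1" makes the WHERE clause true for every row, and a
    // trailing "--" lets the attacker discard whatever follows.
    public static string VulnerableQuery(string userName)
    {
        return "SELECT DisplayName FROM dbo.Users WHERE UserName = '" + userName + "'";
    }

    // Step 6 done properly: a stored procedure driven by a typed parameter. The value
    // travels separately from the command text, so quotes and comment markers in it
    // are data, never syntax. The declared length also caps what the database receives.
    public static string LookupDisplayName(string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name contains characters that are not allowed.");

        string connectionString = ConfigurationSettings.AppSettings["UsersDb"]; // hypothetical key
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? null : (string)result;
        }
    }

    // Same rule when a stored procedure is not available: parameterize the text query.
    public static SqlCommand ParameterizedQuery(SqlConnection conn, string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT DisplayName FROM dbo.Users WHERE UserName = @UserName", conn);
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;
        return cmd;
    }

    // Step 5: encode at the point of output. DisplayName came from the database, not
    // from the regex, so it is untrusted; HtmlEncode turns <script> into &lt;script&gt;.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }
}

// Code-behind for a Web Form. The .aspx is assumed to declare a TextBox txtUser, a
// RegularExpressionValidator bound to it with the same pattern as above, a Button
// wired to btnLookup_Click, and a Literal litGreeting (all ids hypothetical).
// Step 1 is a setting, not code: <%@ Page ValidateRequest="true" %> on the page, or
// <pages validateRequest="true" /> under <system.web> in web.config.
public class UserLookupPage : Page
{
    protected TextBox txtUser;
    protected Literal litGreeting;

    protected void btnLookup_Click(object sender, EventArgs e)
    {
        // Step 2: Page.IsValid re-runs every validator on the server, so a request
        // that skipped the client-side script is still checked here.
        if (!Page.IsValid)
            return;

        string displayName = UserLookup.LookupDisplayName(txtUser.Text);
        if (displayName == null)
            displayName = "unknown user";

        litGreeting.Text = UserLookup.RenderGreeting(displayName);
    }
}
```

The regex check in LookupDisplayName is deliberately kept even though the validator control already ran: the method may be called from code paths that never went through the page, and step 3 is a property of the data-access layer, not of one form.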
I have a question on hijacking another user's session. How would someone do this, and how can I prevent it, since I use sessions a lot in my application with sensitive data?
mvolo
Contributor
2202 Points
441 Posts
MVP
Web Security: Input Validation in ASP.NET Applications
Mar 02, 2004 01:38 AM
afelicetti
Contributor
2215 Points
443 Posts
Re: Web Security: Input Validation in ASP.NET Applications
Mar 18, 2004 04:58 PM