Last post Dec 19, 2013 04:02 PM by dgdev
Feb 18, 2013 10:53 AM | LawyerDev
I am performing an audit on our new web solution utilizing Web Api. Particularly, I am looking at preventing a cross-site scripting attack. Aside from other precautions I intend to take, I'm wondering if anyone knows if the MVC RequestValidation feature is implemented in WebApi. During one of my security scans, MVC successfully diagnosed an attempt at script injection in a request, but WebApi failed to do so. Does RequestValidation not exist in Web Api?
Feb 25, 2013 05:17 AM | sukumarraju
Validate Anti Forgery Token attribute works in Web API as well.
[ValidateAntiForgeryToken]
public ActionResult Login(CustomerViewModel model)
Feb 25, 2013 06:33 AM | Melech7
You can also use the HtmlEncode method to make sure that any input from the user will be HTML encoded.
Feb 25, 2013 07:03 AM | sukumarraju
Dec 19, 2013 04:02 PM | dgdev
If you're looking for a way to sanitize all incoming DTOs and ApiController-Action parameters, I've designed an action filter & object graph sanitizer for such purposes.
They are part of the NContext library:
NContext and all its components are still in alpha, so please test before using in production! Everything is licensed under MIT open source.
Essentially how it works is:
The interface ISanitizeText provides an abstraction in which you can implement your own text sanitizer. Implementors should consider using a well-tested library such as Microsoft's AntiXSS or OWASP's utilities.
The HttpParameterBindingSanitizerFilter is an ActionFilterAttribute that inspects the incoming request before it calls / binds to the controller's action. It looks for string parameters and complex objects. It is injected with an implementation of ISanitizeText. Complex objects are sanitized via the ObjectGraphSanitizer.
The ObjectGraphSanitizer handles traversing complex objects looking for all strings to sanitize. It can handle primitive string properties, nested complex objects, IEnumerable, IDictionary, Arrays. It handles circular references so sanitization is done only once. Graph traversal is done on a single thread, placing all string references in a HashSet. After traversal is complete, the OGS will sanitize all objects/strings in the HashSet with the option of doing so in parallel.
My aim was to provide Web API with an automated way to sanitize all incoming user input before it enters the action method. Therefore developers don't need to do so manually.
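A minimal version of the object graph sanitizer the post above describes, added here as an illustration; it is not NContext's own code. ISanitizeText and HtmlEncodeSanitizer are hypothetical names chosen for the demo, and it assumes .NET 5 or later (for ReferenceEqualityComparer) and DTOs that expose their strings as public, settable properties, array/List elements or dictionary values.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Net;
using System.Reflection;
// Hypothetical stand-in for the post's ISanitizeText; plug a well-tested library (AntiXSS, OWASP) in here.
public interface ISanitizeText { string Sanitize(string input); }
// Demo implementation: HTML-encode, so injected markup is rendered as text instead of executing.
public sealed class HtmlEncodeSanitizer : ISanitizeText { public string Sanitize(string input) => WebUtility.HtmlEncode(input); }
public sealed class ObjectGraphSanitizer
{
    private readonly ISanitizeText _sanitizer;
    // Visited set keyed by reference (circular graphs walked once); strings are immutable, so hits are queued as write-backs.
    private readonly HashSet<object> _visited = new HashSet<object>(ReferenceEqualityComparer.Instance);
    private readonly List<Action> _writes = new List<Action>();
    public ObjectGraphSanitizer(ISanitizeText sanitizer) => _sanitizer = sanitizer;
    public void Sanitize(object root)
    {
        Traverse(root);                            // phase 1: collect on a single thread
        foreach (var write in _writes) write();    // phase 2: apply (Parallel.ForEach would also do)
    }
    private void Traverse(object node)
    {
        // Skip nulls, strings, value types (boxing would defeat the visited set) and already-seen nodes.
        if (node == null || node is string || node.GetType().IsValueType || !_visited.Add(node)) return;
        if (node is IDictionary dict)                  // string values replaced, complex values recursed into
        {
            foreach (var key in dict.Keys)
                if (dict[key] is string s) _writes.Add(() => dict[key] = _sanitizer.Sanitize(s));
                else Traverse(dict[key]);
        }
        else if (node is IList list)                   // arrays and List<T>: elements replaced in place
            for (int i = 0; i < list.Count; i++)
            {
                int idx = i;                           // per-iteration copy so the closure does not share i
                if (list[idx] is string s) _writes.Add(() => list[idx] = _sanitizer.Sanitize(s));
                else Traverse(list[idx]);
            }
        else if (node is IEnumerable seq)              // read-only sequences: recurse, nothing to write back
            foreach (var item in seq) Traverse(item);
        else
            foreach (var p in node.GetType().GetProperties(BindingFlags.Public | BindingFlags.Instance))
            {
                if (!p.CanRead || p.GetIndexParameters().Length > 0) continue;
                object value = p.GetValue(node);
                if (value is string s && p.CanWrite) _writes.Add(() => p.SetValue(node, _sanitizer.Sanitize(s)));
                else Traverse(value);
            }
    }
}
```

Calling new ObjectGraphSanitizer(new HtmlEncodeSanitizer()).Sanitize(dto) from an ActionFilterAttribute before the action runs gives the behaviour the post describes; strings reachable only through read-only properties or non-indexable sequences are left unchanged, which is the gap a reviewer should look for in any such filter.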