Last post Aug 26, 2015 11:48 AM by alfred1030
Aug 18, 2015 09:59 PM | alfred1030
Sorry, I have already posted this at Stack Overflow, but unfortunately got no response.
I have a project with a client - ASP.NET, Dot Net 4.0, Telerik Controls 2013.
Recently my client has sent the System for a security scan. Some 'red' alerts require me to fix them.
They ask me to validate the hidden fields:
__EVENTARGUMENT, __EVENTTARGET, RadScriptManager1_TSM, RadStyleSheetManager1_TSSM etc.
Those fields are automatically generated and I do NOT use those hidden fields. My understanding is that the Telerik Controls hidden fields are for visualization purposes etc.
I already told them that they are NOT used in the System and I do not think they shall be validated but their security team said that: "hidden fields can still have unintended data injected into them when a proxy is used to intercept the traffic"
and ask me to implement server-side validation. (I have also sent them a document from Telerik stating that the Telerik controls shall have no security issues.)
I then googled and studied the Stack Overflow questions
1. Are the ASP.net __EVENTTARGET and __EVENTARGUMENT susceptible to SQL injection?
2. asp:RequiredFieldValidator does not validate hidden fields
To be honest, I have no idea how to implement the validation, even though I read the Stack Overflow posts. My questions are:
1. Shall those hidden fields be validated? Any best practices? Even though I do not use them.
2. How shall I implement the server side validation? Any example? (After reading the stackoverflow posts, ... I get lost... sorry.)
3. What shall be validated? I do not use the hidden fields. Validate for what values?
4. It leads to a bigger question. If I have other 3rd-party controls, I need to validate everything that is not under my control, even though there is a security report from the 3rd-party vendor. Right now they even ask me to validate the ASP.NET hidden field.
I just wonder - does it make sense? If I use google map, then I need to validate google map? IMHO, it is practically not possible. Is there any best practices?
Thanks and regards,
Aug 19, 2015 04:17 AM | Mikesdotnetting
I can't see how you can validate the content of those fields - especially as you don't reference them in code anywhere. If you did reference __EVENTTARGET, you would only do so to establish which control caused a postback. The content of the form field will
be a string that either matches the name of a control on the page, or doesn't (if it's been tampered with). So you would write code that takes account of the possibility that there is no match.
Rather than the bland and pretty meaningless "hidden fields can still have unintended data injected into them when a proxy is used to intercept the traffic" feedback, ask the security team specifically what threat you are expected
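The check described in the reply above (does the posted __EVENTTARGET name a control on the page, or has it been tampered with?) as an added example; this is not code from the thread, from Telerik, or from the poster's project. It assumes a hypothetical base class (BasePage) that your pages inherit from, and it runs in OnLoadComplete so that controls created dynamically in Page_Load already exist but the page has not yet dispatched the postback event. The regex, the class name and the choice to answer with HTTP 400 are the example's own assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Added example (not from the original thread). BasePage is a hypothetical
// base class; derive your .aspx pages from it instead of System.Web.UI.Page.
public class BasePage : Page
{
    // Assumed shape of an ASP.NET UniqueID: identifier segments made of letters,
    // digits and underscores, joined by '$' for naming containers,
    // e.g. "ctl00$MainContent$Button1". Anything else is not a control name.
    private static readonly Regex ControlIdShape =
        new Regex(@"^[A-Za-z_][A-Za-z0-9_]*(\$[A-Za-z_][A-Za-z0-9_]*)*$",
                  RegexOptions.Compiled);

    // LoadComplete fires after Load (so dynamic controls are in the tree) and
    // before RaisePostBackEvent (so a bad target never reaches page code).
    protected override void OnLoadComplete(EventArgs e)
    {
        base.OnLoadComplete(e);
        if (!IsPostBack) return;

        string target = Request.Form["__EVENTTARGET"];
        if (!string.IsNullOrEmpty(target) && !IsValidEventTarget(target))
        {
            // The value does not name any control on this page: treat the
            // request as tampered and refuse it instead of continuing.
            throw new HttpException(400, "Invalid postback target.");
        }
    }

    // True only when __EVENTTARGET looks like a control ID and resolves to a
    // control in this page's control tree (Page.FindControl understands the
    // '$'-separated UniqueID form). No match means the field was altered.
    protected bool IsValidEventTarget(string target)
    {
        if (!ControlIdShape.IsMatch(target)) return false;
        Control c = FindControl(target);
        return c != null;
    }
}
```

Two caveats a reviewer would add. First, __EVENTARGUMENT is only ever handed to the target control's own RaisePostBackEvent (a GridView, for instance, interprets values like "Page$2"); if your code never reads it, there is nothing for you to validate, and if you do read it, parse it as untrusted input. Second, do not tighten the check to "control must implement IPostBackEventHandler": an UpdatePanel refreshed with __doPostBack, or similar AJAX helpers, legitimately post a target that is a plain Control, and the stricter check would break those pages.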
Aug 26, 2015 11:48 AM | alfred1030
I agree with you. The security team just follows "rules" to ask contractor to validate everything.