Abstract:
Use the ASP.NET validation framework to prevent vulnerabilities that result from unchecked input.
Explanation:
Unchecked input is the leading cause of vulnerabilities in ASP.NET applications. Input that is never checked can lead to numerous vulnerabilities, including cross-site scripting, process control, and SQL injection.
To prevent such attacks, use the ASP.NET validation framework to check all program input before the application processes it. Request validation, the check that rejects request values that look like HTML markup, is only a coarse backstop: each field still needs rules of its own.
Example uses of the validation framework include checking to ensure that:
- Phone number fields contain only valid characters in phone numbers
- Boolean values are only "T" or "F"
- Free-form strings are of a reasonable length and composition
In this case, the request validation built into ASP.NET has been explicitly disabled.
Example 1: The following code shows an action method in a controller where validation has been disabled:
[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]   // turns request validation off for every value bound to this action
public ActionResult Edit([Bind(Include = "ISBN,Title,ReleaseDate,Genre,Price")] Book book)
{
...
}
In Example 1, the Edit action binds several properties of a Book object directly from the request. Because [ValidateInput(false)] switches request validation off for the whole action, every one of those bound values reaches the application unchecked, and each is a potential source of the unchecked-input vulnerabilities listed above.
Recommendations:
Although request validation is enabled by default, it is still best to enable it explicitly in the Web.config file, so that there is no confusion about whether it is on.
Validation should likewise not be disabled within individual controllers, actions or models: a [ValidateInput(false)] attribute overrides the Web.config setting for that action, which makes it hard to tell what is automatically validated and what is not. Remove the attribute and replace it with per-field validation rules.
An example of a typical setup in the Web.config file is as follows:
<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>
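The following is an added example, not code from the original page: it shows the Edit action from Example 1 with request validation left on and the per-field checks from the Explanation section (restricted composition, a fixed vocabulary, a bounded length and range) expressed as data-annotation rules on the Book model. It assumes ASP.NET MVC 5 on .NET Framework (System.Web.Mvc), a LibraryController name, and an in-memory BookStore stand-in for persistence; all three are assumptions, not part of the original.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Added example (not the original page's code). Book fields carry the
// validation rules; the controller relies on request validation staying on.
public class Book
{
    // Composition check: ISBN-13 as exactly 13 digits with no separators
    // (the digits-only form is an assumption of this example).
    [Required]
    [RegularExpression(@"^\d{13}$", ErrorMessage = "ISBN must be 13 digits.")]
    public string ISBN { get; set; }

    // Length check on a free-form string.
    [Required]
    [StringLength(200, MinimumLength = 1)]
    public string Title { get; set; }

    [DataType(DataType.Date)]
    public DateTime ReleaseDate { get; set; }

    // Vocabulary check: accept only known genres instead of any string.
    [Required]
    [RegularExpression("^(Fiction|NonFiction|Reference|Children)$",
        ErrorMessage = "Unknown genre.")]
    public string Genre { get; set; }

    // Range check on a numeric field.
    [Range(typeof(decimal), "0", "10000")]
    public decimal Price { get; set; }
}

// Stand-in for a real repository so the example has no external dependency.
public static class BookStore
{
    public static readonly Dictionary<string, Book> Books = new Dictionary<string, Book>();
}

public class LibraryController : Controller
{
    // No [ValidateInput(false)] here: request validation stays on, so a bound
    // value such as "<script>" is rejected before binding even starts.
    // Model validation then applies the per-field rules declared on Book.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Include = "ISBN,Title,ReleaseDate,Genre,Price")] Book book)
    {
        if (!ModelState.IsValid)
        {
            // Re-render the form with the validation messages; nothing is persisted.
            return View(book);
        }

        BookStore.Books[book.ISBN] = book;
        return RedirectToAction("Index");
    }
}
```

If one property genuinely has to accept markup, scope the exemption to that single property with [AllowHtml] on the model and HTML-encode it on output, rather than disabling request validation for the entire action with [ValidateInput(false)]; that keeps every other bound field under the default check and keeps the exemption visible where the field is defined.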