
Sunday, February 29, 2004

Did you know that ASP.NET v1.1 automatically checks for possible scripting attacks when users enter info into your forms? I didn't! I learned it in my prep for my DevDays session.

So this:

(with Errors="Off" in web.config) results in this:

This protection is on by default. It is controlled in a few places. See this article on Microsoft's ASP.NET site for more details.


It is a great feature, but there are some gotchas and caveats to watch out for:

  1. Some people who upgrade their app from 1.0 to 1.1 find themselves caught by this. In a frenzied panic (all too often because someone is breathing down their necks), they immediately go into web.config and disable the Request Validation feature. NOT a good thing!

    The key thing to keep in mind is that if you choose to disable this option, make sure that you have some sort of Input Validation in your code. Remember ALL Input is EVIL! (Until it has been verified otherwise).

  2. Vendor applications that you need to use, and don't have access to the source of, which disable the Request Validation feature. I remember reading the installation directions for an app (written by a global consulting firm) that stated: "If you are running .NET 1.1, make sure you turn OFF Request Validation in your Web.config"! Since I did not have access to the source, I could not verify that they were actually doing any input validation. My confidence in the vendor was not helped by the fact that when talking with their developers, they could not tell me whether they supported Out Of Process Session Storage or not. It was not so much that they couldn't tell me as that they did not understand the difference between InProcess and Out of Process State Storage options (which I needed to know, as the app was going to be deployed on a web farm). Oh yes, we won't discuss the Web SSO vendor who has a problem with this as well, and who still has not resolved the issue ;-)

    Not much you can do in this case, except see if you can actually talk to someone at the vendor end who understands your question and gives you a reasonable answer or a fix.
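What "some sort of Input Validation" looks like on a page that genuinely has to opt out of Request Validation, as an added example that is not from the original post: the opt-out is scoped to one page with the `ValidateRequest` page directive rather than the application-wide `<pages validateRequest="false" />` setting, the name field is allow-listed, and everything from the request is HTML-encoded before it is written back. The control names, the regular expression and the length limit are assumptions for the example.

```csharp
// Added example, not the original post's code. Assumes a page declared as
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="CommentPage" %>
// so that only this page skips the built-in check; the rest of the
// application keeps the default (Request Validation on).
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CommentPage : Page
{
    protected TextBox DisplayName;   // assumed control names
    protected TextBox CommentBody;
    protected Label Output;

    // Allow-list for the name field: letters, digits, spaces and a few
    // punctuation marks, capped at 40 characters (assumed policy).
    private static readonly Regex NamePattern =
        new Regex(@"^[A-Za-z0-9 .'-]{1,40}$");

    // Returns null when the input is rejected; callers treat null as "do not use".
    public static string ValidateName(string raw)
    {
        if (raw == null) return null;
        return NamePattern.IsMatch(raw) ? raw : null;
    }

    // Free text cannot be allow-listed as tightly, so it is length-checked on
    // the way in and HTML-encoded on the way out; the encoding is what keeps
    // the browser from treating it as markup.
    public static string ValidateComment(string raw)
    {
        if (raw == null || raw.Length == 0 || raw.Length > 2000) return null;
        return raw;
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        string name = ValidateName(DisplayName.Text);
        string body = ValidateComment(CommentBody.Text);
        if (name == null || body == null)
        {
            Output.Text = "Input rejected.";   // fixed message; never echo the bad input
            return;
        }
        // Encode every request-supplied value before it goes back into the page.
        Output.Text = HttpUtility.HtmlEncode(name) + ": " + HttpUtility.HtmlEncode(body);
    }
}
```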

[Now Playing: Udja Kale Kawan - Gadar]

Tags: Security
2/29/2004 1:41 PM Eastern Standard Time  |  Comments [8]
Sunday, May 8, 2005 12:06:51 AM (Eastern Daylight Time, UTC-04:00)
Also, note that there's a flaw in the implementation of this feature that allows certain malformed scripts to pass the validation. I discussed this, and linked to the available hotfix, on my blog at:

http://weblogs.asp.net/gad/archive/2003/11/12/37219.aspx

G. Andrew Duthie
Sunday, May 8, 2005 12:06:51 AM (Eastern Daylight Time, UTC-04:00)
I know this feature, and it's one of my problems during porting my old web application (written in ASP) to ASP.NET.
Stefano Demiliani