Validating Request.Params[] values for cross site scripting

oopaevah@yahoo.co.uk
      01-10-2006
Hello

To prevent cross site scripting I am validating each value in the
Request.Params collection against the following regular expression:

^[a-zA-Z0-9\.\-_'=+/ :]*$

This only allows the following characters:

a-Z
0-9
.
-
_
'
=
+
[space]
:

Which prevents the <, %3C or \u0022 methods of getting malicious html
tags into the request.

My problem is that the Request.Params structure contains lots of other
values which are nothing to do with the form such as "ALL_HTTP" which
comes in as:

"HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."

This fails my regular expression because of the slash characters so
that NO page will ever pass my validation!

I have two questions.

1) Can a malicious user edit the values in parameters such as ALL_HTTP,
which I think are http headers?

2) Is there a way to access only the form/url parameter values and not
the http headers?

thanks
Karl Seguin [MVP]
      01-10-2006
(1) yes
(2) just go through Request.Form and Request.QueryString individually

(3) I don't know your situation, but it all seems like overkill and
unnecessary protection to me
(4) ASP.NET supports a validateRequest attribute on the @Page level or in the
web.config which does this for you

Karl
--
http://www.openmymind.net/



<(E-Mail Removed)> wrote in message
news:(E-Mail Removed) oups.com...
> Hello
>
> To prevent cross site scripting I am validating each value in the
> Request.Params collection against the following regular expression :
>
> ^[a-zA-Z0-9\.\-_'=+/ :]*$
>
> This only allows the following characters :
>
> a-Z
> 0-9
> .
> -
> _
> '
> =
> +
> [space]
> :
>
> Which prevents the <, %3C or \u0022 methods of getting malicious html
> tags into the request.
>
> My problem is that the Request.Params structure contains lots of other
> values which are nothing to do with the form such as "ALL_HTTP" which
> comes in as :
>
> "HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."
>
> This fails my regular expression because of the slash characters so
> that NO page will ever pass my validation!
>
> I have two questions.
>
> 1) Can a malicious user edit the values in parameters such as ALL_HTTP,
> which I think are http headers?
>
> 2) Is there a way to access only the form/url parameter values and not
> the http headers?
>
> thanks
>
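As an added example (not code from the thread or from Karl), here is how answer (2) can be implemented in an ASP.NET 2.0 code-behind: the original allow-list is applied to Request.QueryString and Request.Form only, leaving out Request.ServerVariables and Request.Cookies, which Request.Params also merges in (ALL_HTTP is a server variable, which is why it kept failing the check). The class name ValidatedPage is assumed; the regex ends in \z rather than $ because in .NET $ also matches just before a trailing newline.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Assumed base page (not from the thread): pages that inherit from it get every
// user-supplied query string and form value checked before any control reads it.
public class ValidatedPage : Page
{
    // Same allow-list as the original post. \z anchors at the very end of the
    // string; $ would also accept "value\n", which the allow-list never intended.
    private static readonly Regex Allowed =
        new Regex(@"^[a-zA-Z0-9\.\-_'=+/ :]*\z", RegexOptions.Compiled);

    // Returns the name of the first parameter that fails the allow-list,
    // or null when every value passes.
    public static string FirstInvalid(NameValueCollection values)
    {
        foreach (string key in values.AllKeys)
        {
            // A key can repeat (a=1&a=2); GetValues returns each instance separately,
            // whereas values[key] would join them with commas.
            string[] instances = values.GetValues(key);
            if (instances == null) continue;
            foreach (string v in instances)
                if (!Allowed.IsMatch(v)) return key;
        }
        return null;
    }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // Only the collections a browser can populate directly; Request.Params
        // would also pull in ServerVariables (e.g. ALL_HTTP) and Cookies.
        string bad = FirstInvalid(Request.QueryString) ?? FirstInvalid(Request.Form);
        if (bad != null)
        {
            // Reject the request without echoing the offending value back.
            Response.StatusCode = 400;
            Response.Write("Invalid character in parameter " + HttpUtility.HtmlEncode(bad));
            Response.End();
        }
    }
}
```

Answer (4) is the simpler route where the framework version allows it: `<pages validateRequest="true" />` under `system.web` in web.config, or `ValidateRequest="true"` on the `@ Page` directive.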
Karl Seguin [MVP]
      01-10-2006
I should say that validateRequest is only available in 1.1 and 2.0, not 1.0

Karl
--
http://www.openmymind.net/
oopaevah@yahoo.co.uk
      01-10-2006
Thanks Karl, I now go through Request.Form as well, I missed that.

It always seemed like unnecessary protection to me until one of our
customers hired an internet security company to test our pages.

Without complete validation of request parameters it is possible that
our site (which prompts for card details on one page) is susceptible to
phishing. Phishing is where hackers send emails posing as our customer
requesting card details from the user. If the email recipient clicks
the link in the email then malicious script can be inserted into our
card details page which can send the card details to a malicious web
page; e.g. by a window.open call in response to onclick of the submit
button.