Validating Request.Params[] values for cross site scripting

Discussion in 'ASP .Net' started by oopaevah@yahoo.co.uk, Jan 10, 2006.

  1. Guest

    Hello

    To prevent cross site scripting I am validating each value in the
    Request.Params collection against the following regular expression :

    ^[a-zA-Z0-9\.\-_'=+/ :]*$

    This only allows the following characters :

    a-Z
    0-9
    .
    -
    _
    '
    =
    +
    [space]
    :

    Which prevents the <, %3C or \u0022 methods of getting malicious html
    tags into the request.

    My problem is that the Request.Params structure contains lots of other
    values which are nothing to do with the form such as "ALL_HTTP" which
    comes in as :

    "HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."

    This fails my regular expression because of the slash characters so
    that NO page will ever pass my validation!

    I have two questions.

    1) Can a malicious user edit the values in parameters such as ALL_HTTP,
    which I think are http headers?

    2) Is there a way to access only the form/url parameter values and not
    the http headers?

    thanks
     
    , Jan 10, 2006
    #1

  2. (1) yes
    (2) just go through Request.Form and Request.QueryString individually

    (3) I don't know your situation, but it all seems like overkill and
    unnecessary protection to me
    (4) ASP.NET supports a validateRequest attribute on the @Page level or in the
    web.config which does this for you

    Karl
    --
    http://www.openmymind.net/



    <> wrote in message
    news:...
    > Hello
    >
    > To prevent cross site scripting I am validating each value in the
    > Request.Params collection against the following regular expression :
    >
    > ^[a-zA-Z0-9\.\-_'=+/ :]*$
    >
    > This only allows the following characters :
    >
    > a-Z
    > 0-9
    > .
    > -
    > _
    > '
    > =
    > +
    > [space]
    > :
    >
    > Which prevents the <, %3C or \u0022 methods of getting malicious html
    > tags into the request.
    >
    > My problem is that the Request.Params structure contains lots of other
    > values which are nothing to do with the form such as "ALL_HTTP" which
    > comes in as :
    >
    > "HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."
    >
    > This fails my regular expression because of the slash characters so
    > that NO page will ever pass my validation!
    >
    > I have two questions.
    >
    > 1) Can a malicious user edit the values in parameters such as ALL_HTTP,
    > which I think are http headers?
    >
    > 2) Is there a way to access only the form/url parameter values and not
    > the http headers?
    >
    > thanks
    >
     
    Karl Seguin [MVP], Jan 10, 2006
    #2

  3. I should say that validateRequest is only available in 1.1 and 2.0, not 1.0

    Karl
    --
    http://www.openmymind.net/



    "Karl Seguin [MVP]" <karl REMOVE @ REMOVE openmymind REMOVEMETOO . ANDME
    net> wrote in message news:...
    > (1) yes
    > (2) just go through Request.Form and Request.QueryString individually
    >
    > (3) I don't know your situation, but it all seems like overkill and
    > unnecessary protection to me
    > (4) ASP.NET supports a validateRequest attribute on the @Page level or in
    > the web.config which does this for you
    >
    > Karl
    > --
    > http://www.openmymind.net/
    >
    >
    >
    > <> wrote in message
    > news:...
    >> Hello
    >>
    >> To prevent cross site scripting I am validating each value in the
    >> Request.Params collection against the following regular expression :
    >>
    >> ^[a-zA-Z0-9\.\-_'=+/ :]*$
    >>
    >> This only allows the following characters :
    >>
    >> a-Z
    >> 0-9
    >> .
    >> -
    >> _
    >> '
    >> =
    >> +
    >> [space]
    >> :
    >>
    >> Which prevents the <, %3C or \u0022 methods of getting malicious html
    >> tags into the request.
    >>
    >> My problem is that the Request.Params structure contains lots of other
    >> values which are nothing to do with the form such as "ALL_HTTP" which
    >> comes in as :
    >>
    >> "HTTP_CONNECTION:Keep-Alive\r\nHTTP_ACC...etc.."
    >>
    >> This fails my regular expression because of the slash characters so
    >> that NO page will ever pass my validation!
    >>
    >> I have two questions.
    >>
    >> 1) Can a malicious user edit the values in parameters such as ALL_HTTP,
    >> which I think are http headers?
    >>
    >> 2) Is there a way to access only the form/url parameter values and not
    >> the http headers?
    >>
    >> thanks
    >>

    >
    >
     
    Karl Seguin [MVP], Jan 10, 2006
    #3
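The following is an added example written for this thread, not code posted by either participant. It applies Karl's points (2) and (4) together: the original poster's whitelist regex is kept as-is, but it is run only over Request.QueryString and Request.Form, the two collections a browser actually submits, rather than over Request.Params, which also merges Request.ServerVariables (ALL_HTTP, the HTTP_* headers and so on) and therefore can never pass. It assumes ASP.NET 2.0 Web Forms (the thread notes validateRequest exists in 1.1 and 2.0); the class and method names are my own. The built-in request validation Karl mentions is switched on with `<%@ Page ValidateRequest="true" %>` on a page or `<pages validateRequest="true" />` under `<system.web>` in web.config; the code below is the explicit version of the same idea.

```csharp
// Added example (not from the thread): whitelist-check only the collections a
// browser submits, instead of Request.Params, which also merges server
// variables such as ALL_HTTP.  Assumes .NET 2.0; names are hypothetical.
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public static class RequestWhitelist
{
    // The whitelist from the original post, unchanged.
    static readonly Regex Allowed =
        new Regex(@"^[a-zA-Z0-9\.\-_'=+/ :]*$", RegexOptions.Compiled);

    // Returns null when every value passes, otherwise "<collection>:<key>" for
    // the first offending parameter so the caller can log which input failed.
    public static string FirstInvalid(HttpRequest request)
    {
        string key = FirstInvalid(request.QueryString);
        if (key != null) return "QueryString:" + key;
        key = FirstInvalid(request.Form);
        return key == null ? null : "Form:" + key;
    }

    public static string FirstInvalid(NameValueCollection values)
    {
        foreach (string key in values.AllKeys)
        {
            // A key can repeat (?id=1&id=2); GetValues yields each instance
            // separately rather than the comma-joined string the indexer returns.
            string[] instances = values.GetValues(key);
            if (instances == null) continue;
            foreach (string value in instances)
            {
                if (!Allowed.IsMatch(value))
                    return key == null ? "(unnamed)" : key;
            }
        }
        return null;
    }
}

// Usage from a page.  QueryString and Form are already URL-decoded at this
// point, so a %3C in the URL arrives as '<' and is rejected by the whitelist.
public class CardDetailsPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string bad = RequestWhitelist.FirstInvalid(Request);
        if (bad != null)
        {
            // Reject the whole request rather than trying to "clean" the value.
            throw new HttpException(400,
                "Invalid characters in request parameter " + bad);
        }
    }
}
```

Headers (the values in Request.ServerVariables) are still attacker-controlled, as Karl's answer (1) says, so any header the page does echo into its output should be HTML-encoded at render time (HttpUtility.HtmlEncode) rather than run through this form-oriented whitelist, which would reject legitimate header syntax such as the CR/LF separators in ALL_HTTP.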
  4. Guest

    Thanks Karl I now go through Request.Form as well, I missed that.

    It always seemed like unnecessary protection to me until one of our
    customers hired an internet security company to test our pages.

    Without complete validation of request parameters it is possible that
    our site (which prompts for card details on one page) is susceptible to
    phishing. Phishing is where hackers send emails posing as our customer
    requesting card details from the user. If the email recipient clicks
    the link in the email then malicious script can be inserted into our
    card details page which can send the card details to a malicious web
    page; eg; by a window.open call in response to onclick of the submit
    button.
     
    , Jan 10, 2006
    #4
