The Artima Developer Community
Articles | News | Weblogs | Books | Forums
Artima Forums | Articles | Weblogs | Java Answers | News
Sponsored Link

.NET Buzz Forum
My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0

0 replies on 1 page.

Welcome Guest
  Sign In

Go back to the topic listing  Back to Topic List Click to reply to this topic  Reply to this Topic Click to search messages in this forum  Search Forum Click for a threaded view of the topic  Threaded View   
Previous Topic   Next Topic
Flat View: This topic has 0 replies on 1 page
Scott Hanselman

Posts: 1031
Nickname: glucopilot
Registered: Aug, 2003

Scott Hanselman is the Chief Architect at Corillian Corporation and the Microsoft RD for Oregon.
My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0 Posted: Aug 8, 2003 5:49 PM
Reply to this message Reply

This post originated from an RSS feed registered with .NET Buzz by Scott Hanselman.
Original Post: My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0
Feed Title: Scott Hanselman's ComputerZen.com
Feed URL: http://radio-weblogs.com/0106747/rss.xml
Feed Description: Scott Hanselman's ComputerZen.com is a .NET/WebServices/XML Weblog. I offer details of obscurities (internals of ASP.NET, WebServices, XML, etc) and best practices from real world scenarios. 		Latest .NET Buzz Posts
Latest .NET Buzz Posts by Scott Hanselman
Latest Posts From Scott Hanselman's ComputerZen.com

Advertisement

I don't know if this qualifies as evil, stupid, both, or neither, but here's a story. 

Many clients move at a very, shall we say "measured" pace and don't take upgrading from Framework 1.0 to Framework 1.1 lightly.  We are very security focused here and javascript injection attacks are always a problem.  The client doesn't want want to upgrade to ASP.NET 1.1 until later this year, but they want to make sure they are in some way for script attacks. 

So, what to do?  Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent to ASP.NET @Page Directive "validateInput = true" into an custom validateInput HttpModule.  I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.

Again, may be evil, but felt so good.   When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:

<httpModules>
    <add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10" />
</httpModules>

A couple of interesting questions came up, one of which was...

A while loop is expanded when compiling IL, and the C# equivalent is something like this:

goto L_0045;
L_0040:
   index = (index + 1);
L_0045:
if (index >= len)
{
   goto L_005E;
}
if (CrossSiteScriptingValidation.IsAtoZ(s[index]))
{
   goto L_0040;
}
L_005E:

Should I (for tidying up's sake) roll it back up to something like this:

//Programmer intent: look for non-alphas...
while (index < len)
{
  if (!CrossSiteScriptingValidation.IsAtoZ(s[index]))
     break;
  index++;
}

or just leave well-enough (and well-equivalent) alone?  Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.

Read: My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0

Topic: Etoy's 10 Years Debian GNU/Linux Party Previous Topic   Next Topic Topic: PDC 2003 Graphic
Sponsored Links


Google
  Web Artima.com   

Copyright © 1996-2019 Artima, Inc. All Rights Reserved. - Privacy Policy - Terms of Use