Did you know that ASP.NET v1.1 automatically checks for possible scripting attacks when users enter info into your forms? I didn't! I learned it in my prep for my DevDays session.
So this:

(with customErrors mode="Off" in web.config, so the full error page is shown) results in this:

This protection is on by default. It is controlled in a few places. See this article on Microsoft's ASP.NET site for more details.
It is a great feature, but there are some gotchas and caveats to watch out for:
- Some people who upgrade their app from 1.0 to 1.1 find themselves caught by this. In a frenzied panic (all too often because someone is breathing down their necks), they immediately go into web.config and disable the Request Validation feature. NOT a good thing!
The key thing to keep in mind is that if you choose to disable this option, make sure that you have some sort of Input Validation in your code. Remember ALL Input is EVIL! (Until it has been verified otherwise).
- Vendor applications that you need to use, and don't have access to the source for, which disable the Request Validation feature. I remember reading the installation directions for an app (written by a global consulting firm) that stated: "If you are running .NET 1.1, make sure you turn OFF Request Validation in your Web.config"! Since I did not have access to the source, I could not verify that they were actually doing any input validation. My confidence in the vendor was not helped by the fact that when talking with their developers, they could not tell me if they supported Out Of Process Session Storage or not. Not just that they couldn't tell me, but that they did not understand the difference between In Process and Out of Process State Storage options. (Which I needed to know, as the app was going to be deployed on a web farm.) Oh yes, we won't discuss the Web SSO vendor who has a problem with this as well, and who still has not resolved the issue ;-)
Not much you can do in this case, except see if you can actually talk to someone at the vendor end who understands your question and gives you a reasonable answer or a fix.
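Here is an added example (my own sketch, not code from the post or from any vendor) of the approach the first gotcha calls for: leave Request Validation on application-wide, opt out only on the one page that legitimately needs a little markup, and do explicit input validation in that page's code-behind. The page name, control names and the allowed-tag whitelist are assumptions.

```csharp
// web.config (application-wide): keep the 1.1 default rather than switching it off
//   <system.web>
//     <pages validateRequest="true" />
//   </system.web>
//
// Comment.aspx (assumed page name): the single page that must accept a few tags
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="CommentPage" %>
//
// Because that page has opted out, its code-behind must validate the input itself.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CommentPage : Page
{
    protected TextBox CommentBox;   // assumed control names
    protected Label Output;

    // Whitelist: plain text plus <b>, <i> and <br> only. A tag with any
    // attribute, or any other element name, fails the match and is rejected.
    static readonly Regex Allowed = new Regex(
        @"^([^<>]|<(/?)(b|i|br)\s*(/?)>)*$",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static bool IsSafeComment(string text)
    {
        if (text == null || text.Length > 2000) return false;
        return Allowed.IsMatch(text);
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        string input = CommentBox.Text;
        if (!IsSafeComment(input))
        {
            // Echo the rejected value only after encoding it, never raw.
            Output.Text = "Rejected: " + HttpUtility.HtmlEncode(input);
            return;
        }
        Output.Text = input;   // contains nothing but the whitelisted tags
    }
}
```

Every other page in the application still gets the built-in check, so the opt-out is confined to the one place where the code actually does its own validation.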
[Now Playing: Udja Kale Kawan - Gadar]
posted on Sunday, February 29, 2004 1:41 PM