Jan 23

ASP.NET 2.0 dumbs down request validation

Category: Security

Since the early days of ASP.NET there has been a heavy reliance on request validation to mitigate cross-site scripting issues, because many of the WebControls do not perform any output encoding. In ASP.NET v1.1 the request validation performed was fairly restrictive. It looked for tags, "expression(", on-handler strings (onClick, etc.), "javascript:", and "&#". After reviewing an ASP.NET 2.0 site I found these protections have been simplified to look only for tags and "&#".

This has a number of interesting security impacts, as any 1.1 site which relies on these protections as mitigations for security issues will find itself vulnerable once it upgrades. It would be interesting to know Microsoft's reasons for removing these checks. I would assume they caused too many customer issues, or perhaps interfered with AJAX in some way.

To recap, asp.net v1.1 performed the following checks:

  1. Look for "&#"
  2. Look for '<' followed by alphas, "!" or "/" (tags)
  3. Look for "script:"
  4. Look for on-handlers ("onXXX=")
  5. Look for "expression("
  6. Skip elements named "__VIEWSTATE"

While asp.net v2.0 and higher performs the following:

  1. Look for "&#"
  2. Look for '<' followed by alphas, "!" or "/" (tags)
  3. Skip elements with names prefixed with a double underscore ("__")

As you can see the 2.0 version is much weaker than 1.1.
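To make the difference concrete, here is a small added example (my own model of the checks as listed above, not Microsoft's actual validator code) that implements both rule sets and reports which fields of a submitted form the 2.0 validator would wave through even though 1.1 would have rejected them. That is the list an upgrade review needs: every such field is one where the page relied on request validation instead of encoding its output. The form values and field names below are constructed sample input; the regular expressions are my approximations of the rules as the post describes them.

```python
import html
import re

# Approximation of "'<' followed by alphas, '!' or '/'" (shared by 1.1 and 2.0).
_TAG_RE = re.compile(r"<[A-Za-z!/]")
# Approximation of the 1.1 on-handler check ("onXXX=").
_ON_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def _common_checks(value):
    """Checks present in both versions: '&#' and tag openers."""
    reasons = []
    if "&#" in value:
        reasons.append("entity")
    if _TAG_RE.search(value):
        reasons.append("tag")
    return reasons


def validate_v11(name, value):
    """Model of ASP.NET 1.1: returns the reasons for rejection (empty = accepted)."""
    if name == "__VIEWSTATE":          # 1.1 skips exactly this one field
        return []
    reasons = _common_checks(value)
    lower = value.lower()
    if "script:" in lower:
        reasons.append("script:")
    if _ON_HANDLER_RE.search(value):
        reasons.append("on-handler")
    if "expression(" in lower:
        reasons.append("expression(")
    return reasons


def validate_v20(name, value):
    """Model of ASP.NET 2.0: only the shared checks, and any '__' field is skipped."""
    if name.startswith("__"):
        return []
    return _common_checks(value)


def removed_protection_gap(form):
    """Fields 2.0 accepts that 1.1 would have rejected, with the 1.1 reasons.

    These are the inputs an upgraded site must now encode itself.
    """
    return {
        name: validate_v11(name, value)
        for name, value in form.items()
        if not validate_v20(name, value) and validate_v11(name, value)
    }


def render_safely(value):
    """The mitigation that does not depend on request validation: encode on output."""
    return html.escape(value, quote=True)


# Constructed sample form post (field names and values are made up for the example).
SAMPLE_FORM = {
    "title": "plain text",                   # accepted by both
    "comment": "hello <b>world",             # rejected by both (tag)
    "homepage": "javascript:doSomething()",  # 1.1 rejects (script:), 2.0 accepts
    "style": "width: expression(1)",         # 1.1 rejects, 2.0 accepts
    "handler": "onclick=go",                 # 1.1 rejects, 2.0 accepts
    "__EVENTTARGET": "<x",                   # 2.0 skips every '__' field, 1.1 did not
}

if __name__ == "__main__":
    for field, reasons in removed_protection_gap(SAMPLE_FORM).items():
        print(f"{field}: accepted by 2.0, 1.1 would reject for {reasons}")
        print(f"  encoded for output: {render_safely(SAMPLE_FORM[field])}")
```

Running it lists four of the six fields as no longer covered after an upgrade, including `__EVENTTARGET`, which shows that the broadened double-underscore skip is a second, easily overlooked, widening of the gap. The `render_safely` helper is the point of the exercise: output encoding works regardless of which validator version is in front of the page.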

Enjoy!


5 Comments so far

  1. [...] Eddington recently posted some interesting information regarding the differences in request validation being used in ASP.NET 1.1 vs. ASP.NET 2.0.  In addition to the information he’s posting, which are good things to know, I think this should [...]

  2. Rafal Los May 1st, 2008 7:04 pm

    Well – this really means that Microsoft is putting the security aspects of application development back in the hands of developers. Although this breaks the uniformity principle (the more standardized, the safer) … it’s forcing developers to actually know what they’re doing… sort of.

    Look for more vulns in .Net 2.0 code, coming to a web app near you.

  3. [...] caught up with Michael Eddington’s short and sweet analysis of the request validation in ASP.NET 2.0. So far I’ve seen a few people blast it, but I think [...]

  4. [...] phed.org » ASP.NET 2.0 dumb’s down request validation   [...]

  5. Ramesh Raja July 27th, 2008 8:03 am

    Please guide me to get VB.NET & ASP.NET dump questions & answers.

    Thank you
