ASP.NET 2.0 dumbs down request validation
Since the early days of ASP.NET there has been a heavy reliance on request validation to mitigate cross-site scripting issues, as many of the WebControls do not perform any output encoding. In ASP.NET v1.1 the request validation was fairly restrictive: it looked for tags, expressions, on-handler strings (onClick, etc.), javascript:, and "&#". After reviewing an ASP.NET 2.0 site I found these protections have been simplified to just look for tags and "&#".
This has a number of interesting security impacts, as any 1.1 site which relies on these protections as mitigations for security issues will find itself vulnerable once it upgrades. It would be interesting to know Microsoft’s reasons for removing these checks. I would assume they caused too many customer issues, or perhaps interfered with AJAX in some way.
To recap, asp.net v1.1 performed the following checks:
- Look for "&#"
- Look for ‘<’ then alphas or ! or / (tags)
- Look for "script:"
- Look for on handlers (onXXX=)
- Look for “expression(“
- Skip elements named "__VIEWSTATE"
While asp.net v2.0 and higher performs the following:
- Look for &#
- Look for ‘<’ then alphas or ! or / (tags)
- Skip elements with names prefixed with double underscore (__)
As you can see the 2.0 version is much weaker than 1.1.
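To make the difference concrete, here is an added example (not code from the post or from the ASP.NET framework) that models the two rule sets listed above as small checker functions and runs them over a constructed form submission. The exact matching details, such as case-insensitivity and the shape of the onXXX= pattern, are assumptions of this model; only the list of rules comes from the post. The `regressions()` function returns the fields the 1.1 rules would have rejected but the 2.0 rules accept, which is exactly the set a site upgrading from 1.1 must now handle with output encoding of its own.

```python
import re

# Shared rule: '<' followed by a letter, '!' or '/' (a tag start).
_TAG_RE = re.compile(r"<[A-Za-z!/]")
# 1.1-only rule: an onXXX= handler. Pattern shape is an assumption of this model.
_ON_HANDLER_RE = re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE)


def is_dangerous_v11(name, value):
    """Model of the ASP.NET 1.1 request validation rules listed in the post."""
    if name == "__VIEWSTATE":          # 1.1 skips only this exact element
        return False
    lowered = value.lower()            # case-insensitive match is an assumption
    return (
        "&#" in value
        or _TAG_RE.search(value) is not None
        or "script:" in lowered
        or _ON_HANDLER_RE.search(value) is not None
        or "expression(" in lowered
    )


def is_dangerous_v20(name, value):
    """Model of the ASP.NET 2.0 request validation rules listed in the post."""
    if name.startswith("__"):          # 2.0 skips every double-underscore element
        return False
    return "&#" in value or _TAG_RE.search(value) is not None


def validate_form(form, checker):
    """Return the sorted names of the fields that checker rejects."""
    return sorted(n for n, v in form.items() if checker(n, v))


# Constructed sample form; values are classic XSS test strings, not real traffic.
SAMPLE_FORM = {
    "comment": "Hello <b>world</b>",            # tag: rejected by both versions
    "entity": "&#60;script&#62;",                # "&#": rejected by both versions
    "link": "javascript:alert(1)",               # "script:": rejected by 1.1 only
    "style": "width: expression(alert(1))",      # "expression(": rejected by 1.1 only
    "attr": '" onmouseover="alert(1)',           # on handler: rejected by 1.1 only
    "__VIEWSTATE": "<fake>",                     # skipped by both versions
    "__custom": "javascript:alert(1)",           # checked by 1.1, skipped by 2.0
}


def regressions(form=SAMPLE_FORM):
    """Fields the 1.1 model rejects but the 2.0 model lets through."""
    v11 = set(validate_form(form, is_dangerous_v11))
    v20 = set(validate_form(form, is_dangerous_v20))
    return sorted(v11 - v20)


if __name__ == "__main__":
    print("rejected by 1.1:", validate_form(SAMPLE_FORM, is_dangerous_v11))
    print("rejected by 2.0:", validate_form(SAMPLE_FORM, is_dangerous_v20))
    print("now accepted   :", regressions())
```

The practical reading of the output is that under 2.0 a value only has to avoid a literal tag start and a numeric entity to pass, so anything a page writes into an href, a style or an attribute value without encoding is no longer covered by the framework; the fix is to HTML-encode (and attribute- or URL-encode as appropriate) at the point of output rather than to trust request validation.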
Enjoy!

[...] Eddington recently posted some interesting information regarding the differences in request validation being used in ASP.NET 1.1 vs. ASP.NET 2.0. In addition to the information he’s posting, which are good things to know, I think this should [...]
Calculated Decision » Blog Archive » ASP.NET 2.0 Worse Off Against XSS Than ASP.NET 1.1 said this on April 26, 2008 at 3:31 am |
Well – this really means that Microsoft is putting the security aspects of application development back in the hands of developers. Although this breaks the uniformity principle (the more standardized, the safer) … it’s forcing developers to actually know what they’re doing… sort of.
Look for more vulns in .Net 2.0 code, coming to a web app near you.
[...] caught up with Michael Eddington’s short and sweet analysis of the request validation in ASP.NET 2.0. So far I’ve seen a few people blast it, but I think [...]
ASP.NET 2.0’s Dumbed Down Request Validation May Actually Improve Security « omg.wtf.bbq. said this on May 2, 2008 at 7:29 pm |
[...] phed.org » ASP.NET 2.0 dumb’s down request validation [...]
ASP.NET 2.0 dumb’s down request validation « Kartik Trivedi said this on June 23, 2008 at 12:44 am |
please guide to get VB.NET & ASP.NET Dump’s questions & answers
thank u