I've seen plenty of Cross-Site Scripting attack prevention suggestions, but I'm not asking about Form Input validation. How would I prevent something like this:
javascript:(function(i,j){with(document){for(i=0;i<forms.length;++i){with(forms[i]){for(j=0;j<elements.length;++j){elements[j].disabled=false}}}}})()
from being inserted into the URL? This code would enable all form elements on a page if added to a URL. So if you disabled certain buttons based due to permissions or something then all those buttons would become enabled.
Should I just be parsing the URL and check for the Javascript keyword?
No. You can't, anyway, as it doesn't get sent to the server.
That is just JavaScript executed locally by the user themselves. It should mean nothing to you. The security of your system should never rely on client-side javascript, all your authentication, and so on, should be done server-side.
The key is to not worry much about it client-side. Server-side is where you have to be bullet-proof. Do not assume, for example, that just because you named your form inputs the same as your database column names, that you can just loop through Request.Form and persist all the data you get. You should validate that you only process the inputs you are expecting, and validate them for data type and range, as well as considering the user's permissions to alter a given field.
That way, the user can send whatever they want, you will only process and accept valid data server-side.
Related
I need to store data from a web page. There are many (80~100) input controls and I need to validate as submit the form as well. What would be the best practice, either get value one by one from every control or something better else?
That depends: when there are simple rules by which you validate your fields like checking phone numbers etc., you should do it client side before submitting. If there are some more complicated rules (or sensitive data neccessary for checking that you cannot expose to the user's browser), you should submit everything and validate server-side.
This is a clarification question: I'm studying for MCTS 70-515 and in my training kit it states that Hidden Fields: "users can view or modify data stored in hidden fields"
Now I'm aware that users can view the source of the page and then that would display the hidden field data. But I'm curious as to the modification part. How would a user modify a hidden field data and how would it affect the site? Even if they modify the data via View Source they can't save the page and then post the data back to the server.
What am I missing that the author is assuming I know?
OK well all the answers said the same thing (at this time). I guess if the author would of said "savvy" user then that might of tipped me off. I guess I've always assumed that users wouldn't know of Firebug or any other tool that can do manipulation after the page has been displayed to the user.
Thank you for all your answers. I appreciate it!
The hidden field is just a key-value-pair represented as a key-value-pair when serialized and sent to the server, just like any other form element. There are a number of ways to modify hidden fields - one is to use FireBug or some other "developer console" in the browser, another is to manually write the request and send it to the server.
In addition to using a debugging tool such as Firebug, the user could change the value of a hidden field indirectly though other interactions (with JavaScript) making the change for them. Normally, the user would be unaware of the technical detail of what they are doing (they neither know about, nor care about the fact a hidden field got changed)
Other tools, such as Fiddler, may intercept the web request and change the value of the hidden (or any) field as it is being transfered to the server on a postback.
It is possible to change the value of a hidden field on the server during a postback, as you know, or on the client using JavaScript.
Example using jQuery: http://jsfiddle.net/JGsQ5/
Once the page has been loaded by the browser, it is stored in the DOM (http://en.wikipedia.org/wiki/Document_Object_Model) which is what JavaScript manipulates and is used by the browser to build a HTTP request which is sent back to the server as a postback.
Easy, open up a program like FireBug and change the element value. Remember, markup is client side, so the server is trusting the client to send back the right data -- however, this is easily circumvented.
It is best to store data that is essential to the security of your application in session's, whereas the data remains on the server side and is tied to the client. ASP.NET can make up of hashes to prevent the unauthorized modification of fields, amoung other things.
Is it possible to decode, and thus tamper with, the rendered _EVENTVALIDATION field? I found a lot of information about what it DOES, but couldn't find anything that actually says whether or not the value itself is protected against tampering. I did attempt to base64 decode it and got gibberish back, so I'm assuming that it is in fact encrypted, but if someone knows for sure and can verify that, that would be awesome.
I do know that Viewstate is not encrypted (although you can set it to be). I'm not as interested in that, I'm just interested in eventvalidation.
I found a similar question: Is it possible to decode EventValidation and ViewState in ASP.NET? but no one seemed to have a specific answer regarding the event validation field.
Concrete example: I have a dropdown of available reports that the user can run. It's populated with some "members" reports but also some "Admin only" reports which are rendered during OnLoad, and only adds them if the user is an Admin. When the page posts back, can I trust the event validation routine to be secure and that the user has not injected an "admin only" report into the list of acceptable values, or should I re-check permissions in my postback handler to verify the user can actually use the report that was selected?
First, event validation is a backstop protection against XSRF, not against malicious users.
If you want to make sure they can only run the reports they are permitted to run, then check they are permitted to run the report at the point you run it.
Secondly, the event validation data is encrypted and has a MAC. It should be very hard to tamper with. But relying on it is not the right way to solve to your problem.
If you havn't turned off the native injection protection settings then if anyone try's to edit the controls list of values and post it back it will cause an error.
I have a webservice that I need called, the result of which determines whether or not the user is allowed to submit the form.
Since this call is from javascript and not from code behind is it not reliable? Is there any way the user can get around the check -- by either going in with firebug and enabling the submit button, somehow making the method give a different result than was actually returned by the webservice, any other ways of being able to get around it?
Basically is there any way to call a webservice from javascript and have it's result determine whether or not a form can be submitted, and actually prevent the user from submitting the form at all? -- whether or not they have firebug, etc...
No, not possible.
Just to name a few possible reasons:
what if javascript is disabled?
what if the user submits the raw POST (using libcurl, for example)?
what if the browser, that the user is using interprets javascript in a way, different from your expectations (think, portable devices)?
Javascript validation is there for your users' convenience only and should never ever be used as a means of providing security.
You can never prevent the user from making an HTTP request that mimics submission of the form. While disabling the form via Javascript prevents submission for 95% of the users who both have Javascript enabled and don't want to circumvent your access control, anyone who understands HTTP can make the call and you are correct in showing that anyone with Firebug can do it in a matter of seconds.
Javascript isn't reliable for preventing anything. It shouldn't be seen as a security-wall, as it's too easily disassembled with things like firebug, iedevelopertoolbar, and many other browser toys.
Even if you could prevent them from submitting your form on your page, nothing stops them from creating a brand new form, on their own page, and point it toward the action of your form. Thus they're removing themselves from your "secure" environment, and instead chosing to play in their own.
Your suspicion is correct; the user can easily get around any possible Javascript validation.
You will need to use server-side code.
No, it is not reliable. Try disabling Javascript in your browser to see for yourself how easily you can get around it.
The user could simply disable javascript in their browser, or use something like NoScript. The best you could do is to try setting the form action itself in the return from the Ajax request, that way the form, as loaded, won't submit (except to itself). This will probably stop casual users but would be no impediment to a slightly more determined (or just bored and tech savvy) user. You will need to check on the server side whatever you do.
In general, no. You can make the form hard to submit without going through Javascript. Make the submit button not an actual submit button (<input type="submit">), but a pushbutton (<input type="button">) that submits the form in its onClick handler.
As everyone else said, no you can't do it. The only real solution is to have the web service return some dynamic value which the Javascript inserts in a hidden form input. Then whatever server-side code processes the form submission should reject the request if that value is not present.
If ASP.NET Request Validation is enabled for a site, do you still need to HtmlEncode and HtmlDecode string information to and from simple forms (e.g. ASP Textboxes)?
If ASP.NET Request Validation is enabled for a site, do you still need to HtmlEncode
ASP.NET Request Validation is a hack to try to work around stupid authors' broken programs. Don't write broken programs.
Any text string you write into an HTML page must be HTML-encoded; this is a matter of correctness, not just security (which is a subset of correctness). Even if Request Validation could magically remove any possible XSS attack (and that is so nothing like the case), failing to HtmlEncode text output would still leave you open to producing malformed output, mangling your data. Say I was making a forum post talking about some variables a, b and c and wanted to say:
a<b b>c b>a
If that was echoed to the HTML source unencoded, I'd get:
ac b>a
and maybe the rest of the page would be bold too. Whoops!
Request Validation is bogus and shouldn't be relied upon. Being on by default and “recommended for all production environments” is sad and makes me seriously doubt the sanity of the ASP.NET team.
If you have written your program correctly, you don't need it and it will just get in your way. (For example, if SO used it, I wouldn't be able to make this post that mentions the <script> tag.) If you haven't written your program correctly, Request Validation isn't going to fix your security holes, it's just going to make them a bit more obscure.
and HtmlDecode string information
You don't usually HtmlDecode anything in a web app. You encode to push content out into HTML, but when content comes back in from a submitted form it is as plain text, not HTML-encoded.
to and from simple forms (e.g. ASP Textboxes)?
Textboxes should be fine; setting their .Text does do any necessary encoding, making the exact string you had appear in the textbox. But. Some things that look like they should be HTML-encoding automatically actually don't. For example:
myTextBox.Text= "a<b b>c"; // Fine!
myLabel.Text= "a<b b>c"; // Broken!
Oh dear. Text does not always mean Text. Sometimes, it actually means HTML. Thank you Microsoft, way to muddy the waters of a topic too many people already find hard to understand.
There's no danger from text in ASP.NET text boxes, whether Request Validation is on or off. The text box control automatically encodes data when displayed in the text box.
When outputting data that originated from the user in other places, it is important to HTML (or JavaScript) encode that data. ASP.NET's Request Validation provides only a minimum level of protection. It is not impenetrable, or even close to it. It is only designed to protect against the most simple attacks.
You still have to encode things as you output them on other parts of your site.
Edit
What I mean by other places, is that if the user enters the data into a text box, using the ASP.NET Text Box control is safe because the control automatically encodes the output so it will render safely.
Say, for example, you're working with StackOverflow's user info page. When a user chooses their username they could choose to input something that may be malicious when output in another part of your site. For example my StackOverflow login name is displayed at the top of every page for me, and is also listed on the "Users" page.
On the Users page, AJAX is used to load users. When JavaScript goes to evaluate the user name, it is not bound by the same encoding rules as HTML tags, so I could type something into the user name text box that could cause some breaking behavior when it is output in the User list.
StackOverflow obviously encodes user data correctly when sent to the client, so they're safe. Before sending my user name off to the client, they (presumably) have some JavaScript encoding routine that makes sure that my user name can't become malicious when executed in JavaScript code.
You could also have problems if using it in a non-ASP.NET input control. Input tags use attributes to define content, so you can easily enter text that would get past the Request Validation check but could allow the user to add a malicious "mouseover" attribute.