runners3431

Reputation: 1455

In ASP.NET, if I'm using the ValidatorControls, do I still need to use the anti XSS library?

In ASP.NET WebForms, if I'm using the ValidatorControls, do I still need to use the anti XSS library? For example, I'm validating TextBox1 as an email address but I'm using built-in controls.

    <form id="form1" runat="server">
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" Text="Button" />

        <asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server"
            ErrorMessage="RegularExpressionValidator"
            ControlToValidate="TextBox1"
            ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"></asp:RegularExpressionValidator>
    </form>

Upvotes: 0

Views: 39

Answers (2)

John Lee

Reputation: 1387

Yes - the validator does not stop malicious input. As long as there is data being sent back to the server, it is always vulnerable to an injection attack.

WebForms come with built-in protection via the ViewStateUserKey. It is set per user session. You can read some examples of it here: https://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx

And in regards to implementation: http://www.codeproject.com/Articles/686881/Hack-Proof-Your-ASP-NET-Applica

Upvotes: 0

IrishChieftain

Reputation: 15253

All user input is suspect. Is this the only form field on this page? User input includes:

  • URL Query Strings
  • Form Fields
  • Cookies
  • Database
  • ViewState

The most prevalent forms of attack seem to be Script Injection, Cross Site Scripting and SQL Injection. As for SQL Injection, this can be mitigated by using parameterized queries. It is the act of parameterizing the database queries that makes stored procedures so resilient to attack. The other forms of script attack can be handled by downloading and using the Microsoft Anti-Cross Site Scripting Library in your Web application projects.

A best practice would consist of the use of this library in conjunction with proper data validation (validators) and filtering (regular expressions). If you have existing code which you know is vulnerable, you can still use tools to inspect your code and then implement the necessary protection measures where needed.

Upvotes: 1
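As an added example (not code from either answer or from the asker), here is what the combination IrishChieftain describes looks like in the code-behind for the question's form: the validator's expression is re-checked on the server, the value reaches the database only as a bound parameter, and it is HTML-encoded when echoed back. Note that the question's expression allows an apostrophe in the local part (`[-+.']`), so `o'reilly@example.com` passes validation yet would break a concatenated SQL string. Assumptions: `Button1` has `OnClick="Button1_Click"`, a `Literal1` control exists on the page, and `ConnectionString` and the `Subscribers` table are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class Default : Page
{
    // Placeholder: supply a real connection string from web.config in practice.
    private const string ConnectionString = "<connection string placeholder>";

    // Same expression as the RegularExpressionValidator in the markup. The validator
    // control implicitly requires a whole-string match, so anchor it when reusing it here.
    private static readonly Regex EmailPattern = new Regex(
        @"^\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*$", RegexOptions.Compiled);

    protected void Button1_Click(object sender, EventArgs e)
    {
        // Client-side validation is trivially bypassed; always re-run it server-side.
        Page.Validate();
        if (!Page.IsValid || !EmailPattern.IsMatch(TextBox1.Text))
        {
            return;
        }

        string email = TextBox1.Text; // e.g. o'reilly@example.com passes the regex

        // SQL injection: never concatenate user input into the query text;
        // bind it as a typed parameter so the apostrophe is just data.
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Subscribers (Email) VALUES (@email)", conn))
        {
            cmd.Parameters.Add("@email", SqlDbType.NVarChar, 254).Value = email;
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // XSS: the regex is an input filter, not an output encoder. Encode for the
        // HTML context before writing user data back into the page. Literal1 is an
        // assumed control; the AntiXSS library equivalent would be
        // Microsoft.Security.Application.Encoder.HtmlEncode(email).
        Literal1.Text = "Thanks, " + HttpUtility.HtmlEncode(email);
    }
}
```

The same value needs a different encoder for each output context (HTML attribute, JavaScript, URL), which is the case the AntiXSS library's context-specific methods cover.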
