Request Validation flaw

Posted Wednesday, November 12, 2003 6:44 PM by G Andrew Duthie

I've long been a big proponent of the new Request Validation feature of ASP.NET v1.1 as a first level of defense against cross-site scripting attacks on your web applications, and have advocated leaving this feature enabled (it's on by default) unless you explicitly provide filtering and/or HTML encoding of all input to your application.

Well, a flaw has been reported in the implementation of this feature, such that it can be bypassed by specially malformed tags. The report was brought to my attention by a post from Kirk Allen Evans, who saw it on a Developmentor list. Since I've been a vocal advocate of the use of this feature, I thought it important to note the flaw.

One of the things that this highlights is that RequestValidation should only be considered (as I mention above) a first line of defense, not a complete security solution. As Scott Guthrie and others have consistently recommended, you should always HTML encode any and all text input that you accept from users that will (or may) be stored and/or displayed later. You should also consider using regular expressions (in conjunction with the RegularExpressionValidator control) to limit input to solely those characters or character sequences that are appropriate for any given input field. Taking such a multilevel approach to processing input can help protect you from a flaw in any single input filtering technique.

A fix for this flaw is available, and was made available as part of the ASP.NET 1.1 June 2003 Hotfix Rollup Package. Unfortunately, it appears that that rollup can only be obtained by contacting Product Support Services. However, a later rollup that also includes this fix can be downloaded from Microsoft. Note that hotfixes generally have not undergone the same level of testing as official patches, so if you are not directly affected by this (if your applications do not accept input, or if you've already got input filtering in place), you may want to wait for the next service pack for the .NET Framework, which will include this fix.

Bottom line is that although a fix is available for this flaw, you should always treat input appropriately, regardless of any built-in features. This means always providing your own filtering and/or (preferably and) encoding of input your application accepts.

Filed under:

Comments

# ASP.NET 1.1 Request Validation flaw

Wednesday, November 12, 2003 9:11 PM by TrackBack

# re: Request Validation flaw

Thursday, November 13, 2003 12:27 AM by Scott

Interesting, are there any offical distribution points for hotfixes?

Trackback? I'm not sure how this trackback stuff works. I'm too old skool yo.
http://www.lazycoder.com/article.php?story=2003111300015293

# re: Request Validation flaw

Thursday, November 13, 2003 12:49 AM by G. Andrew Duthie

Well, the link that I posted for the later rollup:

http://support.microsoft.com/default.aspx?scid=kb;en-us;824629

is an official Microsoft KB article, so I'm not sure how much more official you can get. What exactly are you looking for?

# re: Request Validation flaw

Thursday, November 13, 2003 12:58 PM by Scott

Well I'm subscribed to the ASP.NET RSS feed and I haven't seen anything come accross that talks about this hotfix or the other download.

I misstated when I said "official", I meant "one-stop shopping" like windowsupdate.microsoft.com is for the platform. It would be nice if I could automatically check for ASP.NET updates, especially security related ones, and have a service notify my system admins that one is available.

# re: Request Validation flaw

Thursday, November 13, 2003 1:56 PM by G. Andrew Duthie

Scott, I believe the reason that this isn't more heavily publicized is because right now the fix is only classified as a hotfix, and hotfixes haven't been as heavily regression tested. OTOH, I agree that more people should know about it, which is why I'm publicizing it here. People do, however, need to evaluate for themselves the risk associated with the flaw versus the potential risk of a hotfix causing an unrelated problem, which is not unheard of. As I said above, those who want a more stable solution should wait for the next service pack for the fix.

As long as you're using good filtering and encoding practices, this flaw will not really effect you. Another reason to spread the word about proper input processing!

# ASP.NET ValidateRequest security flaw

Thursday, November 13, 2003 9:44 PM by TrackBack

# re: The Lazy Programmer

Sunday, January 18, 2004 9:10 PM by TrackBack

# re: Cross-Site Scripting (XSS) Bug in ASP.NET 1.1

Wednesday, February 04, 2004 8:18 PM by TrackBack

# re: Request Validation flaw

Tuesday, February 10, 2004 4:04 AM by stefan demetz

http://dotnetjunkies.com/weblog/stefandemetz/posts/6748.aspx
http://dotnetjunkies.com/weblog/stefandemetz/posts/6530.aspx

# re: ASP.NET 1.1 provides auto-protection from scripting attacks

Sunday, February 29, 2004 1:51 PM by TrackBack

# ASP.NET Request Validation and Cross-Site Scripting

Tuesday, March 02, 2004 5:36 AM by TrackBack

# ASP.NET Request Validation and Cross-Site Scripting

Tuesday, March 02, 2004 5:38 AM by TrackBack

# Security through Diversity - why I don't like ValidateRequest

Tuesday, March 02, 2004 10:10 AM by TrackBack

# re: Request Validation flaw

Tuesday, March 02, 2004 1:19 PM by G. Andrew Duthie

To my anonymous poster,

If you'd like to post something more substantive, I'll leave your comment up, but my blog isn't the place for anonymous profanity, so I've deleted your recent comment.

# CJ » Blog Archive » ASP.NET XSS Security

Friday, June 16, 2006 11:32 PM by CJ » Blog Archive » ASP.NET XSS Security

PingBack from http://claytonj.wordpress.com/2006/06/17/aspnet-xss-security/

# re: Request Validation flaw

Wednesday, May 23, 2007 8:06 PM by MaryJames

Hello  all

How I can change avatar in this forum?

# re: Request Validation flaw

Saturday, June 16, 2007 3:51 PM by Bush

You have a nice site.

<a href="replicawatchesdiscount.info/.../imitation-rolex-watches.php">imitation rolex watches</a>

replicawatchesdiscount.info/.../how-to-tell-what-year-a-rolex-watch-is.php

<a href="replicawatchesdiscount.info/.../used-rolex-watches-for-sale.php">used rolex watches for sale</a>

<a href="replicawatchesdiscount.info/.../replica-watch-reviews.php">replica watch reviews</a>

<a href="replicawatchesdiscount.info/.../rolex-cellini-celiissima-watch-straps.php">rolex cellini celiissima watch straps</a>

replicawatchesdiscount.info/.../rolex-watches-singapore.php

replicawatchesdiscount.info/.../rolex-watch-movements-eta.php

<a href="replicawatchesdiscount.info/.../replica-rolex-forum.php">replica rolex forum</a>

replicawatchesdiscount.info/.../rolex-watch-catalogs.php

<a href="replicawatchesdiscount.info/.../jacobs-watch-replica.php">jacobs watch replica</a>

<a href="replicawatchesdiscount.info/.../chanel-replica-watch.php">chanel replica watch</a>

replicawatchesdiscount.info/.../24-insurance-life-replica-rolex-settlement-watch.php

<a href="replicawatchesdiscount.info/.../cheap-replica-rolex-watch.php">cheap replica rolex watch</a>

<a href="replicawatchesdiscount.info/.../cartier-replica-tank-watch.php">cartier replica tank watch</a>

replicawatchesdiscount.info/.../gold-rolex-replica.php

# Intel?? Software Network Blogs &raquo; Blog Archive &raquo; Hacking Intel - XSS Security exploit with ASP.Net using .RewritePath and Request.RawUrl bypassing ASP.Net native script protection

Tuesday, September 25, 2007 6:09 PM by Intel?? Software Network Blogs » Blog Archive » Hacking Intel - XSS Security exploit with ASP.Net using .RewritePath and Request.RawUrl bypassing ASP.Net native script protection

Pingback from  Intel?? Software Network Blogs  &raquo; Blog Archive   &raquo; Hacking Intel - XSS Security exploit with ASP.Net using .RewritePath and Request.RawUrl bypassing ASP.Net native script protection

# Intel?? Software Network Blogs &raquo; Blog Archive &raquo; Hacking Intel - XSS Security exploit with ASP.Net using.RewritePath and Request.RawUrl bypassing ASP.Net native scriptprotection

Friday, October 19, 2007 7:03 PM by Intel?? Software Network Blogs » Blog Archive » Hacking Intel - XSS Security exploit with ASP.Net using.RewritePath and Request.RawUrl bypassing ASP.Net native scriptprotection

Pingback from  Intel?? Software Network Blogs  &raquo; Blog Archive   &raquo; Hacking Intel - XSS Security exploit with ASP.Net using.RewritePath and Request.RawUrl bypassing ASP.Net native scriptprotection

# re: Request Validation flaw

Thursday, March 20, 2008 5:28 AM by BeermaBlofe

Snx for you job!

It has very much helped me!

# re: Request Validation flaw

Saturday, January 17, 2009 9:50 AM by busrider

eFront-Интернет магазин Бытовой и компьютерной техники www.e-front.com.ua

# re: Request Validation flaw

Wednesday, June 10, 2009 6:42 PM by gas powered scooters

Very nice extremely cheap gas powered scooters

www.world66.com/.../gas_powered_scoote

# re: Request Validation flaw

Wednesday, July 29, 2009 11:45 AM by name

I like it so much,

# re: Request Validation flaw

Thursday, July 30, 2009 8:13 AM by name

It is a very good thing,

# re: Request Validation flaw

Wednesday, August 05, 2009 7:48 AM by Mcbott

<a href=groups.yahoo.com/.../Which_Stars_Smoke_Cigarettes>Which Stars Smoke Cigarettes</a>

I never had to choose a subject - my subject rather chose me.

coolserg9981

# re: Request Validation flaw

Wednesday, August 05, 2009 9:55 AM by Laface

<a href=www.hi5.com/.../4304409--New+York+male+massage--front-html>New York male massage</a>  Every act of will is an act of self-limitation   coolserg9981

# re: Request Validation flaw

Wednesday, October 28, 2009 11:13 AM by MarkRight

Interesting post you got here. It would be great to read a bit more concerning that topic.

# re: Request Validation flaw

Saturday, October 31, 2009 1:29 PM by Jim

I almost forgot, the only way to protect yourself from spy gadgets and annoying calls is to use <a href="www.jammer-store.com/.../a>. Block cell phones around you.

Leave a Comment

(required) 
(required) 
(optional)
(required)