ShankuN's Blog

Gotta say, personally I think this was a mistake - it was effectively a breaking change - which meant work (not much, but still work) on existing sites to get them to work again - and for many sites retesting was required to ensure they still worked correctly. It would have been nice if this had not been enabled by default but had been included in the page definition in VS.NET and / or the default web.config. This actually stopped a number of clients upgrading to 1.1 - they had been told that it was likely their site would break due to the upgrade...

I don't agree with Scott on that point. I like the approach of software products enforcing security for non-security aware people.

That being said, the only "mistake" that I think the ASP.NET team made was to not make this feature extensible by devs, that is to be able to plug-in your own validation logic. Having a "closed" validation meant from the very beginning that -sooner or later- someone could break it and the whole feature would become useless.

-VGA

To be honest yes, it does have it's value - but my point is that it was a clear breaking change - even if it is introduced as a 'feature' - many sites just failed to work properly after this was introduced. XSS attacks were also a fairly minor problem in the majority of cases (e.g., banks tend not to allow users to post data, most forums already feature some form of tag stripping). Other 'request' attacks such as SQL Injection are potentially more destructive attack - problem is a 'lazy programmer' (e.g., http://weblogs.asp.net/erobillard/articles/3801.aspx) will tend to think that when request validation is 'on' then all incoming data can be considered 'safe'.
Point is, I don't personally feel that the responsibility for securing an app can be 'delegated' to the framework - especially when as you point out, know flaws exist - these flaws wil exist in ALL apps using the function as their primary form of protection rather than just the few who used their own means.

I agreed with Scott. This stuff broke down most of the sites I have in production, and I was looking like a moron when I have to explain why. I disabled this feature globally from all the sites I managed.
.Net 1.1 supposed to be an upgrade to 1.0, not breaking everything. something that was missing the point totally was the fact that some code sent from a page could be totally valid. an example ? This very .Net weblogs, where I remembered the editing function didn't worked at all for few days ! Because like many developers and I, ,Text use n embedded HTML editor.
Yes it should be a great idea to provide something like this turned off by default.

I fail to sympathize with those who complain about this feature. The breaking change was documented and so was the fix. Only those who upgraded with no research were surprised by the change.
Adding the change to the web.config file is trivial at worst. No re-compile, you didn't even need to break out VS.Net to make the change, notepad would handle it with ease.

Shannon, correct, it was documented but it was added not as a bug fix / some ultra-necessary change - it's just to help out lazy developers, all the apps which any concientious developer has worked on already had this type of validation in place.
To document a breaking change is far easier than fixing it (many sys admins have very limited experience of .NET and will not change web.configs necessitating getting the developers to do the fix - which can cost a fair bit for some companies)

Scott, I'm not sure I understand. You are saying that the upgrade from v1.0 to v1.1 was done by a Sys Admin with no .NET experience who requires an outside developer to change a web.config file? And that the guy didn't check with the developer(s) before doing the upgrade?

Just like the developers who deployed v1.1 on their production servers without research or testing, the Sys Admin you mention above experienced what you might call a "learning opportunity".

Yeah, I think this is a great feature for most, but I know here at Match.com we had issues with this in a web farm environment. We couldn't guarantee that we would be on the same server on the subsequent postback, so we quickly got flooded with these request validation errors, so had to quickly disable it across the site and take other measures to protect ourselves against this.

Though, I'd love to know if perhaps we needed to do something differently in our scenario, or if it's since been improved.

just for the record, I am not a fan of request validation at all. It is too stringent and lacks the control that I would like.

It is always a difficult tradeoff when you lock down functionality to create a more secure default. People who were using ASP.NET 1.0 before its release will surely remember what happened when we switched the default to run as the ASPNET user instead of the system account.

What we found was that many ASP.NET sites were suffering from problems in cross-site scripting, and many were not even aware of it. The change we made was intended to create a default that was safer. It was not intended to be a magic bullet people rely on to protect themselves, but a safety net for people who don't. It's also why we didn't make the feature very extensible, because we thought that people who wanted to do their own custom protection could easily write their own code in global.asax.

One thing we did learn is that it is painful to force sites to migrate from one version to another by default when installing, especially since there are so many ways people can install a new version on their system. In 2.0, we're planning to change the default to not migrate on install, and we're also adding UI to the IIS MMC tool to make it easy to change versions for individual apps. We'll also have a migration guide that shows people what to check out when migrating.

For Scott: Agreed, SQL injection is definitely a bigger problem. Although we can't easily protect against it automatically, we do have whitepapers and presentations that recommend how to avoid this by using programmatic parameterization. The new data controls we have in Whidbey will make this a lot easier too, by eliminating a lot of the code you have to write to create SQL queries for databinding today.

For Jason: I'd be curious to know how a web farm environment would have broken due to this feature, since it should not have any web farm dependencies. We did make additional changes to secure ASP.NET - to lock down forms auth, for example - but I'd love to hear what had broken, and how you had to fix it.

I respect the opinions of all writers comments above and having explored this issue in detail in DotNetNuke, I would like to offer my own perspective...

The requestValidation works at the Application or Page level to mitigate the chance of cross-site scripting attacks. Under the covers, I suspect it sniffs the Request stream for <script> tags and throws an error message if they exist ( apologies for my simplistic description of a potentially much more elaborate implementation ).

I suppose this works for some sites, but for sites using a common container ASPX page which inject User Controls dynamically ( ie. a portal ), this level of granularity is not enough. This is mostly related to User Controls where you actually want to permit the end user to enter HTML markup ( ie. a content editor ). Since requestValidation is an all or nothing proposition at the page level - it can not be used in this case.

In my case I explored the concept of enabling page level requestValidation by default and having a metadata flag for User Controls which allow for entry of HTML markup. If they were injected into the page then the requestValidation would become disabled. The problem is that there may be other User Controls on the same page which would then exposed to XSS.

Looking at requestValidation from a higher level, made me think of the use cases where it actually applies. If I review the entire collection of base ASP.NET web controls, I only find one which allows for free form user input - the TextBox control ( thats not saying that a hacker couldn't programmatically alter the Request object but it requires a much higher degree of sophistication ).

So my suggestion has 2 parts:

1. Expose a framework function called VerifyXSS(String) As Boolean which provides cross site scripting validation to the developer. You may even want to provide an Override where the developer could pass in an exclusion list of HTML tags.

2. Add a property to the TextBox control called VerifyXSS which defaults to True. Then when a developer retrieves the TextBox.Text value the underlying control code checks the value of the VerifyXSS property and either performs the validation or not. This provides the developer with the ability to disable the VerifyXSS at the control level which provides a higher degree of granularity.

I think that this solution would still show due diligence on the part of Microsoft in respect to XSS. Plus it provides backward compatibility and more granularity for the developer. The behaviour of applications and third party rich text editors would not be affected.

If I am missing the larger point, I apologize in advance - but I think this topic could use some constructive suggestions rather than pure criticism.

^_^,Pretty Good!

Just use this as a regular expression validator and restrict  the user so If they enter the html tag then shown an error.

Regular expression is  ^[^<^>]*$

Thanks

haha

Pingback from  ASP.NET keeps forcing us to restart IIS | keyongtech

Other than his superiority in the Iowa Classless caucuses, no more willingly than you can say 'jack robinson' catalyzed Barack Obama's historic presidential tournament more than conquering the help of <a href=www.scam.com/member.php color=Black>where to get tamiflu</font></a> Sen. Edward M. Kennedy.

At a Jan. 28, 2008 convocation at American University in Washington, the then 75-year-old revisionist warrior from Massachusetts forcefully rejected arguments that Obama was uninitiated and not amiable to go basic the realm, and drew parallels to the below breaking stump his about with waged in 1960.

The address at once firmed up Obama's bona fides with unions, Latinos and older citizens and dealt a staggering heighten to the presidential hopes of his chief commencement oppose, Hillary Rodham Clinton.

MARTINEZ, Calif. – The Contra Costa County sheriff says a neighbor reported a backyard encampment at the frequent of a squire suspected of holding a kidnapped housemaid caged in rank of 18 years, but the investigating bigwig dismissed it as a run-of-the-mill cipher violation.

Sheriff Warren E. Rupf (ROOP) said Friday <a href=www.trainingpeaks.com/.../thread-view.asp color=Black>buy tamiflu</font></a> the spokesman who inspected Phillip Garrido's yard in November 2006 did not skilled in Garrido was a registered procreant congress crook, flush hushed the Sheriff's Subdivision had the information.

Paragon September, Federal Taciturnity Chairman Ben <a href=www.kaboodle.com/annietami><font color=Black>where to buy flu</font></a> Bernanke and then-Treasury Secretary Henry Paulson pressed congressional leaders someone is concerned legislation authorizing a $700 billion monetary bailout of some of the political entity's largest money institutions, which were in liable to be of collapsing. The charge was signed into law in October.

What are you thoughtful thither swine flu therapy? Some flu vaccine, like <a href=wiki.pylonshq.com/.../~buy-tamiflu>buy tamiflu</a>

seems to oeuvre good, but i'm startled anytime...

I currently use AT&T as my service provider and don't have a data plan. If I purchase one will I be able to receive internet access on my Iphone?

________________

<a href=unlockiphone22.com/>unlock iphone 3gs 3.1.2</a>

Good evening. You can't wait for inspiration. You have to go after it with a club. Help me! Please help find sites for: Breitling versus omega watch review. I found only this - <a href="www.4ka.mipt.ru/.../BreitlingWatches">breitling watch official web site</a>. Harmless dials applied and way read, breitling watches. Watch falls heavily between bar and watch in buildings of new children, as it is intended up of a cane of appliances, breitling watches. With best wishes ;-), Meriel from Serbia.

It was extremely interesting for me to read the article. Thanks for it. I like such topics and anything that is connected to them. I would like to read a bit more soon. BTW, pretty nice design your site has, but how about changing it every few months?

Sara Pingtown

<a href="reusablecoffeefilter.info/">reusable coffee filter</a>

DUBLIN (Reuters) – The Irish <a href=http://www.redcarpetflorist.com>Los Angeles Flower Deliver</a> Aviation Authorization said it would turn a blind eye to flights to pick up where a specific left side off from all Irish airports from 1200 GMT on Tuesday but volcanic ash could bring on on more disruptions later in the week and periodically throughout the summer.

The IAA had closed airports from 0600 GMT until 1200 GMT due to wager of ash ingestion in aircraft engines, although overflights of Ireland from Britain and continental Europe had not been banned.

What do you think about adding some more pics?  No offence, content is really great. Just according to the scientists visitors acquire info much more efficient when there are some helpful pictures.

Nency Tayfon

It is extremely interesting for me to read that post. Thanks for it. I like such themes and anything connected to them. I would like to read more on this site soon.

Hilary Smith

Rather good post to read it to my thinking. By the way, why don't you place this article to social bookmarking sites? This can bring a lot of traffic to this article.

Rather cool post to track it in my opinion. BTW, why don't you place it to social bookmarks? This should bring pretty big traffic here.

It is extremely interesting for me to read this post. Thanks for it. I like such themes and everything that is connected to this matter. I definitely want to read a bit more soon.

Kate Swenson

Pretty nice blog you've got here. Thanks the author for it. I like such themes and everything connected to them. I definitely want to read more on that blog soon.

Bella Hakkinen

It is extremely interesting for me to read that article. Thanks for it. I like such topics and anything that is connected to this matter. I definitely want to read more soon.

Julia Smith

<a href="nycescort.org/">escort in nyc</a>

Rather nice site you've got here. Thanx for it. I like such themes and anything connected to this matter. I would like to read a bit more soon.

Anete Smith

<a href="escorttweets.com/">east london escort</a>

Rather nice place you've got here. Thanks for it. I like such topics and anything that is connected to this matter. I definitely want to read a bit more on that blog soon.

Avril Hakkinen

<a href="kievcityescort.com/">escort service kiev</a>

I would like to read a bit more soon. BTW, rather good design you have here, but don’t you think design should be changed every few months?

Who can comprehend and say what goods are sold on this plat: <a href=http://mosurfcobbder.chez.com> see here</a>

Thanks for the treatment of waiting!

http://mordijiew.us

Wow, pretty cool information. How can I get your RSS?

Natasha  Swift

<a href="www.wirelesscameradetectors.com/">rf bug detectors</a>

It was certainly interesting for me to read the blog. Thanx for it. I like such topics and everything that is connected to this matter. I definitely want to read more on that blog soon.

Don't you think design should be changed from time to time?

Julia Hakkinen

<a href="monacoescort.com/">massage monaco</a>

Great content. Waiting for you to continue the topic.    

Anete Simpson  

<a href="westsideescort.com/">escorts in north west london</a>

Nice article. Keep posting that way.  

Anete Smith    

<a href="parisescort.info/">paris france escorts</a>

It was extremely interesting for me to read this article. Thanks for it. I like such topics and anything connected to this matter. I would like to read more on that blog soon.

Avril Swenson

<a href="rome-escort.info/">annunci escorts roma</a>

Impressive post. Ready to read more.  

Julia Kuree    

<a href="mexicoescorts.biz/">escorts in new mexico</a>

SGFAFASDFSDAF

SDFSD

AASD

FASDF

ASD

SDAF

SDAFD

SAFSD

AFSDA

SDA

SDD

D

A

D

DSA

DSFSD

AD

ASD

SDF

SDF

SDFSDF

SDF

SDF

SDF

SDF

SDF

SDF

SDF

SDF

SDF

SDF

SD

SDF

DFS

DFS

DF

FD

DF

DF

D

FD

DF

DF

DF

DF

DF

D

D

S

SFDSFSDFS

ASD

FASD

ASDF

ASD

FASDF

ASDF

ASDF

Rather nice place you've got here. Thanks for it. I like such topics and everything that is connected to this matter. I would like to read more on that blog soon.

Julia Simpson

<a href="kolkataescort.com/">call girl in kolkata</a>

Cool text. Ready to read more.    

Avril Benedict      

<a href="kievcityescort.com/">escorts in ukraine</a>

Pretty interesting blog you've got here. Thanks for it. I like such topics and anything connected to them. I definitely want to read more on that blog soon.  

Kate Smith  

<a href="nyescorts.net/">independent escorts new york</a>