XSS Prevention – Request Validation

Out of the box ASP.NET request validation will check for potentially dangerous input in cookies, url query string or posted form values. If any javascript or html is detected the validation will respond with “potentially dangerous input was detected”. This is the first line of defence. Of course in some cases you may wish to allow input that includes html etc. For instance a customer may want the functionality to add web content. Your first reaction should be to challenge the request as it is obviously adding a risk and see if another solution can be found.

If you do want to change the web application to accept html then the first step is tell the request validation that it is optional and not mandatory. You can do this via the following web.config setting

<httpRuntime requestValidationMode=”2.0″ />

The next step is to define the exceptions that allow html to passed in. There are different levels these exceptions can be defined at. The most open is at the action level. If any action is set up as below with [ValidateInput(false)]none of the input in MyModel will not be validated.

public ActionResult Save(MyModel model)

Next level is at property level

public string MyProperty { get; set; }

The request validation is a useful first line of defense and it can if required be turned off for particular actions or better particular properties. However does the developer imlementing this understand the hole they have just punched in the security of the site?

In terms of advice on how to validate the input yourself it is extremely difficult to validate with many different tricks to bypass filters. The general advice is to whitelist rather than backlist.

Regarding request validation and considering turning it off in certain circumstances, I would suugest

1) Dont turn it off if at all possible – is there another solution?

2) Can you use an editor instead, such as MarkDown

3) If you must turn it off apply the exception to the valdiation property by property as oppose to action by action. Then validate the input yourself.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s