Scott Hanselman

My day: Back-porting Input Validation from ASP.NET 1.1 to ASP.NET 1.0

August 8, '03 Comments [1] Posted in Web Services | ASP.NET | Javascript | HttpModule

I don't know if this qualifies as evil, stupid, both, or neither, but here's a story. 

Many clients move at a very, shall we say "measured" pace and don't take upgrading from Framework 1.0 to Framework 1.1 lightly. We are very security focused here and JavaScript injection attacks are always a problem. The client doesn't want to upgrade to ASP.NET 1.1 until later this year, but they want to make sure they are in some way protected against script attacks.

So, what to do?  Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent to ASP.NET @Page Directive "validateInput = true" into a custom validateInput HttpModule.  I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.

Again, may be evil, but felt so good.   When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:

<httpModules>
    <add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10" />
</httpModules>

A couple of interesting questions came up, one of which was...

A while loop is expanded when compiling IL, and the C# equivalent is something like this:

goto L_0045;
L_0040:
  index = (index + 1);
L_0045:
  if (index >= len)
  {
    goto L_005E;
  }
  if (CrossSiteScriptingValidation.IsAtoZ(s[index]))
  {
    goto L_0040;
  }
L_005E:

Should I (for tidying up's sake) roll it back up to something like this:

//Programmer intent: look for non-alphas...
while (index < len)
{
  if (!CrossSiteScriptingValidation.IsAtoZ(s[index]))
    break;
  index++;
}

or just leave well-enough (and well-equivalent) alone?  Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.
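
As an added illustration (not code from this post, from Corillian, or from System.Web), here is a minimal C# 1.0-compatible HttpModule that hooks PreRequestHandlerExecute and rejects suspicious query-string and form values. The namespace, class name, and the simplified LooksDangerous heuristic are assumptions; the actual CrossSiteScriptingValidation logic is not reproduced.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;

namespace Example.Web   // hypothetical namespace, not the Corillian assembly
{
    public class ValidateInputModule : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Runs just before the page or handler executes, as in the post.
            app.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
        }

        public void Dispose() { }

        private static void OnPreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpRequest req = ((HttpApplication)sender).Request;
            Check(req.QueryString, "QueryString");
            Check(req.Form, "Form");
        }

        private static void Check(NameValueCollection values, string source)
        {
            for (int i = 0; i < values.Count; i++)
            {
                string v = values.Get(i);   // multi-valued keys come back comma-joined
                if (v != null && LooksDangerous(v))
                    throw new HttpException(400, "Potentially dangerous " + source + " value rejected.");
            }
        }

        // Simplified heuristic (assumption): '<' followed by a letter, '!' or '/', or "&#".
        public static bool LooksDangerous(string s)
        {
            for (int i = 0; i < s.Length - 1; i++)
            {
                char next = s[i + 1];
                if (s[i] == '<' && (IsAtoZ(next) || next == '!' || next == '/')) return true;
                if (s[i] == '&' && next == '#') return true;
            }
            return false;
        }

        private static bool IsAtoZ(char c)
        {
            return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
        }
    }
}
```

A module like this is registered under httpModules in Web.config with its own type and assembly name. A pattern check of this kind is a stopgap; encoding output with HttpUtility.HtmlEncode is still needed wherever request data is rendered.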

Monday, August 11, 2003 4:32:57 PM UTC
I'm with you on not touching if it works.
Sergio Pereira