Friday, February 06, 2004 - Posts

Hardening ASP.NET - ASP.NET querystring parameter tampering - Part 3

Parameter tampering:

UPDATE!!! possible solution:

secure Querystring
http://www.dotnetjunkies.com/HowTo/99201486-ACFD-4607-A0CC-99E75836DC72.dcik
http://www.dotnetjunkies.com/Forums/ShowForum.aspx?forumid=4922

Vote here and here on MSDN to have this functionality included in ASP.NET

From my quick and preliminary investigation of URLScan today I found out that the QueryString part of the URL is not protected.

To alleviate this issue of GET parameter tampering in ASP.NET I wrote up a little code which does the following:

- get the QueryString part of the URL
- decode it (HtmlDecode)
- parse out all the bad input
- limit the length of the query string to the minimum necessary

Since the HttpRequest class is sealed (not inheritable) there are 3 ways to do it:

1) Write an HttpHandler to deal with it
2) Extend the Page class and put this functionality in the PreRender event
3) Write your own ISAPI handler in unmanaged code
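Option 2 (a base class derived from Page), as an added example that is not the author's code: it runs the four steps above (take the raw query string, decode it, reject bad input, cap the length) and fails closed with a 400 before any page code reads a parameter. The class name, the limits and the allow-list regexes are assumptions to tune per application; the check is hooked into OnInit rather than PreRender so that it runs before Page_Load and control event handlers, which is where parameters are normally consumed. It targets classic ASP.NET (System.Web) on .NET Framework 2.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Hypothetical base page: derive pages from it instead of System.Web.UI.Page.
public class SafeQueryStringPage : Page
{
    // Constructed limits; set them to the longest query string the app legitimately needs.
    public const int MaxQueryStringLength = 256;
    public const int MaxValueLength = 64;

    // Allow-lists for decoded names and values. Anything outside them is rejected
    // outright rather than stripped, so a value can never be "repaired" into
    // something the page did not expect.
    static readonly Regex SafeName = new Regex(@"^[A-Za-z0-9_]+$", RegexOptions.Compiled);
    static readonly Regex SafeValue = new Regex(@"^[A-Za-z0-9 _\-\.@]*$", RegexOptions.Compiled);

    protected override void OnInit(EventArgs e)
    {
        // Step 1: Request.Url.Query is the raw, still-encoded "?a=b&c=d" part of the URL.
        List<string> problems = CheckQueryString(Request.Url.Query);
        if (problems.Count > 0)
        {
            // Fail closed with a 400 before Page_Load or any control handler runs.
            throw new HttpException(400, "Rejected query string: " + string.Join("; ", problems.ToArray()));
        }
        base.OnInit(e);
    }

    // Returns the findings; an empty list means the query string passed every check.
    public static List<string> CheckQueryString(string rawQuery)
    {
        List<string> problems = new List<string>();
        if (rawQuery == null || rawQuery.Length == 0)
            return problems;

        if (rawQuery[0] == '?')
            rawQuery = rawQuery.Substring(1);

        // Step 4: length check on the raw (encoded) form, so a long payload cannot be
        // hidden behind escaping that only disappears after decoding.
        if (rawQuery.Length > MaxQueryStringLength)
        {
            problems.Add("query string longer than " + MaxQueryStringLength + " characters");
            return problems;
        }

        foreach (string pair in rawQuery.Split('&'))
        {
            if (pair.Length == 0) continue;
            int eq = pair.IndexOf('=');
            string name = eq < 0 ? pair : pair.Substring(0, eq);
            string value = eq < 0 ? "" : pair.Substring(eq + 1);

            // Step 2: decode before inspecting, so the check sees what the page will see.
            name = FullyDecode(name);
            value = FullyDecode(value);

            // Step 3: reject anything outside the allow-lists or over the per-value cap.
            if (!SafeName.IsMatch(name))
                problems.Add("parameter name contains disallowed characters");
            if (value.Length > MaxValueLength)
                problems.Add("value of '" + name + "' longer than " + MaxValueLength + " characters");
            if (!SafeValue.IsMatch(value))
                problems.Add("value of '" + name + "' contains disallowed characters");
        }
        return problems;
    }

    // Apply URL decoding and HTML entity decoding until the text stops changing
    // (bounded), so a double-encoded value such as %253C is seen as '<' rather than
    // slipping past the allow-list as harmless-looking "%3C".
    static string FullyDecode(string s)
    {
        for (int i = 0; i < 3; i++)
        {
            string next = HttpUtility.HtmlDecode(HttpUtility.UrlDecode(s));
            if (next == s) return s;
            s = next;
        }
        return s;
    }
}
```

CheckQueryString is static and takes a plain string, so it can be unit-tested without an HttpContext; for a quick check, CheckQueryString("?id=42&sort=name") returns an empty list while CheckQueryString("?id=%253Cscript%253E") reports a disallowed character in the value of 'id'. Because the same validator is independent of the Page class, it can also be called from an IHttpModule in BeginRequest if every request, not just .aspx pages, should be covered.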

I put one item on my personal .NET wishlist


.NET wishlist Issue 3

Please unseal the HttpRequest class to allow integration of an HttpRequest validation engine

Harden ASP.NET - avoid SQL injection (ouch !!) - Part 2 (continued)

Robert Hulbut and I are having a nice conversation about how to harden ASP.NET and about various DBs having the same issue and my solution to it.