Check: Security decisions do not rely on client-side validation


Applies To

* ASP.NET 2.0

Description

Do not rely on client-side validation for security decisions. Use client-side validation only in addition to server-side validation, to reduce round trips to the server and to improve the user experience.

Why

Client-side validation can be bypassed. For example, a malicious user could disable your client-side script routines by disabling JavaScript.

How to Check

* Review your design to ensure there is no reliance on client-side validation.
* Review your code to ensure all sources of input are validated on the server before use.
* Test your code by bypassing the client-side validation routines and passing input that those routines would have blocked.

How To Fix

Validate all input at the server. Validate for length, range, format and type.

See the following How Tos:
* How To: Protect From Injection Attacks in ASP.NET: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000003.asp
* How To: Protect From SQL Injection in ASP.NET: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000002.asp
* How To: Prevent Cross-Site Scripting in ASP.NET: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000004.asp
* How To: Use Regular Expressions to Constrain Input in ASP.NET: http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000001.asp


Problem Example

// Date parameter from the user is passed to the database without any server-side validation
string date = Request.Form["txtDate"];
...
cmd.Parameters.Add( new SqlParameter( "date", date ) );
...

Solution Example

// Date parameter is validated on the server for type and format, then for range
DateTime date;
if( !DateTime.TryParse( Request.Form["txtDate"], out date ) )
{
    throw new Exception( "Invalid format" );
}
// Orders older than one year are only available through reports
if( date < DateTime.Now.AddYears( -1 ) )
{
    throw new Exception( "Use reports to get old orders" );
}
cmd.Parameters.Add( new SqlParameter( "date", date ) );
...
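As an added example that is not part of the original page, the following code-behind carries the same check through for all four properties named under How To Fix (type, format, length and range) and keeps the validation in a class that can be exercised without a browser. The field names txtDate and txtOrderId, the lblError and gvResults controls, the Orders table, the yyyy-MM-dd format and the one-year rule are assumptions made for the example, not details from the page.

```csharp
// Added example, not code from the original page. Assumed: the form fields
// txtDate/txtOrderId, the lblError and gvResults controls, an Orders table,
// an invariant yyyy-MM-dd date format and a one-year searchable window.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class InputValidator
{
    // Type and format: accept only an exact invariant-culture yyyy-MM-dd string,
    // so a value that merely happens to parse under the server's culture is rejected.
    public static bool TryParseDate(string raw, out DateTime value)
    {
        value = DateTime.MinValue;
        if (raw == null || raw.Length != 10)            // length check first
            return false;
        return DateTime.TryParseExact(raw, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out value);
    }

    // Range: only dates within the last year, and not in the future, are searchable.
    public static bool IsRecentOrderDate(DateTime value, DateTime today)
    {
        return value >= today.AddYears(-1) && value <= today;
    }

    // Format and length: 1 to 9 digits so the value always fits a SQL int.
    // \z rather than $ because $ in .NET also matches before a trailing newline.
    private static readonly Regex OrderIdPattern =
        new Regex(@"^\d{1,9}\z", RegexOptions.Compiled);

    public static bool IsValidOrderId(string raw)
    {
        return raw != null && OrderIdPattern.IsMatch(raw);
    }
}

public partial class OrderSearch : Page
{
    // Declared here only so the example is self-contained; in a real project
    // these come from the designer file generated for the .aspx page.
    protected Label lblError;
    protected GridView gvResults;
    private const string ConnectionString = "<connection string placeholder>";

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        // Page.IsValid re-runs the declared validator controls on the server;
        // the client-side copies may never have executed.
        if (!Page.IsValid)
        {
            lblError.Text = "Invalid input.";
            return;
        }

        DateTime date;
        if (!InputValidator.TryParseDate(Request.Form["txtDate"], out date))
        {
            lblError.Text = "Invalid date format.";
            return;
        }
        if (!InputValidator.IsRecentOrderDate(date, DateTime.Today))
        {
            lblError.Text = "Use reports to get old orders.";
            return;
        }

        string orderId = Request.Form["txtOrderId"];
        if (!InputValidator.IsValidOrderId(orderId))
        {
            lblError.Text = "Invalid order id.";
            return;
        }

        // Only validated values reach the query, and still through typed parameters.
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT OrderId, OrderDate, Total FROM Orders " +
            "WHERE OrderDate >= @date AND OrderId = @id", conn))
        {
            cmd.Parameters.Add("@date", SqlDbType.DateTime).Value = date;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value =
                int.Parse(orderId, CultureInfo.InvariantCulture);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                gvResults.DataSource = reader;
                gvResults.DataBind();
            }
        }
    }
}
```

Because the checks live in InputValidator rather than in the page, the third How to Check step can be done as a unit test: call the methods directly with the strings a client-side routine would have blocked (an empty string, a 30-character date, "2005-13-45", an order id containing letters or a trailing newline) and assert that each is rejected before any SqlCommand is built.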

Additional Resources


Related Items




