


Scoping Data Retrieval from the Request Object (C#)


Applies To

* ASP.NET 2.0
* C#

Summary

The purpose of this code snippet is to illustrate how to securely scope calls to the ASP.NET Request object when retrieving user input data. Secure scoping of the Request object ensures that input used by the application is obtained from the intended source.


Objectives

* Protect against potential data input attacks through specific designation of data source
* Make use of additional HTTP request data not normally captured within ASP.NET objects


Scenarios

* In conjunction with ViewState encryption and integrity checks to protect against user tampering of CGI data
* Application obtains user input as CGI data directly from the Request object instead of from server-side variables
* Application makes use of client certificates for user identity management and/or authentication
* Application makes use of data from HTTP headers

Solution Example

Several methods for obtaining Request object data follow:

public static string GetQueryStringData(HttpRequest Request, string arg)
{
    // Obtain input passed using HTTP GET: only the query string is consulted
    return Request.QueryString[arg];
}

public static string GetPostData(HttpRequest Request, string arg)
{
    // Obtain input passed using HTTP POST: only the form body is consulted
    return Request.Form[arg];
}

public static HttpCookie GetHTTPCookie(HttpRequest Request, string arg)
{
    // Obtain input passed as an HTTP cookie (null if the cookie is absent)
    return Request.Cookies[arg];
}

public static string GetClientCertData(HttpRequest Request, string attr)
{
    // Obtain a field of the client certificate presented on this connection,
    // such as Subject or Issuer (null if no certificate was presented)
    return Request.ClientCertificate[attr];
}

public static string GetEnvData(HttpRequest Request, string arg)
{
    // Obtain a server variable or HTTP request header, such as CONTENT_LENGTH
    return Request.ServerVariables[arg];
}


Problem Example

The following example demonstrates an unscoped call to the Request object to obtain user input.

string data = Request["argname"];

* If the application anticipates input to be passed from POST data, specifying 'argname' in the query string will result in GET data being retrieved by the application in place of the expected POST data.


Test Case

The following namespace must be imported in any project making use of the sample code provided above:

using System.Web;

An example ASP.NET aspx test page is provided below for use with the methods defined above.

<%@ Page Language="C#" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script language="C#" runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        // Scoped retrieval: only the query string is consulted, which matches the
        // form's GET method below. GetQueryStringData is the helper from the
        // Solution Example and is assumed to be in scope (e.g. defined in this script block).
        string sUserText = GetQueryStringData(Request, "TextBox");
        if (sUserText == null)
        {
            return;   // parameter absent on the first page load
        }
        sUserText = sUserText.Trim();
        // Anchored whitelist: the whole value must be alphanumeric
        // (an unanchored "[A-Za-z0-9]*" would match any input, including an empty prefix)
        System.Text.RegularExpressions.Regex wordPattern = new System.Text.RegularExpressions.Regex("^[A-Za-z0-9]*$");
        if (wordPattern.IsMatch(sUserText))
        {
            this.myLabel.Text = Server.HtmlEncode(sUserText);
        }
    }
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Request Object Example</title>
</head>
<body>
    <form id="form1" method="Get" runat="server">
    <div>
        <input type="text" name="TextBox"/>&nbsp;<br/><br/>
        <asp:Label ID="myLabel" runat="server" Text="Insert Text Above to See Here"></asp:Label><br/><br/>
        <input type="submit" name="textButton" value="Submit"/>
    </div>
    </form>
</body>
</html>


Expected Result

N/A (dependent upon input)



More Information

The data returned by an unscoped Request["var"] lookup can come from any of the following sources, which are searched in the order listed; the first collection containing "var" wins.
* Query String
* Form
* Cookies
* Client Certificate
* Server Variables/HTTP Headers
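This search order is what makes the unscoped lookup in the Problem Example risky: a query-string value shadows a POSTed one. As an added example that is not part of the original snippet, the helper below contrasts the unscoped lookup with a strictly scoped POST lookup that also refuses a parameter supplied in more than one location or more than once; the names ScopedRequest, Unscoped and GetPostDataStrict are this example's own.

```csharp
using System;
using System.Web;

public static class ScopedRequest
{
    // Unscoped lookup: Request[name] searches QueryString, Form, Cookies and
    // ServerVariables in that order, so a query-string value wins over a POSTed one.
    public static string Unscoped(HttpRequest request, string name)
    {
        return request[name];
    }

    // Scoped lookup that also rejects ambiguous input: the value must come from the
    // POST body only, and the same name must not appear in the query string or cookies.
    // Returns null when the parameter is absent from the form body.
    public static string GetPostDataStrict(HttpRequest request, string name)
    {
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            throw new HttpException(405, "POST required");
        }

        bool inQuery = request.QueryString[name] != null;
        bool inCookie = request.Cookies[name] != null;
        if (inQuery || inCookie)
        {
            throw new HttpException(400, "Parameter '" + name + "' supplied in more than one location");
        }

        // The form body may carry one name several times; reject that as well
        // rather than silently joining the values with commas.
        string[] values = request.Form.GetValues(name);
        if (values != null && values.Length > 1)
        {
            throw new HttpException(400, "Parameter '" + name + "' supplied more than once");
        }

        return request.Form[name];
    }
}
```

Logging the rejected request (method, name and which collections carried it) at the point the exception is thrown gives a useful detection signal for parameter-manipulation attempts.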


Additional Resources

* Request Object (ASP.NET): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/54d9972a-b6cd-4672-b62a-8793ce8ad335.asp
* Parameter Manipulation (ASP.NET): http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0001.asp?frame=true#pagguidelines0001_parametermanipulation


Attributes

* Applies To: .NET Framework 2.0, C#
* Category: Data Validation
* Author: Jonathan Bailey



