Scoping Data Retrieval from the Request Object (VB.NET)


Applies to

* ASP.NET 2.0
* VB.NET

Summary

The purpose of this code snippet is to illustrate how to securely scope calls to the ASP.NET Request object when retrieving user input data. Secure scoping of the Request object ensures that input used by the application is obtained from the intended source.



Objectives

* Protect against potential data input attacks through specific designation of data source
* Make use of additional HTTP request data not normally captured within ASP.NET objects


Scenarios

* In conjunction with ViewState encryption and integrity checks to protect against user tampering of CGI data
* Application obtains user input as CGI data directly from the Request object instead of from server-side variables
* Application makes use of client certificates for user identity management and/or authentication
* Application makes use of data from HTTP headers

Solution Example

Several methods for obtaining Request object data follow:

Function GetQueryStringData(ByVal Request As HttpRequest, ByVal arg As String) As String
    ' Obtain input passed using HTTP GET (query string only; no fallback to other collections)
    Return Request.QueryString(arg)
End Function

Function GetPostData(ByVal Request As HttpRequest, ByVal arg As String) As String
    ' Obtain input passed using HTTP POST (form body only)
    Return Request.Form(arg)
End Function

Function GetHTTPCookie(ByVal Request As HttpRequest, ByVal arg As String) As HttpCookie
    ' Obtain input passed as an HTTP cookie; returns Nothing if no cookie of that name was sent
    Return Request.Cookies(arg)
End Function

Function GetClientCertData(ByVal Request As HttpRequest, ByVal attr As String) As String
    ' Obtain a field of the client certificate presented with the request, such as SUBJECT or ISSUER
    Return Request.ClientCertificate(attr)
End Function

Function GetEnvData(ByVal Request As HttpRequest, ByVal arg As String) As String
    ' Obtain a server variable or HTTP request header, such as CONTENT_LENGTH
    Return Request.ServerVariables(arg)
End Function


Problem Example

The following example demonstrates an unscoped call to the Request object to obtain user input.

Dim data As String = Request("argname")

* If the application expects the input to arrive as POST data, a request that also carries 'argname' in the query string causes the GET value to be retrieved in place of the expected POST value, because the query string is searched before the form collection.
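As an added example (not code from the original page), the following module folds the five scoped accessors into one routine that names its source explicitly, and shows a consumer that refuses to take a POST-only field from any other collection; the names RequestSource, GetScoped and GetPostedAction are assumptions introduced here.

```vb
Imports System
Imports System.Web
' One enum value per source the page lists; the caller must pick exactly one.
Public Enum RequestSource
    QueryString
    Form
    Cookies
    ClientCertificate
    ServerVariables
End Enum
Public Module ScopedRequest
    ' Returns the value of key from exactly one collection of the request, or
    ' Nothing if that collection lacks it. Unlike Request(key), no other
    ' collection is consulted when the named one has no match.
    Public Function GetScoped(ByVal request As HttpRequest, ByVal source As RequestSource, ByVal key As String) As String
        Select Case source
            Case RequestSource.QueryString
                Return request.QueryString(key)
            Case RequestSource.Form
                Return request.Form(key)
            Case RequestSource.Cookies
                Dim c As HttpCookie = request.Cookies(key)
                If c Is Nothing Then Return Nothing
                Return c.Value
            Case RequestSource.ClientCertificate
                Return request.ClientCertificate(key)
            Case RequestSource.ServerVariables
                Return request.ServerVariables(key)
            Case Else
                Throw New ArgumentOutOfRangeException("source")
        End Select
    End Function
    ' Hypothetical consumer: "action" is only meaningful when it was POSTed by
    ' the application's own form. With Request("action") a copy of the key in
    ' the query string would be found first and used instead.
    Public Function GetPostedAction(ByVal request As HttpRequest) As String
        Dim action As String = GetScoped(request, RequestSource.Form, "action")
        If action Is Nothing Then Return Nothing
        ' Allow-list the values the application accepts, as the test page does with its regex
        Dim normalized As String = action.Trim().ToLowerInvariant()
        Select Case normalized
            Case "view", "edit"
                Return normalized
            Case Else
                Return Nothing
        End Select
    End Function
End Module
```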


Test Case

The following namespace must be imported in any project making use of the sample code provided above:

Imports System.Web

An example ASP.NET aspx test page is provided below for use with the methods defined above.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script language="VB" runat="server">
    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
        ' Read the field from the query string only (the form below submits with GET)
        Dim sUserText As String = GetQueryStringData(Request, "TextBox")
        ' On first load, or when the field is absent, QueryString returns Nothing
        If sUserText Is Nothing Then Exit Sub
        sUserText = sUserText.Trim()
        ' Anchored so the whole value must be alphanumeric; without ^ and $ the pattern
        ' would match an empty run at the start of any input and accept everything
        Dim wordPattern As System.Text.RegularExpressions.Regex = New System.Text.RegularExpressions.Regex("^[A-Za-z0-9]*$")
        If wordPattern.IsMatch(sUserText) Then
            Me.myLabel.Text = Server.HtmlEncode(sUserText)
        End If
    End Sub
</script>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head id="Head1" runat="server">
    <title>Request Object Example</title>
</head>
<body>
    <form id="form1" method="Get" runat="server">
    <div>
        <input type="text" name="TextBox"/>&nbsp;<br/><br/>
        <asp:Label ID="myLabel" runat="server" Text="Insert Text Above to See Here"></asp:Label><br/><br/>
        <input type="submit" name="textButton" value="Submit"/>
    </div>
    </form>
</body>
</html>


Expected Result

N/A (dependent upon input)



More Information

The data returned by an unscoped Request("var") call can come from any of the following sources, which are searched in the order listed:
* Query String
* Form
* Cookies
* Client Certificate
* Server Variables/HTTP Headers


Additional Resources

* Request Object (ASP.NET): http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iissdk/html/54d9972a-b6cd-4672-b62a-8793ce8ad335.asp
* Parameter Manipulation (ASP.NET): http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGGuidelines0001.asp?frame=true#pagguidelines0001_parametermanipulation


Attributes

* Applies To: .NET Framework 2.0, VB
* Category: Data Validation
* Author: Jonathan Bailey


