Franc Stratton's .NET (TM) Web Application, OOP, and SOA Architecture & Programming Site

A site devoted to ASP.NET (TM), SilverLight (TM) and Browser-Based WPF (TM) Applications, IIS Services, and OOP Architectures

String Validation to Prevent Malicious Input with ASP.NET

In the following ASP.NET 3.5 page, the multi-line textbox accepts a user-entered string of up to 1000 numbers and letters separated by semi-colons. To prevent malicious input, validate the string at the page level using the ASP.NET JavaScript validators, and perform a second check in the application's domain Business Logic Layer (BLL).

The first security measure is to limit the input to the textbox by setting its “MaxLength” property to 1000 characters, to prevent overrun:

The next security measure is to add a JavaScript regular expression validator to the page with an expression that allows only lower- and upper-case letters, numbers, and semi-colons, guaranteeing that the value in the control matches the specified pattern:

Notice that the textbox control is the “ControlToValidate”, the “ValidationExpression” is “^[a-zA-Z0-9^;]+$”, and the “ErrorMessage” property is “Invalid Entry!”. (Inside a character class, a “^” that is not in the first position is a literal caret, so as written the expression also admits the “^” character; “^[a-zA-Z0-9;]+$” restricts the input to exactly the three kinds of characters named.)
In the code-behind for the page button click event, the program checks the “Page.IsValid” property, which “RegularExpressionValidator1” sets to false if an unwanted character is in the user string:
///---------------------------------------------------------------------------
/// <summary>
/// Method Name: btnAddAll_Click
/// Description: Calls the ParseAndRetrieveUsers method if all criteria are met.
/// </summary>
/// <param name="sender">The button that raised the event.</param>
/// <param name="e">Event arguments.</param>
///---------------------------------------------------------------------------
protected void btnAddAll_Click(object sender, EventArgs e)
{
    // Server-side result of the page validators; never rely on the client-side check alone.
    if (Page.IsValid)
    {
        // ... the length, separator and BLL checks that follow ...

If validation fails, the validator instantly displays “Invalid Entry!” in red to the user and prevents the postback to the server. This best-practice action conserves network bandwidth and server CPU cycles by avoiding unnecessary ASP.NET postbacks.
The code then checks that the string is not empty, is at least 8 characters long, and contains a semi-colon:
string userIds = this.txtUserIDList.Text.Trim();
// Both conditions must hold (&&, not ||): an empty or too-short string is rejected.
if (userIds != string.Empty && userIds.Length >= 8)
{
    // The list must actually contain the semi-colon separator (char overload: ordinal search).
    if (userIds.IndexOf(';') != -1)
    {

Finally, the program performs a second validation in the BLL so that an attacker who bypasses the client-side JavaScript validator cannot send malicious input to the server, and from there perhaps to the database. The programmer instantiates the domain BLL and calls a Boolean method with the same regular expression as a secondary security wall:

UserImportBLL uiBLL = new UserImportBLL();
// Server-side re-check with the same allow-list; only then is the list processed.
if (uiBLL.ValidateText(this.txtUserIDList.Text.Trim()))

The code in the domain BLL is:

/// <summary>
/// Method Name: ValidateText
/// Description: Calls the abstract base BLL method, passes it a regular
/// expression, compares the text string to the regular expression, and
/// returns true or false.
/// </summary>
/// <param name="text">The user-supplied string to validate.</param>
/// <returns>True if okay, and false if not</returns>
public bool ValidateText(string text)
{
    // Allow-list of letters, digits and semi-colons. The original pattern,
    // "^[a-zA-Z0-9^;]+$", carried a stray "^" inside the character class, which
    // is a literal caret there and so let "^" through; it is removed here.
    return DHS.AppBase.BLL.ValidateItem("^[a-zA-Z0-9;]+$", text);
}

Since this is such a commonly needed validation method, all domain BLL classes derive from an abstract base BLL class that contains the common methods needed across many ASP.NET applications. The domain BLL method encapsulates the abstract base class method, so that if the regular expression API changes with a new .NET update from Microsoft, only the base BLL class needs to be updated. The abstract base BLL class item validation method is:
///---------------------------------------------------------------------------
/// <summary>
/// Method Name: ValidateItem
/// Description: Pass in strings to validate with a regex for comparison;
/// returns true or false.
/// </summary>
/// <param name="regex">Regular expression</param>
/// <param name="value">String to validate against the regex</param>
/// <returns>true or false</returns>
/// <exception cref="ArgumentException">Thrown if either parameter is null or empty.</exception>
///---------------------------------------------------------------------------
// Requires: using System; using System.Text.RegularExpressions;
public static bool ValidateItem(string regex, string value)
{
    if (regex != null && value != null && regex.Trim().Length != 0 && value.Trim().Length != 0)
    {
        // Compile the caller's pattern and test the whole value against it.
        Regex rx = new Regex(regex);
        return rx.IsMatch(value);
    }
    else
    {
        throw new ArgumentException("Parameters may not be null or empty.");
    }
}
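As an added example (not the site's own code), the following server-side validator re-applies the length and separator rules described above and uses an allow-list pattern without the two pitfalls of the page's “^[a-zA-Z0-9^;]+$”: the “^” inside the character class, which is a literal caret there, and “$”, which in .NET also matches just before a trailing newline. The class name, constants and sample inputs are constructed for this illustration.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical server-side validator for the page's semi-colon-separated user ID list (not the
// site's code). Every limit the browser enforces is re-applied here, where it cannot be bypassed.
public static class UserIdListValidator
{
    public const int MaxLength = 1000; // the TextBox MaxLength: a browser-side limit, so re-checked
    public const int MinLength = 8;    // the code-behind minimum

    // The page's own pattern, kept only to contrast its two pitfalls below.
    static readonly Regex PagePattern = new Regex("^[a-zA-Z0-9^;]+$");

    // Allow-list used here: letters, digits and ';' only. No stray '^' inside the class (there it
    // is a literal caret, so the page's pattern also admits '^'), and \A ... \z rather than ^ ... $,
    // because in .NET '$' also matches just before a final '\n'.
    static readonly Regex Allowed = new Regex(@"\A[a-zA-Z0-9;]+\z");

    public static bool IsValid(string text, out string reason)
    {
        if (text == null) { reason = "null"; return false; }
        string t = text.Trim();
        if (t.Length < MinLength) { reason = "shorter than " + MinLength; return false; }
        if (t.Length > MaxLength) { reason = "longer than " + MaxLength; return false; }
        if (t.IndexOf(';') < 0) { reason = "no ';' separator"; return false; }
        if (!Allowed.IsMatch(t)) { reason = "character outside allow-list"; return false; }
        reason = "ok";
        return true;
    }

    public static void Main()
    {
        // Constructed samples, left untrimmed so the raw pattern's behaviour is visible.
        string[] samples = {
            "jdoe;asmith;bjones",          // clean
            "jdoe;a^smith",                // caret: page pattern accepts it, allow-list rejects it
            "jdoe;asmith\n",               // page pattern accepts because '$' ignores the final '\n'
            "jdoe",                        // too short and no separator
            "jdoe;<script>",               // markup
            "a;" + new string('b', 999) }; // 1001 chars: past the browser-side MaxLength
        foreach (string s in samples)
        {
            string reason;
            bool ok = IsValid(s, out reason);
            string shown = (s.Length > 20 ? s.Substring(0, 17) + "..." : s).Replace("\n", "\\n");
            Console.WriteLine("{0,-22} page pattern={1,-5} server={2,-5} {3}",
                              shown, PagePattern.IsMatch(s), ok, reason);
        }
    }
}
```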