Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities

A well-defined set of search patterns significantly reduces the time (and cost) of a security code inspection. This post focuses on input validation vulnerabilities commonly found in ASP.NET web applications.

SQL Injection and Cross Site Scripting (XSS) String search patterns

SQL injection and XSS are the most common attacks; they exploit improper data access and missing output encoding. Following are the how-to's on finding these vulnerabilities:

Input Validation vulnerabilities String Search Patterns

To search for and find security vulnerabilities, start by asking questions, or better yet, create a list of them. Here is an example of how: Generate Your Own Security Code Review Checklist Document Using Outlook 2007.

Use a search utility such as FindStr to perform your searches (see Performing Text Searches). When Visual Studio is available you can use it instead: Visual Studio 2005 As General Code Search Tool. Any other search tool is just fine. Following are the most common questions and their search patterns.

  • Does the code rely on client-side validation?

If the code uses neither Validators nor Regex there is a potential vulnerability. Review how each control is validated for type, length, range and string format. The searches assume there is no inline code and that developers use the code-behind technique to separate markup from code.

ASP.NET pages

findstr /S /I ".Validator" *.aspx

User Controls

findstr /S /I ".Validator" *.ascx

Source code

findstr /S /I "Regex" *.cs

  • Is the code susceptible to canonicalization attacks?

Review that there is no external input involved in building paths and file names.

findstr /S /I "File" *.cs

findstr /S /I "Path" *.cs

  • Does the code validate data from all sources?

Using Cookies and QueryStrings exposes the application to the tampering threat (review STRIDE Explained to understand threats). Use of the Params property opens the door to a CSRF attack: Cross-Site Request Forgery Attack explained.

Cookies

findstr /S /I "Cookies" *.*

Query Strings

findstr /S /I "QueryString" *.*

Params

findstr /S /I "Params" *.*

  • Does the code use MapPath?

If MapPath is used, review that it does not take external input as a parameter and that it is restricted to the application's own file space. Make sure its third parameter (allowCrossAppMapping) is set to false.

findstr /S /I "MapPath" *.*
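The findstr commands above are run one at a time. As an added example (not a tool from this post), the Python script below runs the same checklist over a source tree in one pass and groups the hits by review question. It goes slightly beyond the post's first search: instead of only listing pages that mention a Validator, it flags pages that declare input controls (asp:TextBox, asp:FileUpload) but contain no Validator at all, which is the case that actually answers "does the code rely on client-side validation?". The sample files it scans are constructed inline and are not from any real project; the word-boundary regexes are a deliberate refinement of the plain findstr substrings (the post's "File" would also hit "Profile").

```python
"""Run the post's input-validation search patterns over an ASP.NET source
tree and group the hits per review question (added example)."""
import os
import re
import tempfile
from collections import defaultdict

# Patterns mirror the findstr searches in the post, case-insensitive like
# findstr /I. exts=None means all source files, like *.*.
PATTERNS = [
    ("canonicalization: File API", (".cs",), r"\bFile\b"),
    ("canonicalization: Path API", (".cs",), r"\bPath\b"),
    ("untrusted source: Cookies", None, r"\bCookies\b"),
    ("untrusted source: QueryString", None, r"\bQueryString\b"),
    ("untrusted source: Params", None, r"\bParams\b"),
    ("MapPath usage", None, r"\bMapPath\b"),
]
COMPILED = [(q, exts, re.compile(rx, re.I)) for q, exts, rx in PATTERNS]

SOURCE_EXTS = (".aspx", ".ascx", ".cs")
MARKUP_EXTS = (".aspx", ".ascx")
INPUT_CONTROL = re.compile(r"<asp:(TextBox|FileUpload)\b", re.I)
# Matches RequiredFieldValidator, RegularExpressionValidator, RangeValidator...
VALIDATOR = re.compile(r"Validator\b", re.I)
NO_VALIDATOR = "input controls without any Validator"


def iter_sources(root):
    """Yield every .aspx/.ascx/.cs file below root (findstr /S)."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SOURCE_EXTS):
                yield os.path.join(dirpath, name)


def scan(root):
    """Return {question: [(relative path, line number, line text), ...]}.
    Markup files that declare an input control but no Validator are listed
    under NO_VALIDATOR with line number 0 (the finding is file-level)."""
    hits = defaultdict(list)
    for path in iter_sources(root):
        rel = os.path.relpath(path, root)
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        for question, exts, rx in COMPILED:
            if exts and not rel.lower().endswith(exts):
                continue
            for lineno, line in enumerate(text.splitlines(), 1):
                if rx.search(line):
                    hits[question].append((rel, lineno, line.strip()))
        if rel.lower().endswith(MARKUP_EXTS):
            if INPUT_CONTROL.search(text) and not VALIDATOR.search(text):
                hits[NO_VALIDATOR].append((rel, 0, ""))
    return dict(hits)


# Constructed sample files (hypothetical, not from a real application).
SAMPLE_TREE = {
    "Login.aspx": '<asp:TextBox ID="UserName" runat="server" />\n'
                  '<asp:RequiredFieldValidator ControlToValidate="UserName" '
                  'runat="server" />\n',
    "Search.aspx": '<asp:TextBox ID="Query" runat="server" />\n',
    "Search.aspx.cs": 'string q = Request.QueryString["q"];\n'
                      'string target = Server.MapPath(Request.Params["name"]);\n',
    "Util.cs": 'return File.ReadAllText(Path.Combine(root, name));\n',
}


def write_sample_tree():
    """Materialise SAMPLE_TREE in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="review-")
    for name, body in SAMPLE_TREE.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Scan the constructed tree and print a findstr-style report."""
    hits = scan(write_sample_tree())
    for question in sorted(hits):
        for rel, lineno, line in hits[question]:
            print(f"[{question}] {rel}:{lineno} {line}")
    return hits


if __name__ == "__main__":
    demo()
```

Point scan() at a real web project root to get the same grouped report; each hit still needs the manual review the post describes (is the input constrained, and does MapPath stay inside the application?), the script only shortens the search step.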

How To Mitigate Input And Data Validation Vulnerabilities

Below are detailed step-by-step guidelines for writing code that is not vulnerable to SQL injection and XSS attacks:

  • How To: Prevent Cross-Site Scripting in ASP.NET
  • How To: Protect From Injection Attacks in ASP.NET
  • How To: Protect From SQL Injection in ASP.NET
  • How To: Use Regular Expressions to Constrain Input in ASP.NET
  • Microsoft Anti-Cross Site Scripting Library V1.5

Share Your Practices

If you’ve got more search patterns to suggest – please do so! Let’s make the World [Wide Web] a more secure place together.


Published 11 July 08 02:24 by alikl

Comments

# Alik Levin's said on July 21, 2008 8:40 AM:

This post contains string search patterns that can help identifying authentication vulnerabilities during

# Alik Levin's said on July 24, 2008 3:53 PM:

These are the questions and the search criteria I use to identify authorization vulnerabilities in the
