11.07.2015

Improving Web Application Security: Threats and - CGISecurity
Chapter 21: Code Review, page 631

Do You Validate Form Field Input?

Attackers can pass malicious input to your Web pages and controls through posted form fields. Check that you validate all form field input, including hidden form fields. Validate them for type, range, format, and length. Use the following questions to review your ASP.NET input processing:

● Does your input include a file name or file path?

You should generally avoid this because it is a high-risk operation. Why do you need the user to specify a file name or path, rather than the application choosing the location based on the user identity?

If you accept file names and paths as input, your code is vulnerable to canonicalization bugs. If you must accept path input from the user, then check that it is validated as a safe path and canonicalized. Check that the code uses System.IO.Path.GetFullPath. Canonicalizing alone is not sufficient: after GetFullPath has resolved any "." and ".." segments, the code must still confirm that the resulting path lies under the directory the application intends to expose.

● Do you call MapPath?

If you call MapPath with a user-supplied file name, check that your code uses the override of HttpRequest.MapPath that accepts a bool parameter, which prevents cross-application mapping.

try
{
    string mappedPath = Request.MapPath(inputPath.Text, Request.ApplicationPath, false);
}
catch (HttpException)
{
    // Cross application mapping attempted.
}

For more information, see section "Using MapPath" in Chapter 10, "Building Secure ASP.NET Pages and Controls."

● How do you validate data types?

Check that your code validates the data type of the data received from posted form fields and other forms of Web input such as query strings. For non-string data, check that your code uses the .NET Framework type system to perform the type checks. You can convert the string input to a strongly typed object and capture any type conversion exceptions. For example, if a field contains a date, use it to construct a System.DateTime object. If it contains an age in years, convert it to a System.Int32 object by using Int32.Parse and capture format exceptions.
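The following console program is an added example, not code from the book, showing the three checks above in hardened form: canonicalizing a user-supplied file name with Path.GetFullPath and then confirming it stays inside an allowed directory, and converting an age and a date to strongly typed values with explicit format and range checks instead of exception-driven Int32.Parse. The base directory "/var/app/uploads" and the sample inputs are constructed for the demonstration; HttpRequest.MapPath is not called because it requires an ASP.NET host, and OperatingSystem.IsWindows() assumes .NET 5 or later.

```csharp
// Added example (not from the book): hardened form-field validation.
// Assumptions: .NET 5+; base directory and inputs below are constructed.
using System;
using System.Globalization;
using System.IO;

static class InputValidation
{
    // Canonicalize a user-supplied relative file name and confirm the result
    // still lies under baseDir. Path.GetFullPath only resolves "." and "..";
    // the StartsWith containment check is what actually confines the path.
    public static bool TryResolveSafePath(string baseDir, string userInput, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(userInput)) return false;
        // The application, not the user, chooses the root: reject rooted input.
        if (Path.IsPathRooted(userInput)) return false;
        // Reject characters the OS does not allow in a path (includes NUL).
        if (userInput.IndexOfAny(Path.GetInvalidPathChars()) >= 0) return false;

        string root = Path.GetFullPath(baseDir);
        if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
            root += Path.DirectorySeparatorChar;

        string candidate = Path.GetFullPath(Path.Combine(root, userInput));
        // Windows file systems are case-insensitive, so compare accordingly there.
        StringComparison cmp = OperatingSystem.IsWindows()
            ? StringComparison.OrdinalIgnoreCase
            : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp)) return false;

        fullPath = candidate;
        return true;
    }

    // Strongly typed conversion plus a range check. NumberStyles.None rejects
    // signs, whitespace and thousands separators that int.Parse would accept.
    public static bool TryParseAge(string input, out int age)
    {
        if (!int.TryParse(input, NumberStyles.None, CultureInfo.InvariantCulture, out age))
            return false;
        return age >= 0 && age <= 150;
    }

    // Accept one explicit format; DateTime.Parse accepts far more than expected.
    public static bool TryParseDateOfBirth(string input, out DateTime date)
    {
        return DateTime.TryParseExact(input, "yyyy-MM-dd", CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out date)
               && date <= DateTime.UtcNow.Date;
    }

    static void Main()
    {
        const string baseDir = "/var/app/uploads"; // constructed for the example
        string[] paths =
        {
            "report.pdf", "sub/report.pdf", "../../etc/passwd",
            "/etc/passwd", "docs/../../secret.txt"
        };
        foreach (string p in paths)
        {
            string verdict = TryResolveSafePath(baseDir, p, out string full) ? full : "REJECTED";
            Console.WriteLine($"{p,-24} -> {verdict}");
        }

        foreach (string s in new[] { "42", " 42", "-5", "4e2", "900" })
            Console.WriteLine($"age {s,-5} -> {(TryParseAge(s, out int a) ? a.ToString() : "REJECTED")}");

        foreach (string s in new[] { "1990-05-17", "17/05/1990", "2999-01-01", "1990-5-17" })
            Console.WriteLine($"date {s,-11} -> {(TryParseDateOfBirth(s, out DateTime d) ? d.ToString("yyyy-MM-dd") : "REJECTED")}");
    }
}
```

With these inputs, only "report.pdf" and "sub/report.pdf" resolve; both traversal attempts and the rooted path are rejected before any file system call is made. The same containment idea is what the allowCrossAppMapping = false argument to HttpRequest.MapPath enforces for virtual paths: a mapped result outside the current application is treated as an error rather than returned.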
