Tutorial :Sample text that will invalidate ASP.NET text input?



Question:

I need to do some checking on a validation control but I am not sure what type of text ASP.NET will think is a security issue. Can someone give me some things to try? I tried various HTML tags and it seemed to accept them fine. This is a multiline rich textbox used for saving a field of text to the database. The code for saving is inside of an If Me.IsValid with no ELSE specified, but after the save function is called it proceeds to display a 'saved' message and redirect the page. Some users have been losing work so I think the problem is that Me.IsValid is false so the save function is called but does nothing... Anyways what can I try to invalidate this with? Note I did not write the code for this I am just troubleshooting it.


Solution:1

It sounds like you are confusing Validator controls with ValidateRequest, an internal mechanism of ASP.Net for sanitizing requests.

Validator validation is entirely dependant on your validators. Are you using a RequiredFieldValidator? Then the invalid inputs are simply blank textboxes. Is it a RegularExpressionValidator? Then you need to enter something that doesn't match the regular expression. CustomValidator? Then you need to check the validation logic.

It sounds to me more like you're worried about the input being sanitized for running database queries with. The first thing to check is that in your Page directive, "ValidateRequest" isn't being set to "false". If it is, that would explain why HTML is being allowed through.

You should also check out the following:

How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings

Validating User Input in ASP.NET Web Pages

Then, if you'd like to try a database injection attack, just google for a basic SQL Injection tutorial.


Solution:2

javascript:alert('rrrrrooooaaaarrrrr');  

Is a good start.


Solution:3

Try some ASCII Codes for non breaking spaces, carriage return, etc.

Since you're saving to a database, try some sql injection as well.


Note:If u also have question or solution just comment us below or mail us on toontricks1994@gmail.com
Previous
Next Post »