
I have my application and from the security testing team I got a bug reported about the possibility for a user to inject malicious code from our forms inputs. The application is developed in ASP.NET MVC4, .NET 4.5 and EF 5.

The attack being tested is like any usual HTML being entered, but instead of using the regular < or >, my coworker is using ＜ and ＞ (the fullwidth Unicode versions of the previous characters; see here for the full list). MVC lets these characters get through and then, somehow, the ORM removes the "wide" portion of the character and lets the standard and plain characters get into the DB. Needless to say that if not correctly encoded in the output of a view, the retrieval and rendering of these characters can lead to XSS vulnerabilities.

What I need now is a way to sanitize and perform a Normalize() of all the strings being submitted in any form in the application. Some people told me to create a custom model binder, but in the BindModel method I couldn't find a spot to modify the fields so later, the framework could recognize the cleansed values and recognize the injection.

Any suggestion will be much appreciated.

CesarD
  • please read the link http://stackoverflow.com/questions/19735214/allowing-only-certain-html-tags-as-user-input – Thanigainathan Feb 14 '14 at 20:09
  • From what I understood that wouldn't work for me, as I don't want to allow or restrict some part of the HTML I might get from inputs, all I want to do is to normalize the strings to remove all fullwidth unicode so the MVC built-in validator can react on the real characters and not get tricked with disguised ones. – CesarD Feb 14 '14 at 21:09

1 Answer


You can provide your custom request validation instead.

using System.Text;
using System.Web;
using System.Web.Util;

public class NormalizingRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        // NFKC folds compatibility characters (e.g. fullwidth '＜' U+FF1C) to their ASCII forms,
        // so the stock check sees the real '<' instead of the disguised one.
        // Note: validationFailureIndex then refers to a position in the normalized string.
        string normalized = value == null ? null : value.Normalize(NormalizationForm.FormKC);
        return base.IsValidRequestString(context, normalized, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}

In web.config

<system.web>
    <httpRuntime targetFramework="4.5" requestValidationType="YourNamespace.NormalizingRequestValidator, YourAssembly" />
</system.web>

If you also want to normalize the string you receive in your controllers, implement a custom ValueProviderFactory. See What’s the Difference Between a Value Provider and Model Binder?

Note: if you choose to only implement a ValueProviderFactory, you will have to call RequestValidator.Current to manually validate the normalized string.

LostInComputer
  • So, basically if I implement the custom request validator the way you explained, MVC by itself would be throwing the "dangerous characters detected" exception as it would if those characters were sent without disguise? – CesarD Feb 15 '14 at 13:25
  • Correct. RequestValidator is for ASP.NET so it works for both WebForms and MVC. Be aware though that JSON requests are not validated and controllers accept JSON requests by default! – LostInComputer Feb 15 '14 at 16:20
  • So unless I post data and save it to the DB in a JSON request, I shouldn't have any risk of XSS attacks that can be disguised and get through this kind of validations, right? I'll test it soon and get back later. Thanks a lot for all the advice! – CesarD Feb 15 '14 at 17:05
  • I just tested the proposed solution and it worked perfectly, though I still didn't test any Json request to verify my previous comment. – CesarD Feb 15 '14 at 18:32
  • Yes. Form post and query string are validated while JSON is not. I would concentrate my effort more in ensuring that the output is encoded rather than validating the input. – LostInComputer Feb 16 '14 at 15:55
  • Yes, we're working on encoding the output but we also don't want to keep disguised junk that could have gone through with something as simple as this. Thanks a lot!! – CesarD Feb 16 '14 at 21:47
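The answer mentions the ValueProviderFactory route and the need to call RequestValidator.Current on the normalized value but does not show it. Below is an added example of that route (not the answer's or any project's code); the class names are assumed, it covers only form fields (so, as the comments note, JSON bodies are still not validated), and it validates every field eagerly, so [AllowHtml] no longer exempts a property.

```csharp
using System.Collections.Specialized;
using System.Globalization;
using System.Linq;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

// Hypothetical factory: NFKC-normalizes form fields before the model binder sees them,
// then validates the normalized text, because ASP.NET's own check only saw the raw text.
public class NormalizingFormValueProviderFactory : ValueProviderFactory
{
    public override IValueProvider GetValueProvider(ControllerContext controllerContext)
    {
        HttpRequestBase request = controllerContext.HttpContext.Request;
        // Read the raw form without triggering the stock check: it would see only the
        // fullwidth characters and let them through anyway.
        NameValueCollection rawForm = request.Unvalidated.Form;
        var normalizedForm = new NameValueCollection(rawForm.Count);

        foreach (string key in rawForm.AllKeys)
        {
            foreach (string rawValue in rawForm.GetValues(key) ?? new string[0])
            {
                // Fullwidth '＜' (U+FF1C) and '＞' (U+FF1E) fold to '<' and '>' under NFKC.
                string value = rawValue == null ? null : rawValue.Normalize(NormalizationForm.FormKC);

                // Validate the *normalized* text with whatever validator is configured.
                int failureIndex;
                if (value != null && !RequestValidator.Current.InvokeIsValidRequestString(
                        HttpContext.Current, value, RequestValidationSource.Form, key, out failureIndex))
                {
                    throw new HttpRequestValidationException(
                        "A potentially dangerous Request.Form value was detected in field '" + key + "'.");
                }
                normalizedForm.Add(key, value);
            }
        }
        return new NameValueCollectionValueProvider(normalizedForm, CultureInfo.CurrentCulture);
    }
}

// Call from Application_Start: swap the stock form provider for the normalizing one,
// keeping its position because factories are consulted in order.
public static class ValueProviderRegistration
{
    public static void Register()
    {
        var stock = ValueProviderFactories.Factories.OfType<FormValueProviderFactory>().FirstOrDefault();
        int index = stock == null ? 0 : ValueProviderFactories.Factories.IndexOf(stock);
        if (stock != null) ValueProviderFactories.Factories.Remove(stock);
        ValueProviderFactories.Factories.Insert(index, new NormalizingFormValueProviderFactory());
    }
}
```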