Ask a Question related to ASP.NET Security, Design and Development.
-
Andy Fish #1
BIG WARNING - validation controls appear to be ignored.
Hi,
Although I have got to the bottom of this problem, it gave me quite a shock
to discover how easy it is to write a very unsafe application with .Net
validators.
The scenario was this: we wrote and tested an application using validators,
but when we deployed the app onto a different server, it accepted and
processed invalid input from the user.
Turns out that in testing the validators were running client-side. When a
client-side validator blocks the input there is no postback and hence
nothing happens on the server. However, if client-side validation is
disabled for any reason, all control events fire on the server even if the
page is invalid. If, like me, you were expecting the page processing to
finish in the event of a validation faliure and not fire button clicks etc,
you are sadly mistaken. If you use validators, you must check manually
Page.IsValid in every "click" event.
I realise this is probably in the documentation (section 34.4b(ii)
subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will think
this is obvious, but I'm sure that there must be hundreds of apps out there
that are unwittingly relying on client-side validation.
The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE VALIDATION
DISABLED. the default configuration could lull you into a false sense of
security and could lead to shipping an unsafe application.
Andy
Andy Fish Guest
-
Validation Between Controls
I have a datagrid with several fields with textboxes and drop downs. I want to be able to validate the drop down field in one column to only be... -
Validation Controls
Hello, I have placed many validation controls on an aspx webform and a user control that allows the visitor to enter a username and password and... -
Validation on custom controls
Hi, I searched through NG's etc but could not find an answer to my problem..... I have a custom control that consists of 3 textboxes. I would... -
Validation Controls Postback
I have a little problem while working with Validation Controls in extensive forms... When the user reaches the end, and something is wrong, it just... -
Dynamic Validation Controls in Netscape
I am having a problem with dynamic validation controls. I have some code that uses an XSLT to transform an XMLDocument into HTML which creates... -
Karl Seguin #2 Re: BIG WARNING - validation controls appear to be ignored.
Yes, we do consider this obvious. But I think all of us would also agree
that we see questions with respect to this all too often. Having said that,
remember that there's atleast two sides to every story (yours, mine and
Kevin's Spe...err I mean the right way). If it behaved otherwise, someone
would likely say "BIG WARNING - unable to manually control validation" and
continue to claim that microsoft removed the flexibility of blah blah
blah...so it depends how you look at it.
anyways, thanks for the heads up, hopefully this message will help someone
doing a google group search one day...
Karl
--
MY ASP.Net tutorials
[url]http://www.openmymind.net/[/url]
"Andy Fish" <ajfish@blueyonder.co.uk> wrote in message
news:OyahI6oGFHA.3472@TK2MSFTNGP09.phx.gbl...shock> Hi,
>
> Although I have got to the bottom of this problem, it gave me quite avalidators,> to discover how easy it is to write a very unsafe application with .Net
> validators.
>
> The scenario was this: we wrote and tested an application usingetc,> but when we deployed the app onto a different server, it accepted and
> processed invalid input from the user.
>
> Turns out that in testing the validators were running client-side. When a
> client-side validator blocks the input there is no postback and hence
> nothing happens on the server. However, if client-side validation is
> disabled for any reason, all control events fire on the server even if the
> page is invalid. If, like me, you were expecting the page processing to
> finish in the event of a validation faliure and not fire button clicksthere> you are sadly mistaken. If you use validators, you must check manually
> Page.IsValid in every "click" event.
>
> I realise this is probably in the documentation (section 34.4b(ii)
> subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will think
> this is obvious, but I'm sure that there must be hundreds of apps out> that are unwittingly relying on client-side validation.
>
> The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE VALIDATION
> DISABLED. the default configuration could lull you into a false sense of
> security and could lead to shipping an unsafe application.
>
> Andy
>
>
Karl Seguin Guest
-
IPGrunt #3 Re: BIG WARNING - validation controls appear to be ignored.
On 24 Feb 2005, "Andy Fish" <ajfish@blueyonder.co.uk> postulated in
news:OyahI6oGFHA.3472@TK2MSFTNGP09.phx.gbl:
a shock> Hi,
>
> Although I have got to the bottom of this problem, it gave me quite..Net> to discover how easy it is to write a very unsafe application withvalidators,> validators.
>
> The scenario was this: we wrote and tested an application usingand> but when we deployed the app onto a different server, it acceptedWhen a> processed invalid input from the user.
>
> Turns out that in testing the validators were running client-side.hence> client-side validator blocks the input there is no postback andis> nothing happens on the server. However, if client-side validationif the> disabled for any reason, all control events fire on the server evenprocessing to> page is invalid. If, like me, you were expecting the pageclicks etc,> finish in the event of a validation faliure and not fire buttonmanually> you are sadly mistaken. If you use validators, you must checkthink> Page.IsValid in every "click" event.
>
> I realise this is probably in the documentation (section 34.4b(ii)
> subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus willout there> this is obvious, but I'm sure that there must be hundreds of appsVALIDATION> that are unwittingly relying on client-side validation.
>
> The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDEsense of> DISABLED. the default configuration could lull you into a falseGood point, Andy.> security and could lead to shipping an unsafe application.
>
> Andy
>
>
No, this is not in the documentation, however, there are plenty of
informative articles available on preventing SQL injection attacks.
Testing is important, but a deliberate practice of defense in depth
is advised to all who use the web as a data aggregator.
I would suggest that if you don't already use parameterized queries,
that you learn what they are and how they can help you prevent data
content attacks against your server.
-- ipgrunt
IPGrunt Guest
-
Lau Lei Cheong #4 Re: BIG WARNING - validation controls appear to be ignored.
Just like any client-side checking using vbscript/javascript, they can
always be overrided.
So never just do client-side checking of data, do server-side checking on
the received data as well.
This may seem redundant, but client-side check enables quicker response and
fewer postbacks, while server-side check makes your data safer.
"Andy Fish" <ajfish@blueyonder.co.uk> ¦b¶l¥ó
news:OyahI6oGFHA.3472@TK2MSFTNGP09.phx.gbl ¤¤¼¶¼g...shock> Hi,
>
> Although I have got to the bottom of this problem, it gave me quite avalidators,> to discover how easy it is to write a very unsafe application with .Net
> validators.
>
> The scenario was this: we wrote and tested an application usingetc,> but when we deployed the app onto a different server, it accepted and
> processed invalid input from the user.
>
> Turns out that in testing the validators were running client-side. When a
> client-side validator blocks the input there is no postback and hence
> nothing happens on the server. However, if client-side validation is
> disabled for any reason, all control events fire on the server even if the
> page is invalid. If, like me, you were expecting the page processing to
> finish in the event of a validation faliure and not fire button clicksthere> you are sadly mistaken. If you use validators, you must check manually
> Page.IsValid in every "click" event.
>
> I realise this is probably in the documentation (section 34.4b(ii)
> subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus will think
> this is obvious, but I'm sure that there must be hundreds of apps out> that are unwittingly relying on client-side validation.
>
> The moral is this: ALWAYS TEST THE APPLICATION WITH CLIENT SIDE VALIDATION
> DISABLED. the default configuration could lull you into a false sense of
> security and could lead to shipping an unsafe application.
>
> Andy
>
>
Lau Lei Cheong Guest
-
PL #5 Re: BIG WARNING - validation controls appear to be ignored.
> No, this is not in the documentation, however, there are plenty of
Is it not in the docs ? You better read it more carefully, what the h do you> informative articles available on preventing SQL injection attacks.
think the webuivalidation.js is ???
Come on, dont blaim MS because you are bad programmers.
PL.
PL Guest
-
PL #6 Re: BIG WARNING - validation controls appear to be ignored.
> I realise this is probably in the documentation (section 34.4b(ii) subsection 2(i) sub-paragraph 23a.3.64) and many of you gurus
Try reading:> will think this is obvious, but I'm sure that there must be hundreds of apps out there that are unwittingly relying on client-side
> validation.
ms-help://MS.NETFrameworkSDKv1.1/cpguidenf/html/cpconClient-SideValidation.htm
PL.
PL Guest
-
IPGrunt #7 Re: BIG WARNING - validation controls appear to be ignored.
On 24 Feb 2005, "PL" <pblse2@yahoo.se> postulated in
news:e4M6KwvGFHA.560@TK2MSFTNGP12.phx.gbl:
microsoft.public.dotnet.framework.aspnet,microsoft .public.dotnet.framew> Subject: Re: BIG WARNING - validation controls appear to be ignored.
> From: "PL" <pblse2@yahoo.se>
> Newsgroups:
ork.aspnet.securitydo you>>>> No, this is not in the documentation, however, there are plenty of
>> informative articles available on preventing SQL injection attacks.
> Is it not in the docs ? You better read it more carefully, what the h> think the webuivalidation.js is ???
>
> Come on, dont blaim MS because you are bad programmers.
>
> PL.
>
>
>
You miss the point of his comment, which has nothing to do with the
docs, and everything to do with not depending on validators to protect
your backend data.
That's called defense in depth, and is the practice of good
programmers.
And don't blame M$ because you're a bad speller.
-- ipgrunt
IPGrunt Guest
-
Andy Fish #8 Re: BIG WARNING - validation controls appear to be ignored.
>
Just as a follow-up, the point of my original comment was not really> You miss the point of his comment, which has nothing to do with the
> docs, and everything to do with not depending on validators to protect
> your backend data.
>
> That's called defense in depth, and is the practice of good
> programmers.
>
about relying on client-side validation. no programmer worth his salt
would ever do that deliberately.
My point was that the system as a whole (the framework and development
environment) did not "fail-safe". Without reading every word of the
documentation, I wrote and tested an application making what I
beleived to be a reasonable assumption about how it would work. When I
deployed it I found out by accident that it was relying on client side
validation. IMHO this would be worth a big caveat on every page
relating to the valiation, not just a single note.
Better still, I would have click-type events only fire if the form is
valid, unless the developer specifically overrides this behaviour.
Andy Fish Guest
Reply With QuoteSimilar Questions and Discussions
Posting Permissions
- You may not post new threads
- You may post replies
- You may not post attachments
- You may not edit your posts
