Input Validation

Buffer Overflows

Buffer overflow vulnerabilities can lead to denial of service attacks or code injection. A denial of service attack causes a process crash;. code injection alters the program execution address to run an attacker's injected code. The following code fragment illustrates a common example of a buffer overflow vulnerability.

 void SomeFunction( char *pszInput ) {   char szBuffer[10];   // Input is copied straight into the buffer when no type checking is performed   strcpy(szBuffer, pszInput);   . . . } 

Managed .NET code is not susceptible to this problem because array bounds are automatically checked whenever an array is accessed. This makes the threat of buffer overflow attacks on managed code much less of an issue. It is still a concern, however, especially where managed code calls unmanaged APIs or COM objects.

Countermeasures to help prevent buffer overflows include:

• Perform thorough input validation. This is the first line of defense against buffer overflows. Although a bug may exist in your application that permits expected input to reach beyond the bounds of a container, unexpected input will be the primary cause of this vulnerability. Constrain input by validating it for type, length, format and range.

• When possible, limit your application's use of unmanaged code, and thoroughly inspect the unmanaged APIs to ensure that input is properly validated .

• Inspect the managed code that calls the unmanaged API to ensure that only appropriate values can be passed as parameters to the unmanaged API.

• Use the /GS flag to compile code developed with the Microsoft Visual C++ ⁽ development system. The /GS flag causes the compiler to inject security checks into the compiled code. This is not a fail-proof solution or a replacement for your specific validation code; it does, however, protect your code from commonly known buffer overflow attacks. For more information, see the .NET Framework Product documentation http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vccore/html/vclrfGSBufferSecurity.asp and Microsoft Knowledge Base article 325483 "WebCast: Compiler Security Checks: The “GS compiler switch."

Cross-Site Scripting

An XSS attack can cause arbitrary code to run in a user's browser while the browser is connected to a trusted Web site. The attack targets your application's users and not the application itself, but it uses your application as the vehicle for the attack.

Because the script code is downloaded by the browser from a trusted site, the browser has no way of knowing that the code is not legitimate . Internet Explorer security zones provide no defense. Since the attacker's code has access to the cookies associated with the trusted site and are stored on the user's local computer, a user's authentication cookies are typically the target of attack.

 www.yourwebapplication.com/logon.aspx?username=bob 

 www.yourwebapplication.com/logon.aspx?username=<script>alert('hacker code')</script> 

SQL Injection

A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. It can occur when your application uses input to construct dynamic SQL statements to access the database. It can also occur if your code uses stored procedures that are passed strings that contain unfiltered user input. Using the SQL injection attack, the attacker can execute arbitrary commands in the database. The issue is magnified if the application uses an over-privileged account to connect to the database. In this instance it is possible to use the database server to run operating system commands and potentially compromise other servers, in addition to being able to retrieve, manipulate, and destroy data.

 SqlDataAdapter myCommand = new SqlDataAdapter(          "SELECT * FROM Users           WHERE UserName ='" + txtuid.Text + "'", conn); 

 '; DROP TABLE Customers - 

 SELECT * FROM Users WHERE UserName=''; DROP TABLE Customers --' 

 ' OR 1=1 - 

 SELECT * FROM Users WHERE UserName='' OR 1=1 - 

Canonicalization

Different forms of input that resolve to the same standard name (the canonical name ), is referred to as canonicalization . Code is particularly susceptible to canonicalization issues if it makes security decisions based on the name of a resource that is passed to the program as input. Files, paths, and URLs are resource types that are vulnerable to canonicalization because in each case there are many different ways to represent the same name. File names are also problematic . For example, a single file could be represented as:

 c:\temp\somefile.dat somefile.dat c:\temp\subdir\..\somefile.dat c:\  temp\   somefile.dat ..\somefile.dat 

Ideally, your code does not accept input file names. If it does, the name should be converted to its canonical form prior to making security decisions, such as whether access should be granted or denied to the specified file.

Countermeasures to address canonicalization issues include:

• Avoid input file names where possible and instead use absolute file paths that cannot be changed by the end user.

• Make sure that file names are well formed (if you must accept file names as input) and validate them within the context of your application. For example, check that they are within your application's directory hierarchy.

• Ensure that the character encoding is set correctly to limit how input can be represented. Check that your application's Web.config has set the requestEncoding and responseEncoding attributes on the <globalization> element.