Wednesday, June 30, 2010

Validation of the Validators





Microsoft .net framework has rich libraries for validation aka .net validators which provides both client side and server side validation in a neat fasion. However, there are some serious security pitfalls. There are built in validators for known problems (e.g. required paramters, regex, ..etc) Also, the developer can create a custom validator which gives more power over the validation process, yet more complication.

This is a good article talking about various aspects of .net validation. Built in validators performs client side validation to enhace user experience and server side validation for security purposes. In custome validators, you have to write your own validation code for both server side and client side.

Although .net validators are very useful to increase the overall security posture of applications, the real problem is that developers take them for granted! Unfortunately, validators are not called all of the time. There are certain scenarios where the validation event is not raised.

For example, when calling Server.Transfere(), the destination page does not raise the validation event, hence, one can bypass validation all along in the second page. Also, validation is caused only when the validated control has the property "CausesValidation" set to true which is not the default value for all controls. Another issue rises if you consider custom controls which may be developed by "not very security aware" developers who forgot to set the valdiation flag.

Another fatal misconception is the timing for the validation event firing. The validation event is fired AFTER page_load event, so any logic in page_load is done prior to any validation. To force the validation event, "IsValid()" function has to be called on the concerned object before using it.

Bottom line, .net validators are very useful, but developers should not take them for granted. Validation events has to be manually checked to be functioning in all pages and manually triggered when needed .

Update 0x01: In addition to not being called all the time, .net validators filters are not perfect and can be evaded. Check this excellent paper on reverse engineering .net filters.

Update 0x02: In a discussion on a reputable application security list, it was suggested to add traps on server side validators to detect client side validation was bypassed; Hence a probable hacking attempt.