Question
.Net has a feature called request validation which detects malicious inputs and blocks the request.
By its nature, request validation is not a precise science. OWASP clearly recommends relying on request validation only as defence-in-depth, not as a security boundary.
I am updating a .Net security training course, and I'd like to include an example of why you should not rely on request validation. Sure, I could tell the trainees "don't do it" - but an example is very powerful.
I have found that request validation in .Net 4.5 has been tightened, and my previous methods of bypassing it no longer work. Are there any publicly known ways to bypass .Net 4.5 request validation, for XSS?
Explanation / Answer
There are a number of places where request validation may be bypassed, depending on the architecture and function of the application under review, which is likely why Microsoft don't recommend relying on it.
- Data which enters the application via another channel (e.g. an API) will not be affected by request validation and so could cause XSS issues if that data is rendered without any additional controls.
- Request validation only really helps where data is placed into an HTML context; where it's placed into a JavaScript context, for example, it won't provide good protection.
- Request validation doesn't cover all data sent from the client. For example, if the application processes data from user HTTP headers (e.g. User-Agent), it can render the site vulnerable to XSS.
- Data can enter the application via areas such as file upload, which again won't always trigger request validation.
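
For the training course, the control that covers all four cases in the list above is output encoding chosen for the context the value is written into, applied no matter which channel the value arrived on. The following is an added example, not part of the original answer; the class and method names are hypothetical, the sample values are constructed, and it assumes a reference to System.Web on .NET Framework 4.5.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework 4.5)

// Hypothetical helper: one encoder per output context. The caller picks the
// method by where the value is written, not by where the value came from.
public static class OutputContexts
{
    // Text placed between HTML tags.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    // Value placed inside a double-quoted HTML attribute.
    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    // Value placed in a <script> block as a string literal.
    // The second argument makes the encoder emit the surrounding quotes,
    // so the template never supplies its own quote characters.
    public static string ForJsString(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted ?? string.Empty, true);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values standing in for data from channels the
        // answer lists: an HTTP header, an API payload, an upload's file name.
        string userAgent = "Mozilla/5.0 <b>sample</b>";
        string apiDisplayName = "O'Brien \"ops\"";
        string uploadedFileName = "report \"Q3\" <final>.pdf";

        Console.WriteLine("<p>Browser: " + OutputContexts.ForHtmlBody(userAgent) + "</p>");
        Console.WriteLine("<a title=\"" + OutputContexts.ForHtmlAttribute(uploadedFileName) + "\">download</a>");
        Console.WriteLine("<script>var displayName = " + OutputContexts.ForJsString(apiDisplayName) + ";</script>");
    }
}
```

Running it prints the three fragments so trainees can compare how the same kinds of characters are treated in an HTML body, an attribute and a JavaScript string.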