Document: Module 3: Validating User Input (doc)




Document information

Module 3: Validating User Input

Contents
Overview
Lesson: User Input
Lesson: Types of User Input Attacks
Lesson: Performing Validation 23
Lesson: Revealing As Little Information As Possible to Users 38
Review 46
Lab 3: Verifying User Input 48

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2002 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Presentation:
90 minutes
Lab: 30 minutes

This module provides students with an explanation of how to manage user input in a Web application in a secure way. The methods for checking user input, and a discussion of the consequences of not performing those checks, are the focus of this module. After completing this module, students will be able to secure their Web applications by validating user input.

After completing this module, students will be able to:
! Identify the sources of user input in a Web application
! Describe the different types of user input attacks
! Implement user input validation
! Use communications analysis and coding best practices to avoid providing information that can be used for security attacks

Required materials
To teach this module, you need the following materials:
! Microsoft® PowerPoint® file 2300A_03.ppt
! HTML and Flash animation files: 2300A_03_A05_1640.htm, 2300A_03_A05_1640.swf

Preparation tasks
To prepare for this module:
! Read all of the materials for this module
! Complete the lab
! Practice the steps for the demonstrations
! Review the multimedia demonstration
! Read the TechNet articles, “Cross-site Scripting Overview,” “Cross-Site Scripting Security Exposure Executive Summary,” and “Cross-Site Scripting: Frequently Asked Questions,” which are available at http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/topics/csoverv.asp
! Read the Microsoft MSDN® article, “HOWTO: Prevent Cross-Site Scripting Security Issues in CGI or ISAPI,” which is available at http://support.microsoft.com/directory/article.asp?ID=KB;EN-US;Q253165&
! Read the MSDN article, “RequiredFieldValidator Control,” which is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconrequiredfieldvalidatorcontrol.asp
! Read the MSDN article, “RegularExpressionValidator Control,” which is available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/cpconregularexpressionvalidatorcontrol.asp
! Read Chapter 12, “Securing Against Attack,” in Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard (Redmond, Microsoft Press®), 2000

How to Teach This Module
This section contains information that will help you to teach this module.

Lesson: User Input
This section describes the instructional methods for teaching each topic in this lesson.

Identifying the Sources of User Input
Discuss the various sources that can be used to accept user input in a Web application. Explain how these sources can be maliciously used by an attacker to enter a Web application.

Why Validate User Input?
Discuss how accepting all user input without performing any validation can be detrimental to the Web application.

Types of User Input Validation
User input can be validated at the server side or the client side. Explain to the class that although performing client-side validation is important because it reduces round-trips to the Web server, it is not secure. Therefore, as a best practice, the validation must also be performed at the server side.

Multimedia: Client-Side and Server-Side Processing
This animation shows the procedure for client-side and server-side processing. The sequence of steps that occur during this multimedia demonstration is as follows: The client requests a Microsoft ASP.NET page from the Web server. The server returns a page that contains Hypertext Markup Language (HTML) and script to the client. The page includes TextBox and Button controls. The page also contains client-side script that validates the contents of the text box. If the user types invalid information in the text box, the client-side script generates a message box. Because no information has been sent to the server, client-side processing reduces
network traffic and response times. The user corrects the information in the text box, and then clicks Submit. The information is validated at the client side and is then sent to the server, where server-side processing can occur. The server repeats the validation and stores the information from the text box in a database. Because the client-side script cannot access server resources, server-side processing offers a greater range of flexibility in data processing.

Lesson: Types of User Input Attacks
This section describes the instructional methods for teaching each topic in this lesson.

URL Format Attacks
Explain how canonical Uniform Resource Locator (URL) formats can become a weakness that exposes a Web application to attack. Canonicalization mistakes are caused when the Web application implements security decisions based on a name (such as a file name, a directory name, or a URL) and more than one representation of the resource name exists, which can lead to the security check being bypassed.

HTTP Cookie Attacks
Explain the two types of cookies that can be used in a Web application to store data: persistent and session. Emphasize that cookies can be modified, and therefore storing sensitive data in a cookie can prove to be dangerous for a Web application.

HTTP Header Attacks
Emphasize that Hypertext Transfer Protocol (HTTP) header values can be changed and therefore should not be trusted.

Form Data Attacks
Discuss the vulnerabilities that exist in accepting user input using a form. Emphasize the best practices that must be used before accepting user input.

Demonstration: A Form Data Attack
Use this demonstration to explain how data can be modified maliciously at the client side.

Script Command Injection Attacks
This topic uses an animated slide to show how a script command injection attack occurs in four steps. Cover the explanation for the corresponding step as it appears on the slide.

Demonstration: A Script Command Injection Attack
Use this
demonstration to explain how a script command injection attack is performed on a Web application.

Lesson: Performing Validation
This section describes the instructional methods for teaching each topic in this lesson.

ASP.NET Validation Controls
ASP.NET includes new functionality named Web Server Controls, which contains five controls that can be used to validate user input. Use examples to explain when these Web Server Controls should be used.

Using ASP.NET Validation Controls
This topic describes the common properties of Web Server Controls and how these controls help in preventing user input attacks.

Demonstration: Using Validation Controls
Use this demonstration to explain how a RequiredFieldValidator control can be used to verify that a TextBox control does not accept blank entries from users.

Regular Expressions
Explain the need for regular expressions and briefly discuss the elements of regular expressions that are covered in this topic. Inform students that this topic covers only the commonly used regular expression elements and that the complete list of regular expression elements can be located in Microsoft Visual Studio® .NET Help. Open Visual Studio .NET Help and search for regular expressions. Open the page that provides a comprehensive list of regular expression elements and show that list to the students in the class.

Using Regular Expression Validation in ASP.NET
Explain how students can use regular expressions to secure their ASP.NET Web applications by matching the string with the pattern that is defined in regular expressions. ASP.NET uses two different classes for creating and using regular expressions: RegularExpressionValidator and Regex. Show the code examples for implementing both of these classes by clicking the code example link that is provided at the bottom of the slide.

Using Regular Expression Validation in ASP
Explain how students can use regular expressions to secure their Active Server Pages (ASP)
Web applications by matching the string with the pattern that is defined in regular expressions. Use the code example link that is provided at the bottom of the slide to show the two different implementations of regular expressions in ASP Web applications.

Demonstration: Using Regular Expressions
In this demonstration, students will see how a regular expression can be used to verify that an input control has a properly formatted social security number.

Practice: Break This Page
In this practice, students will attempt to find all of the possible security weaknesses on an existing Web page.

Lesson: Revealing As Little Information As Possible to Users
This section describes the instructional methods for teaching each topic in this lesson.

Concealing Private and Implementation Information
Discuss in the class how revealing information to users can benefit attackers. Explain why it is important to conceal private and implementation details in the messages that are sent back to users. You can use the example that a Web application might use a user logon name to greet users, which is a bad security practice. If the students need to provide personalization in their Web application, they should use the user’s first name or nickname to address the user, rather than using the user’s logon name.

Providing Feedback to Users
A Web application interacts with users to provide them feedback on their actions. Feedback is provided under normal conditions, such as a verification message and a success message, or under error conditions, such as an error message. Emphasize to the class that the feedback message should be generic and concise.

Obscuring Error Details from Users
Detailed error messages can help attackers to find out the implementation details of an organization’s Web application and can also help the attackers to determine the vulnerabilities in the Web application. Therefore, it is important to obscure error details in the messages. This topic covers obscuring error details in ASP Web
applications and ASP.NET Web applications. Emphasize to the class that detailed error messages are helpful during Web application development because they help Web developers in debugging. Therefore, most Web applications may be configured to display detailed error messages during the development phase. However, it is then important to ensure that detailed error messages are obscured before moving the Web application to the production server.

Putting Literal Values in Secured Files
Discuss how storing literal values in script or source code can be dangerous for a Web application. Inform students that they must never store literal values in script or source code. Instead, they must store literal values in secured configuration files or in the Microsoft Windows® registry.

Lab 3: Verifying User Input
Introduce the lab by stating that the labs for Course 2300, Developing Secure Web Applications, create two Web applications, TailspinToys and TailspinToysAdmin. By accessing the TailspinToys Web application, users will be able to get a list of the products that are created by Tailspin Toys, and resellers will be able to view the status of their orders. By accessing the TailspinToysAdmin Web application, employees will be able to create new reseller accounts and update the status of reseller orders. This lab edits the logon page of the Tailspin Toys Web application to use a strong password. For this lab, a strong password must have at least one number, one lowercase letter, and one uppercase letter, and must be at least characters long, but not more than 20 characters long.

Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

Lab Setup
To complete this lab, you will use the following Visual
Studio .NET solutions and projects:
! Two Visual Studio .NET solutions, 2300Labs and 2300Labs.NET, which are in the \My Documents\Visual Studio Projects folder
! Four Web application projects, TailspinToys, TailspinToysAdmin, TailspinToys.NET, and TailspinToysAdmin.NET, which are in the \Inetpub\wwwroot folder

You will use the 2300Labs solution and the TailspinToys and TailspinToysAdmin Web applications to complete the ASP exercises in this lab. You will use the 2300Labs.NET solution and the TailspinToys.NET and TailspinToysAdmin.NET Web applications to complete the ASP.NET exercises in this lab.

You must assign each student a TailspinToys account to use for the labs. The following is a list of the accounts that exist in the TailspinToys database. These names correspond to the student computer names, so you can tell each student to use his or her respective user name when accessing the TailspinToys Web application throughout the labs in Course 2300, Developing Secure Web Applications.

User name     Password
Acapulco      P@ssword8
Auckland      P@ssword8
Bangalore     P@ssword8
Bonn          P@ssword8
Brisbane      P@ssword8
Caracas       P@ssword8
Casablanca    P@ssword8
Denver        P@ssword8
Glasgow       P@ssword8
Khartoum      P@ssword8
Lima          P@ssword8
Lisbon        P@ssword8
London        P@ssword8
Manila        P@ssword8
Miami         P@ssword8
Montevideo    P@ssword8
Moscow        P@ssword8
Nairobi       P@ssword8
Perth         P@ssword8
Santiago      P@ssword8
Singapore     P@ssword8
Stockholm     P@ssword8
Suva          P@ssword8
Tokyo         P@ssword8
Tunis         P@ssword8
Vancouver     P@ssword8

Lab Results
There are no configuration changes on student computers that affect replication or customization.

Overview
! User Input
! Types of User Input Attacks
! Performing Validation
! Revealing As Little Information As Possible to Users

*****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction
In this module, you will learn how to manage user input in a secure way. An important security best practice that you must follow is to never trust user input. If you trust a user’s input in a Web application, you are making your Web application vulnerable to attack. If your Web application accepts input from users, it is imperative that the Web application validate the input before processing it. The methods for checking user input, and an explanation of the consequences of not performing those checks, are the focus of this module.

Objectives
After completing this module, you will be able to:
! Identify the sources of user input in a Web application
! Explain the different types of user input attacks
! Implement user input validation
! Use communications analysis and coding best practices to avoid providing information that can be used for security attacks

Note: The code samples in this module are provided in both Microsoft® Visual Basic® .NET and C#.

Lesson: User Input
! Identifying the Sources of User Input
! Why Validate User Input?
! Types of User Input Validation
! Multimedia: Client-Side and Server-Side Processing

Introduction
In this lesson, you will learn about the sources of user input in a Web application. You will also be introduced to the reasons for validating user input and the various ways to perform input validation.

Lesson objectives
After completing this lesson, you will be able to:
! Identify the sources of user input
! Decide when user input validation is necessary
! Describe the different types of user input validation methods

Review
! User Input
! Types of User Input Attacks
! Performing Validation
! Revealing As Little Information As Possible to Users

What are the five sources of user input?
URLs, GET data, POST data, cookies, HTTP headers.

Why is client-side form validation not secure?
An attacker can modify data in client-side validation. For GET forms, the attacker can merely modify the URL to modify the GET form parameters. For POST forms, the attacker can save and modify the HTML.

How do you protect your Web application against a script injection attack?
Validate all user input that will be used to generate script, or the user input that will be returned to the user.

What ASP.NET validation control do you use to ensure that a user types a value in a form field?
The RequiredFieldValidator control.

What ASP.NET validation control do you use to ensure that a form field’s value is a properly formatted telephone number?
The RegularExpressionValidator control.

What object do you use to perform regular expression matches in an ASP script?
The RegExp object for VBScript and the string object for JScript.

Write an example of a secure logon failure message.
"Logon failed, please try again."

Lab 3: Verifying User Input
! ASP Exercise 1: Verifying User Input
! ASP Exercise 2: Creating Secure User Messages
! ASP.NET Exercise 3: Verifying User Input
! ASP.NET Exercise 4: Creating Secure User Messages

Objectives
After completing this lab, you will be able to:
! Use regular expressions to validate user input
! Create user messages that are minimal and informative

Prerequisites
Before working on this lab, you must have:
! The knowledge and skills to create server-side script in ASP
! The knowledge and skills to add Web controls to a Web Form, and to create code in a code-behind file in ASP.NET

Note: This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations. For instance, this lab does not comply with the recommendation that all error conditions and exceptions are handled.

Scenario
In the labs for Course 2300, Developing Secure Web Applications, you will create two Web applications, TailspinToys and TailspinToysAdmin. By accessing the TailspinToys Web application, users will be able to get a list of the products that are created by Tailspin Toys, and resellers will be able to view the status of their orders. By accessing the TailspinToysAdmin Web application, employees will be able to create new reseller accounts and update the status of reseller orders.

In this lab, you will edit the logon page of the Tailspin Toys Web application. You want to ensure that users of the Web application use only strong passwords. For this lab, a strong password must have at least one number, one lowercase letter, and one uppercase letter, and must be at least characters long, but not more than 20 characters long.

Note: The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events that are depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred.

Estimated time to complete this lab: 30 minutes

Exercise Lab Setup
To complete this lab, you will use the following Visual Studio .NET solutions and projects:
! Two Visual Studio .NET solutions, 2300Labs and 2300Labs.NET, which are in the \My Documents\Visual Studio Projects folder
! Four Web application projects, TailspinToys, TailspinToysAdmin, TailspinToys.NET, and TailspinToysAdmin.NET, which are in the \Inetpub\wwwroot folder

You will use the 2300Labs solution and the TailspinToys and TailspinToysAdmin Web applications to complete the ASP exercises in this lab. You will use the 2300Labs.NET solution and the TailspinToys.NET and TailspinToysAdmin.NET Web applications to complete the ASP.NET exercises in this lab.

Your instructor will assign you one of the following user names, from the TailspinToys database’s User table. Use your respective user name when accessing the TailspinToys Web application throughout the labs in Course 2300, Developing Secure Web Applications.

User name     Password
Acapulco      P@ssword8
Auckland      P@ssword8
Bangalore     P@ssword8
Bonn          P@ssword8
Brisbane      P@ssword8
Caracas       P@ssword8
Casablanca    P@ssword8
Denver        P@ssword8
Glasgow       P@ssword8
Khartoum      P@ssword8
Lima          P@ssword8
Lisbon        P@ssword8
London        P@ssword8
Manila        P@ssword8
Miami         P@ssword8
Montevideo    P@ssword8
Moscow        P@ssword8
Nairobi       P@ssword8
Perth         P@ssword8
Santiago      P@ssword8
Singapore     P@ssword8
Stockholm     P@ssword8
Suva          P@ssword8
Tokyo         P@ssword8
Tunis         P@ssword8
Vancouver     P@ssword8

ASP Exercise 1: Verifying User Input
In this exercise, you will use a regular expression and the RegExp object to verify that a user’s password is a strong password.

! Validate that the user’s password is strong
1. Run Visual Studio .NET and open the 2300Labs solution.
2. In Solution Explorer, open the ChangePassword.asp page in the TailspinToys project.
3. If necessary, switch to HTML view of the ChangePassword.asp file.
4. At the end of the ASP script block, add the IsStrong function as shown in the following code:

    Function IsStrong(sPassword)
        Dim re
        Set re = New RegExp
        re.Pattern = "^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])"
        If re.Test(sPassword) And Len(sPassword) >= And _
           Len(sPassword)
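The following is an added example, not part of the course materials, that ports the lab's IsStrong check to JavaScript and combines it with the module's other two rules: repeat the validation on the server, and return only a generic message. The minimum password length is blank in the text above, so the value used here (MIN_LENGTH = 8) is an assumption; the handler, its field names and the sample submissions are constructed for illustration.

```javascript
// Added example (not from the course): the lab's strong-password rule in
// JavaScript, checked on the server side, with generic feedback to the user.

// The course text leaves the minimum length blank; 8 is an assumption here.
// The 20-character maximum is stated in the lab description.
const MIN_LENGTH = 8;
const MAX_LENGTH = 20;

// Same pattern as the lab's RegExp: three lookaheads, requiring one digit,
// one lowercase letter and one uppercase letter somewhere in the string.
// Lookaheads consume nothing, so the pattern says nothing about length;
// the Len() comparisons in the ASP code cover that separately.
const STRENGTH_PATTERN = /^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/;

// True only for a string that matches the pattern and both length bounds.
// Non-strings (a missing POST field, an array from a repeated field) are
// rejected rather than coerced with String().
function isStrong(password) {
  if (typeof password !== 'string') return false;
  return STRENGTH_PATTERN.test(password) &&
    password.length >= MIN_LENGTH &&
    password.length <= MAX_LENGTH;
}

// Encode text before placing it in an HTML response so that any markup in
// user input is displayed as text rather than interpreted by the browser.
// This is the "validate user input that will be returned to the user" point
// from the review questions, applied at output time.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical server-side handler for the ChangePassword form. The browser
// may have run the same check already, but the server repeats it because
// form fields, cookies and headers can all be altered before they arrive.
// The failure message is generic: it does not say which rule failed.
function handleChangePassword(form) {
  if (!isStrong(form.newPassword)) {
    return { ok: false, message: 'Password does not meet the password policy. Please try again.' };
  }
  // Only the encoded user name is echoed back into the page.
  return { ok: true, message: 'Password changed for ' + htmlEncode(form.userName) + '.' };
}

// Constructed sample submissions (not from the page).
const samples = [
  { userName: 'Lima', newPassword: 'P@ssword8' },             // meets all rules
  { userName: 'Lima', newPassword: 'password' },              // no digit, no uppercase
  { userName: 'Lima', newPassword: 'Aa1' },                   // too short
  { userName: 'Lima', newPassword: 'Aa1' + 'x'.repeat(18) },  // 21 characters: too long
  { userName: '<b>Lima</b>', newPassword: 'Str0ngPass' },     // markup in the name is encoded
];

for (const form of samples) {
  console.log(JSON.stringify(form.newPassword), '->', JSON.stringify(handleChangePassword(form)));
}
```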

Posted: 10/12/2013, 16:15
