Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities
A well-defined set of search patterns significantly reduces the time (cost) of security code inspections. This post focuses on input validation vulnerabilities commonly found in ASP.NET web applications.
SQL Injection and Cross Site Scripting (XSS) String search patterns
SQL Injection and XSS are the most common attacks that exploit improper data access and a lack of output encoding. The following how-tos cover finding these vulnerabilities:
- Quickly Find And Fix Cross Site Scripting (XSS) Vulnerabilities In Your ASP.NET Application.
- Security Code Inspection - Eternal Search For SQL Injection
Input Validation vulnerabilities String Search Patterns
To find security vulnerabilities, start by asking questions or, better yet, create a list of questions. Here is an example of how: Generate Your Own Security Code Review Checklist Document Using Outlook 2007.
Use a search utility such as FindStr to perform your searches (see Performing Text Searches). When Visual Studio is available, you can use it instead: Visual Studio 2005 As General Code Search Tool. Any other search tool works just as well. The following are the most common questions and search patterns.
Does the code rely on client-side validation?
If the code does not use Validators or Regex, there is a potential vulnerability. Review how each control is validated for type, length, range, and string format. In the searches I assume there is no inline code and that developers use the code-behind technique to separate markup from code.
findstr /S /I ".Validator" *.aspx
findstr /S /I ".Validator" *.ascx
findstr /S /I "Regex" *.cs
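The validator search shows where validators exist, not which inputs lack one. The following added example (not from the original post) pairs each input control in `.aspx`/`.ascx` markup with the validators that target it through `ControlToValidate` and reports the inputs left uncovered. The list of input control types, the function names, and the sample markup are assumptions made for illustration.

```python
import re
from pathlib import Path

# Input controls to check (assumed starting set; extend for your code base).
INPUT_TAG = re.compile(r'<asp:(TextBox|DropDownList|ListBox|RadioButtonList)\b([^>]*)>', re.I | re.S)
# Any control whose tag name ends in "Validator"; limitation: attribute values containing ">" cut the match short.
VALIDATOR_TAG = re.compile(r'<asp:\w*Validator\b([^>]*)>', re.I | re.S)
ATTR = r'\b{}\s*=\s*["\']([^"\']+)["\']'
ID_ATTR = re.compile(ATTR.format('ID'), re.I)
TARGET_ATTR = re.compile(ATTR.format('ControlToValidate'), re.I)

def unvalidated_inputs(markup):
    """Return IDs of input controls that no validator targets, in document order."""
    # Strip server-side comments so commented-out validators do not count.
    markup = re.sub(r'<%--.*?--%>', '', markup, flags=re.S)
    validated = set()
    for m in VALIDATOR_TAG.finditer(markup):
        target = TARGET_ATTR.search(m.group(1))
        if target:
            validated.add(target.group(1).lower())
    missing = []
    for m in INPUT_TAG.finditer(markup):
        cid = ID_ATTR.search(m.group(2))
        if cid and cid.group(1).lower() not in validated:
            missing.append(cid.group(1))
    return missing

def scan_tree(root):
    """Map each .aspx/.ascx file under root to its unvalidated input control IDs."""
    findings = {}
    for path in Path(root).rglob('*'):
        if path.suffix.lower() in ('.aspx', '.ascx'):
            ids = unvalidated_inputs(path.read_text(encoding='utf-8', errors='replace'))
            if ids:
                findings[str(path)] = ids
    return findings

# Constructed sample markup (not from the original post).
SAMPLE = '''
<asp:TextBox ID="txtEmail" runat="server" />
<asp:RegularExpressionValidator ID="revEmail" runat="server"
    ControlToValidate="txtEmail" ValidationExpression="^\\S+@\\S+$" />
<asp:TextBox ID="txtComment" runat="server" TextMode="MultiLine" />
<%-- <asp:RequiredFieldValidator ControlToValidate="txtComment" runat="server" /> --%>
<asp:DropDownList ID="ddlCountry" runat="server" />
'''

if __name__ == '__main__':
    print(unvalidated_inputs(SAMPLE))  # ['txtComment', 'ddlCountry']
```

Each reported ID is a starting point for manual review: the control may still be validated in code-behind, which is what the `Regex` search over `*.cs` is for.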
Is the code susceptible to canonicalization attacks?
Verify that no external input is involved in building paths and file names.
findstr /S /I "File" *.cs
findstr /S /I "Path" *.cs
Does the code validate data from all sources?
Using Cookies and QueryStrings exposes the application to the tampering threat (review STRIDE Explained to understand threats). If the Params property is used, there is a chance of a CSRF attack; see Cross-Site Request Forgery Attack explained.
findstr /S /I "Cookies" *.*
findstr /S /I "QueryString" *.*
findstr /S /I "Params" *.*
Does the code use MapPath?
If MapPath is used, verify that it does not take external input parameters and that it is restricted to the application's file space. Make sure its third parameter is set to false.
findstr /S /I "MapPath" *.*
How To Mitigate Input And Data Validation Vulnerabilities
Below are detailed step-by-step guidelines for writing code that is not vulnerable to SQL Injections and XSS attacks:
Share Your Practices
If you’ve got more search patterns to suggest – please do so! Let’s make the World [Wide Web] a more secure place together.