Security Code Review – String Search Patterns For Finding Input Validation Vulnerabilities

Well defined set of search patterns helps significantly reduce time (cost) when performing security code inspections. This post focuses on input validation vulnerabilities commonly found in ASP.NET web applications.

SQL Injection and Cross Site Scripting (XSS) String search patterns

SQL Injections and XSS attacks are most common that exploit improper data access and lack of output encoding. Following are the how-to’s on finding these vulnerabilities:

Input Validation vulnerabilities String Search Patterns

To search and find security vulnerabilities you start asking questions or better yet create a list of the questions. Here is the example how - Generate Your Own Security Code Review Checklist Document Using Outlook 2007.

Use search utility similar to FindStr to perform your searches (look at Performing Text Searches). When Visual Studio is available then you can use it - Visual Studio 2005 As General Code Search Tool. Any other search tool is just fine. Following are the most common questions and search patterns.

  • Does the code rely on client-side validation?

If the code does not use Validators or Regex there is a potential vulnerability. Review each control how it is validated for type, length, range, string format. In the searches I assume there is no inline code and developers use code behind technique to separate markup from code.

ASP.NET pages

findstr /S /I ".Validator" *.aspx

User Controls

findstr /S /I ".Validator" *.ascx

Source code

findstr /S /I "Regex" *.cs

  • Is the code susceptible to canonicalization attacks?

Review that there is no external input involved in building paths and file names.

findstr /S /I “File" *.cs

findstr /S /I “Path" *.cs

  • Does the code validate data from all sources?

Using Cookies and QueryStrings poses a risk of the tampering threat (review STRIDE Explained to understand threats). If there is a use of Params property there is a chance for CSRF attack - Cross-Site Request Forgery Attack explained


findstr /S /I “Cookies" *.*

Query Strings

findstr /S /I “QueryString" *.*


findstr /S /I “Params" *.*

  • Does the code use MapPath?

If there is a usage of MapPath review that it does not use external input parameters and it is restricted to access only application file space. Make sure its third parameter set to false.

findstr /S /I “MapPath" *.*

How To Mitigate Input And Data Validation Vulnerabilities

Below are detailed step-by-step guidelines for writing code that is not vulnerable to SQL Injections and XSS attacks:

How To: Prevent Cross-Site Scripting in ASP.NET

How To: Protect From Injection Attacks in ASP.NET

How To: Protect From SQL Injection in ASP.NET

How To: Use Regular Expressions to Constrain Input in ASP.NET

Microsoft Anti-Cross Site Scripting Library V1.5 

Share Your Practices

If you’ve got more search patterns to suggest – please do so! Let’s make the World [Wide Web] a more secure place together.