Home/ Questions/Q 6943173
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T13:07:18+00:00

What else needs to be validated apart from what I have below? This is

  • 0

What else needs to be validated apart from what I have below? This is my question.

It is important that any input to a site is properly validated:

  • Textboxes, etc – use .NET validators (or custom code if the validators aren’t appropriate)

  • Querystring or Form values – use manual validation (casting to specific types, boundary checking, etc)

This ties into the problems which XSS can reveal.

Basically you have to validate any input that someone could potentially tamper with:

  • Form Postbacks (mainly .NET Controls – these can be validated with .NET validation controls. Also if you have Request Validation turned on on all pages, this reduces the risk )

  • QueryString Values

  • Cookie values

  • HTTP Headers

  • Viewstate (automatically done for you as long as you have ViewState MAC enabled)

  • Javascript (all JS can be viewed and changed, so need to ensure no crucial functionality is handled by JavaScript- i.e. always enable server side validation)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There is a lot that can go wrong with a web application. Your list is pretty comprehensive, although it is duplication. The http spec only states, GET, POST, Cookie and Header. There are many different types of POST, but its all in the same part of the request.

    For your list I would also add everything having to do with file upload, which is a type of POST. For instance, file name, mime type and the contents of the file. I would fire up a network monitoring application like Wireshark and everything in the request should be considered potentially harmful.

    There will never be a one size fits all validation function. If you are merging sql injection and xss sanitation functions then you maybe in trouble. I recommend testing your site using automation. A free service like Sitewatch or an open source tool like skipfish will detect methods of attack that you have missed.

    Also, on a side note. Passing the view state around with a MAC and/or encrypted is a gross misuse of cryptography. Cryptography is tool used when there is no other solution. By using a MAC or encryption you are opening the door for an attacker to brute force this value or use something like oracle padding attack to take advantage of you. A view state should be kept track by the server, period end of story.

    • 0