Top ASP 101 Stories VBScript Classes: Part 1 of N Migrating to ASP.NET Getting Scripts to Run on a Schedule QUICK TIP: Date Delimiter for Access and SQL Server Show All Tips >>  ASP 101 Updates

How to Protect Your Application Against Parameter Injection

Securing your web application against the hackers of the world is a difficult task. Authentication mechanisms, sessionIds, and user accounts are a few of the options that are available to you for your efforts. However, the most common technique of remotely manipulating an application is parameter injection. So, for example, let's say you are viewing a transaction of customer #448, and your URL looks something like:

www.myapplication.com/customer.aspx?customerID=448

What is to stop customer 448 from typing in 449, let's say, and viewing another customer's transaction details? The situation can even escalate into typing in complete SQL statements and executing them inside the original statements you have coded. Well, this article isn't here to magically solve your problems and completely seal your sensitive data. Checking for let's say a customer sessionID and matching it against the URL and the page will still have to be done by you. However, this article will demonstrate a simple method of checking for valid parameters in an already written application. It can be easily plugged in to any website and even if the website contains hundreds of pages, it can still be a very effective tool in your efforts against hackers. The idea behind it is very simple and includes three components.

The Validation Class

This class contains static methods to check for valid values. For example, if you are expecting a string that is twenty characters long, it can check it for you and notify the application every time it encounters an invalid string on any page. There are several methods implemented in the example code. However, you can add your own and customize them to your needs.

Web.config

This is the file where you keep all of your application keys. So for example, if we would like to check for a customerID and make sure it is an integer, we would add a key named <safeParameters> and set its value to orderID-int32. Now every time our application will encounter an orderID parameter it will automatically check to see if it has a valid integer value.

Global.asax

This file will contain a utility method to match all of our known parameter types to their value. This method will be called isValidParameter. Every time a page is being requested, this method will be executed and will then notify the application if the parameter is valid.

The idea behind those three components working together is very simple, and it goes something like this: prepare all your utility methods to check for valid parameters, define all your valid parameters and check for valid values on each page, take into consideration that if you are using a customerID in twenty pages out of your application, they all must be of an integer value. Plugging these components into your application is fairly simple and will ensure that an already up and running website will prompt you every time a hacker tries to change a query string regardless of whether your programmers have checked for valid parameters or not. Bear in mind that this is a plug-in, and like all plug-ins it will take its toll on your application performance. A true secure application will embed any security methods inside the page object only using utility classes to assist. However, if invalid parameters are a problem for you, then this is your solution.

How to Implement the Example

Step 1: Add a new utility class and copy and paste the code in parameterCheck.cs into it. Do not forget to change the namespace to fit the needs of the application.

public class parameterCheck{
    public static bool isEmail(string emailString){
        return System.Text.RegularExpressions.Regex.IsMatch(emailString, "['\\w_-]+(\\.['\\w_-]+)*@['\\w_-]+(\\.['\\w_-]+)*\\.[a-zA-Z]{2,4}");
    }

    public static bool isUSZip(string zipString){
        return System.Text.RegularExpressions.Regex.IsMatch(zipString ,"^(\\d{5}-\\d{4})|(\\d{5})$");
    }
}

Step 2: On your Web.config file, add a key under the <appSettings> tag. This key will contain all of the parameters you wish to check for and the types they need to be. The name of the key is <safeParameters>, and the value can be for example: "ordered-int32,customerEmail-email".

<appSettings>
    <add key="safeParameters" value="OrderID-int32,CustomerEmail-email,ShippingZipcode-USzip" />
</appSettings>

Step 3: In your Global.asax copy and paste the code in the example into your Application_BeginRequest mothod.

protected void Application_BeginRequest(Object sender, EventArgs e){
    String[] safeParameters = System.Configuration.ConfigurationSettings.AppSettings["safeParameters"].ToString().Split(',');
    for(int i= 0 ;i < safeParameters.Length; i++){
        String parameterName = safeParameters[i].Split('-')[0];
        String parameterType = safeParameters[i].Split('-')[1];
        isValidParameter(parameterName, parameterType);
    }
}

Step 4: Copy and paste the method isValidParameter into your Global.asax file. Implementation of this method can be and should be customized by you for your needs.

public void isValidParameter(string parameterName, string parameterType){
    string parameterValue = Request.QueryString[parameterName];
    if(parameterValue == null) return;

    if(parameterType.Equals("int32")){
        if(!parameterCheck.isInt(parameterValue)) Response.Redirect("parameterError.aspx");
    }
    else if (parameterType.Equals("double")){
        if(!parameterCheck.isDouble(parameterValue)) Response.Redirect("parameterError.aspx");
    }
    else if (parameterType.Equals("USzip")){
        if(!parameterCheck.isUSZip(parameterValue)) Response.Redirect("parameterError.aspx");
    }
    else if (parameterType.Equals("email")){
        if(!parameterCheck.isEmail(parameterValue)) Response.Redirect("parameterError.aspx");
    }
}

That's it! You have just secured your application against parameter injection. And although the final implementation of the utility methods is totally up to you and your needs, this little mechanism will certainly do the job of protecting an already written and deployed application and it doesn't matter how many pages or directories it may have.

About the Example

The example contains three files: Global.asax, Web.config, and parameterCheck.cs. Please look at the files' default implementation to understand whether or not you need custom methods. You can download the example files from here: parameterinjection.zip (3.4 KB).

About the Author

Mr. Gal Ratner graduated from the Technion Institute in Israel and has been writing software for over 10 years. He is the founder and CEO of Inverted Software located in southern California, which consults to large organizations.