Author Topic: How to Protect Your Application Against Parameter Injection  (Read 4644 times)

Offline admin

  • Administrator
  • Sr. Member
  • *****
  • Posts: 296
    • View Profile
How to Protect Your Application Against Parameter Injection
« on: September 12, 2010, 01:38:59 PM »
Securing your web application against thehackers of the world is a difficult task. Authentication mechanisms,sessionIds, and user accounts are a few of the options that areavailable to you for your efforts. However, the most common techniqueof remotely manipulating an application is parameter injection. So, forexample, let's say you are viewing a transaction of customer #448, andyour URL looks something likewww.myapplication.com/customer.aspx?customerID=448. What is to stopcustomer 448 from typing in 449, let�s say, and viewing anothercustomer�s transaction details? The situation can even escalate intotyping in complete SQL statements and executing them inside theoriginal statements you have coded. Well, this article isn�t here tomagically solve your problems and completely seal your sensitive data.Checking for let�s say a customer sessionID and matching it against theURL and the page will still have to be done by you. However, thisarticle will demonstrate a simple method of checking for validparameters in an already written application. It can be easily pluggedin to any website and even if the website contains hundreds of pages,it can still be a very effective tool in your efforts against hackers.The idea behind it is very simple and includes three components.

The Validation Class
This class contains static methods to check for valid values. Forexample, if you are expecting a string that is twenty characters long,it can check it for you and notify the application every time itencounters an invalid string on any page. There are several methodsimplemented in the example code. However, you can add your own andcustomize them to your needs.

Web.config
This is the file where you keep all of your application keys. So forexample, if we would like to check for a customerID and make sure it isan integer, we would add a key named <safeParameters> and set itsvalue to orderID-int32. Now every time our application will encounteran orderID parameter it will automatically check to see if it has avalid integer value.

Global.asax
This file will contain a utility method to match all of our knownparameter types to their value. This method will be calledisValidParameter. Every time a page is being requested, this methodwill be executed and will then notify the application if the parameteris valid.

The idea behind those three components workingtogether is very simple, and it goes something like this: prepare allyour utility methods to check for valid parameters, define all yourvalid parameters and check for valid values on each page, take intoconsideration that if you are using a customerID in twenty pages out ofyour application, they all must be of an integer value. Plugging thesecomponents into your application is fairly simple and will ensure thatan already up and running website will prompt you every time a hackertries to change a query string regardless of whether your programmershave checked for valid parameters or not. Bear in mind that this is aplug-in, and like all plug-ins it will take its toll on yourapplication performance. A true secure application will embed anysecurity methods inside the page object only using utility classes toassist. However, if invalid parameters are a problem for you, then thisis your solution.

How to Implement the Example:

Step 1: Add a new utility class and copy andpaste the code in parameterCheck.cs into it. Do not forget to changethe namespace to fit the needs of the application.

Code: [Select]
public class parameterCheck{
public static bool isEmail(string emailString){
return System.Text.RegularExpressions.Regex.IsMatch(emailString,
"['\w_-]+(\.['\w_-]+)*@['\w_-]+(\.['\w_-]+)*\.[a-zA-Z]{2,4}");
}

public static bool isUSZip(string zipString){
return System.Text.RegularExpressions.Regex.IsMatch(zipString ,"^(\d{5}-\d{4})|(\d{5})$");
}
}


Step 2: On your Web.config file, add a keyunder the <appSettings> tag. This key will contain all of theparameters you wish to check for and the types they need to be. Thename of the key is <safeParameters>, and the value can be forexample: �ordered-int32,customerEmail-email.

Code: [Select]
<appSettings>
<add key="safeParameters" value="OrderID-int32,CustomerEmail-email,ShippingZipcode-USzip" />
</appSettings>

Step 3: In your Global.asax copy and paste the code in the example into your Application_BeginRequest mothod.

Step 4: Copy and paste the methodisValidParameter into your Global.asax file. Implementation of thismethod can be and should be customized by you for your needs.
Code: [Select]
protected void Application_BeginRequest(Object sender, EventArgs e){
String[] safeParameters = System.Configuration.ConfigurationSettings.AppSettings["safeParameters"].ToString().Split(',');
for(int i= 0 ;i < safeParameters.Length; i++){
String parameterName = safeParameters[i].Split('-')[0];
String parameterType = safeParameters[i].Split('-')[1];
isValidParameter(parameterName, parameterType);
}

}

public void isValidParameter(string parameterName, string parameterType){
string parameterValue = Request.QueryString[parameterName];
if(parameterValue == null) return;

if(parameterType.Equals("int32")){
if(!parameterCheck.isInt(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("double")){
if(!parameterCheck.isDouble(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("USzip")){
if(!parameterCheck.isUSZip(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("email")){
if(!parameterCheck.isEmail(parameterValue)) Response.Redirect("parameterError.aspx");
}
}


That's it! You have just secured yourapplication against parameter injection. And although the finalimplementation of the utility methods is totally up to you and yourneeds, this little mechanism will certainly do the job of protecting analready written and deployed application and it doesn�t matter how manypages or directories it may have.

About the Example:

The example contains three files: Global.asax,Web.config, and parameterCheck.cs. Please look at the files� defaultimplementation to understand whether or not you need custom methods.