ASP.NET 4.5 and ASP.NET Core 1 Hosting BLOG

Tutorial and Articles about ASP.NET 4.0 and the latest ASP.NET 4.5 Hosting

ASP.NET 4.5 Hosting - Security Improvement in ASP.NEt 4.5

clock March 18, 2013 08:21 by author andy_yo

The .NET 4.5 framework was released a couple of months ago and it included several improvements in the security area. To benefit from these improvements you need to do a few changes to you application's configuration file.
There are some important improvement in ASP.NET 4.5:

  • There are changes to the ASP.NET request validation, it now supports deferred (lazy) validation, as well as giving the option to fetch data unvalidated.
  • The AntiXSS library is included in the framework.
  • There are significant Cryptographic Improvements in ASP.NET 4.5.
  • Windows Identity Foundation is now included in the framework, referred to as WIF 4.5.

About ASPHostPortal.com

ASPHostPortal.com is Microsoft No #1 Recommended Windows and ASP.NET Spotlight Hosting Partner in United States. Microsoft presents this award to ASPHostPortal.com for ability to support the latest Microsoft and ASP.NET technology, such as: WebMatrix, WebDeploy, Visual Studio 2012, ASP.NET 4.5, ASP.NET MVC 4.0, Silverlight 5 and Visual Studio Lightswitch. Click here for more information

To take advantage of these new bits you'll have to do a bit of configuration, we'll get into that right away:

Switching to 4.5
While retargeting a couple of MVC applications to the new framework version, I learned that it's not enough to install the 4.5 framework and change the "Target framework" accordingly. You'll find that a comment appears in the web.config file:
<!--
    For a description of web.config changes for .NET 4.5 see http://go.microsoft.com/fwlink/?LinkId=235367.       
    The following attributes can be set on the <httpRuntime> tag.      
     <system.Web>
        <httpRuntime targetFramework="4.5" />
     </system.Web>

-->
It's important that you set the targetFramework in your configuration file, else your application will run in "4.0" mode.

Enabling AntiXss
You'd want to set the AntiXss library as the default encoder — that can easily be done in the httpRuntime configuration element:

<httpRuntime targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Note that there can be side effects to this, as AntiXSS takes a white list approach to encoding. That means that there may be characters that weren't encoded before, that will be encoded by AntiXSS.

Request validation
Lazy validation was introduced in ASP.NET 4.5, I just did some testing on it and it seems that lazy validation is the enabled regardless of how you set the "requestValidationMode", after you've installed the 4.5 framework. However, if you need access to any request parameters unvalidated, you'll need to set the validation mode to "4.5", as such:
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
This will give you access to the unvalidated collections of parameters, e.g.:

Request.Unvalidated.QueryString["lastName"];
This is a much better approach than disabling request validation altogether. But use it with care, as always you should throroughly validate the input.

WIF 4.5
WIF is now part of the framework — that meant some breaking changes. It shouldn't take to much time to upgrade though,  particularly if you're concerned with RP's. There's a great article on MSDN with Guidelines for Migrating an Application Built Using WIF 3.5 to WIF 4.5.
There's two apparent changes I'd like to point out. First, you no longer need to set the "requestValidationMode" to "2.0" to cope with the request validation exceptions on the SignInResponseMessage's posted from an STS. WIF 4.5 plays nicely with the 4.5 request validation. Second, WIF now includes a MachineKeySessionSecurityTokenHandler which encrypts and MAC's WIF cookies based on the machine key. You'll find everything you need to set it up in: WIF and Web Farms.

 

 



ASP.NET 4.5 Hosting - ASPHostPortal :: New Request validation features in ASP.Net 4.5

clock June 22, 2012 08:48 by author Jervis

ASP.Net request validation is a feature that automatically protects ASP.Net applications from XSS attacks. Request validation in asp.net triggers error when it found HTML markup in any of the input data. But some real life applications still require HTML data in some of the input fields. For e.g. When receiving feedback from user, you may need to get the feedback as HTML. Prior to 4.5 the developers have the ability to switch off the request validation either in page level or for the entire application. Even though this was helpful, for accepting HTML markup from any one field in the page, you were required to disable the validation for entire page or disable it for entire application.

ASP.Net 4.5 brings some improvements to the request validation features. There is a new attribute introduced to httpRuntime element called requestValidationMode. You can set value for this attribute to 4.5 so that new improvements will be applied to your application.


<httpRuntime requestValidationMode="4.5" ... />

When you set this in your web.config, the request validation will be triggered only when your code access the data. So if you are not accessing the data, it will not be validated, which is an improvement and you are not supposed to disable the request Validation.


Now the next question is what will happen when you need HTML data from controls? ASP.Net 4.5 allows you to access request data that is not validated from a new collection named “Unvalidated”. Once you set the requestValidationMode to 4.5, you can access the unvalidated data by the following statement.

context.Request.Unvalidated.Form["Your_Column_Name"];

I am going to demonstrate these new improvements in the remaining part of this article. First I am going to demonstrate the request validation prior to ASP.Net 4.5. Then I will demonstrate the request validation in ASP.Net 4.5 with HTML input controls and then with ASP.Net server controls.

Let us evaluate an ASP.Net application prior to version 4.5. I have created ASP.Net 3.5 application and placed 2 text box controls in the page, with a submit button. The design mode for my page in Visual Studio looks similar to following.



I
executed the page and enter some data in the text boxes. See the snapshot of my input.



See the comments Text box have some HTML markup, which will not be allowed by default. When clicking on the submit button, the following error page will appear.



Now Since I am using ASP.Net 3.5, there are 2 options for me.

1. Set the ValidateRequest to false in the @Page attribute of your page



2. Set the ValidateRequest to false in the Pages section of web.config



Once you do any of the above changes, the above error will vanishes. But there is a danger that all fields in your page can still cause XSS attacks as you disabled it for entire page. Disabling it from the entire application using web.config is more danger as it will switch off the validation feature for your application. Developers need to properly parse/validate all the fields in the page to safeguard from XSS attacks.

Now let us evaluate the improvements in ASP.Net 4.5. I opened Visual Studio 2011 developer preview and created ASP.Net 4.5 web application.

In my application I have included two text boxes and a submit button. The markup for the form controls are as follows.



See, I have used normal HTML controls, not HTML server controls/ASP.Net server controls. I shall discuss the input validation for ASP.Net server controls in the later part of this article.

I executed the page and placed some HTML in the comments field.



When I clicked the submit button, there was no error.


If you check the web.config, you can see the below setting in the web.config




Now let me try to access these values from my code. I added onclick event handler for the button. The code for the button click event hander is as follows.



Now When I click the button from the ASP.Net page, after entering value <b>No Comments</b> in the comments Text box, the below error page appears.



As mentioned in the introduction of this article, you can use Request.Unvalidated collection to access the unvalidated data from the code behind. I have updated my code as follows



Now When I pressed the button, the page does not throw any error.



You must be noticed that I have used HTML input fields not ASP.Net server controls. When using ASP.Net server controls ASP.Net uses the posted data to maintain the view state, so even if you didn’t use the server control data in the code behind, you will get error.


See the sample. I have created the ASP.Net controls as follows



See the output of the page. I placed some markup in the comments field and pressed enter. No matter whether I am using the value in my code behind or not, it will throw the error.





This is because; ASP.Net tries to access the data from text box for the purpose of maintaining view state. For managing request validation for ASP.Net controls, the framework introduced a new attribute named “ValidateRequestMode”. If you want any control to submit HTML markup, set the ValidateRequestMode to “disabled”, so that the data from this control will not be validated. In the background ASP.Net might take the data from the unvalidated collection if ValidateRequestMode set to disabled.


See the sample



Now run the page and enter some markup for the comments field and press the submit button, it will not trigger any error as you already disabled the validateRequestMode.



See the output of the page.



ASP.Net 4.5 gives you the ability to control the request validation from item level. For each server control you can disable the request validation. Still all the other controls in the page is validated so your page is not open for XSS attacks. Make sure you apply necessary logic to parse/validate the data from unvalidated controls to protect your application. Only disable request validation when it is necessary.

ASP.NET 4.5 Hosting Starts from ONLY $2.00/month. CLICK HERE



Cheap ASP.NET 4.5 Hosting

We’re a company that works differently to most. Value is what we output and help our customers achieve, not how much money we put in the bank. It’s not because we are altruistic. It’s based on an even simpler principle. "Do good things, and good things will come to you".

Success for us is something that is continually experienced, not something that is reached. For us it is all about the experience – more than the journey. Life is a continual experience. We see the Internet as being an incredible amplifier to the experience of life for all of us. It can help humanity come together to explode in knowledge exploration and discussion. It is continual enlightenment of new ideas, experiences, and passions


Author Link


 

Corporate Address (Location)

ASPHostPortal
170 W 56th Street, Suite 121
New York, NY 10019
United States

Tag cloud

Sign in