Understanding Request Validation in ASP.NET MVC 3

Introduction:

One rule you must always remember: never trust user input. An application that trusts user input is easily vulnerable to XSS, SQL injection and similar attacks. To mitigate one class of these, markup injected through request data (the classic reflected and stored XSS vector), ASP.NET introduced request validation in ASP.NET 1.1. During request validation ASP.NET throws an HttpRequestValidationException ('A potentially dangerous XXX value was detected from the client') if it finds, in the query string, the posted form or the cookie collection, a < followed by an exclamation mark (like <!), a < followed by a letter (like <s), or an & followed by a pound sign (like &#123). Note what this does and does not cover: request validation is a defense-in-depth measure against XSS only; it does nothing against XSRF, which needs anti-forgery tokens, and it is not a substitute for encoding output. In ASP.NET 4.0 request validation became extensible (you can plug in your own RequestValidator), and by default it is enabled before the BeginRequest phase of an HTTP request, so it applies to every request and not only to ASP.NET pages. ASP.NET MVC 3 moves one step further by making request validation granular: you can disable it for some properties of a model while keeping it for everything else. In this article I will show the use of request validation in ASP.NET MVC 3, and then briefly explain the internal working of granular request validation.

Description:

First of all, create a new ASP.NET MVC 3 application. Then create a simple model class called MyModel,

public class MyModel  
{
   public string Prop1 { get; set; }
   public string Prop2 { get; set; }  
} 


 Then just update the index action method as follows,

public ActionResult Index(MyModel p)  
{
  return View();  
}


Now run this application. You will find that everything works just fine. Now append the query string ?Prop1=<s to the URL of this application, and you will get the HttpRequestValidationException.

Now decorate the Index action method with [ValidateInput(false)],

[ValidateInput(false)]  
public ActionResult Index(MyModel p)  
{  
    return View();  
} 


Run this application again with the same query string. You will find that your application runs without any unhandled exception.

Up to now there is nothing new in ASP.NET MVC 3, because ValidateInputAttribute was already present in previous versions of ASP.NET MVC. Is there a problem with this approach? Yes. Once the action is decorated with [ValidateInput(false)], users can send HTML for both Prop1 and Prop2 (e.g. ?Prop1=<s&Prop2=<s), and many developers are not aware that the attribute switches validation off for every parameter of the action, not just the one they had in mind. So the ValidateInput attribute gives you no guarantee that your application is safe from XSS. This is the reason why the ASP.NET MVC team introduced granular request validation in ASP.NET MVC 3. Let's see this feature.


Remove [ValidateInput(false)] from the Index action and update the MyModel class as follows,

public class MyModel  
{  
    [AllowHtml]  
    public string Prop1 { get; set; }
    public string Prop2 { get; set; }  
} 


Note that the AllowHtml attribute is placed only on the Prop1 property. Run this application again with the ?Prop1=<s query string: it runs just fine. Run it again with ?Prop1=<s&Prop2=<s and you get the HttpRequestValidationException. This shows that granular request validation in ASP.NET MVC 3 allows users to send HTML only for properties decorated with AllowHtml. Whatever arrives through such a property is still untrusted markup: it must be HTML-encoded when rendered (Razor's @ syntax encodes by default, Html.Raw does not), or passed through an HTML sanitizer if it genuinely has to be rendered as markup.
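The following is an added example, not code from the original article, showing a GET/POST round trip with granular validation and the output-side obligation that [AllowHtml] leaves in place. MyModel, Prop1 and Prop2 follow the article; the namespace GranularDemo, HomeController and the view path are assumed names for this example.

```csharp
// Added example, not code from the original article: a GET/POST round trip that
// shows what granular request validation does and does not cover.
// MyModel, Prop1 and Prop2 follow the article; GranularDemo, HomeController and
// the view path are assumed names for this example.
using System.Web.Mvc;

namespace GranularDemo
{
    public class MyModel
    {
        // Request validation is skipped for this property only, so a value such
        // as "<b>hi</b>" binds without an exception.
        [AllowHtml]
        public string Prop1 { get; set; }

        // Still validated: posting "<s" here raises HttpRequestValidationException
        // during model binding, before the action body runs.
        public string Prop2 { get; set; }
    }

    public class HomeController : Controller
    {
        [HttpGet]
        public ActionResult Index()
        {
            return View(new MyModel());
        }

        // Request validation only looks for markup; it does nothing against
        // cross-site request forgery, so the POST is protected separately.
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Index(MyModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // model.Prop1 may legitimately contain markup. Treat it as untrusted
            // on the way out: the view must encode it (Razor's @ does) or pass it
            // through an HTML sanitizer if it really has to be rendered as HTML.
            return View(model);
        }
    }
}

/* Views/Home/Index.cshtml (Razor), reproduced as a comment so the file stays C#:

@model GranularDemo.MyModel
@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    @Html.TextBoxFor(m => m.Prop1)   @* markup accepted by the binder *@
    @Html.TextBoxFor(m => m.Prop2)   @* markup rejected by the binder *@
    <input type="submit" value="Send" />
}
<p>Encoded: @Model.Prop1</p>              @* renders &lt;b&gt;hi&lt;/b&gt;: safe *@
<p>Raw: @Html.Raw(Model.Prop1)</p>        @* renders <b>hi</b> verbatim: XSS if hostile *@
*/
```

Post "<b>hi</b>" in Prop1 and the request reaches the action; post "<s" in Prop2 and the binder throws before the action runs. The two lines at the bottom of the view are the point: [AllowHtml] only widens what the binder accepts, and whether that value becomes an XSS payload is decided entirely by how the view renders it.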

Sometimes you may need to access Request.QueryString or Request.Form directly. You may change your code as follows,

[ValidateInput(false)]  
public ActionResult Index()  
{  
    var prop1 = Request.QueryString["Prop1"];  
    return View();  
} 


Run this application again and you get the HttpRequestValidationException again, even though [ValidateInput(false)] is on the Index action. The reason is that [ValidateInput(false)] only tells MVC's model binder and value providers to read the unvalidated copies of the request data; the HttpRequest object's own validation flags are unchanged, so a direct read of Request.QueryString or Request.Form still validates the value. To make this work you need to use the Unvalidated extension method,

public ActionResult Index()  
{  
    var q = Request.Unvalidated().QueryString;  
    var prop1 = q["Prop1"];  
    return View();  
} 


The Unvalidated extension method is defined in the System.Web.Helpers namespace, so you need to add using System.Web.Helpers; to this class file. Run this application again and it runs just fine.
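The following is an added example, not code from the original article, showing the practical shape of this pattern: read only the one field that legitimately needs raw markup through Request.Unvalidated(), keep everything else on the validated path, and turn a validation failure into a 400 response instead of an unhandled exception. RawInputController is an assumed name; Prop1 and Prop2 follow the article.

```csharp
// Added example, not code from the original article: read one query-string field
// through Request.Unvalidated() while everything else stays on the validated path,
// and turn a validation failure into a 400 response instead of an unhandled
// exception. RawInputController is an assumed name; Prop1/Prop2 follow the article.
using System.Web;
using System.Web.Helpers;   // Request.Unvalidated() is an extension method from here (MVC 3)
using System.Web.Mvc;

public class RawInputController : Controller
{
    // No [ValidateInput(false)] is needed: that attribute only affects model
    // binding, and this action binds nothing.
    public ActionResult Index()
    {
        // Unvalidated read, limited to this one field. ?Prop1=<s succeeds here.
        string prop1 = Request.Unvalidated().QueryString["Prop1"];

        string prop2;
        try
        {
            // Normal validated read. A markup-bearing value on this path raises
            // HttpRequestValidationException at the point of access.
            prop2 = Request.QueryString["Prop2"];
        }
        catch (HttpRequestValidationException)
        {
            // Reject explicitly rather than letting the exception become an
            // error page (MVC 3 overload: status code as int).
            return new HttpStatusCodeResult(400, "Prop2 must not contain markup");
        }

        // prop1 is untrusted markup: encode it before it reaches a page. Anything
        // rendered with Html.Raw must go through an HTML sanitizer first.
        ViewBag.Prop1Encoded = HttpUtility.HtmlEncode(prop1 ?? string.Empty);
        ViewBag.Prop2 = prop2;
        return View();
    }
}
```

Request.Unvalidated() comes from System.Web.WebPages.dll, which the MVC 3 installer references for you; it returns an object with Form and QueryString collections that bypass validation. Which keys a validated read like Request.QueryString["Prop2"] checks when another key in the same request carries markup depends on whether MVC's per-key validation is active for that request, so test the mixed case (?Prop1=<s&Prop2=x) in your own pipeline before relying on it.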
