Article ID: 867600 - Last Review: May 8, 2007 - Revision: 1.4

IMPROVING WEB APPLICATION SECURITY: THREATS AND COUNTERMEASURES: Corrections and Comments

View products that this article applies to.
Expand all | Collapse all

SUMMARY

This article contains comments, corrections, and information about known errors relating to the Microsoft Patterns & Practices book Improving Web Application Security: Threats and Countermeasures, ISBN 0-7356-1842-9

Web version of the book is updated as we find the errors. You may find many or all of the errors below already corrected in the web version of the book on MSDN.

The following topics are covered:
  • Page 273, Chapter 10: Building Secure ASP.NET Pages and Controls, Section: Data-Bound Controls, Complete Section
  • Page 441, Chapter 16: Securing Your Web Server, Section: Disable NetBIOS and SMB

MORE INFORMATION

Page 273, Chapter 10: Building Secure ASP.NET Pages and Controls, Section: Data-Bound Controls, Complete Section
http://msdn2.microsoft.com/en-us/library/aa302426.aspx (http://msdn2.microsoft.com/en-us/library/aa302426.aspx)

Change:

Data-bound Web controls do not encode output. The only control that encodes output is the TextBox control when its TextMode property is set to MultiLine. If you bind any other control to data that has malicious XSS code, the code will be executed on the client. As a result, if you retrieve data from a database and you cannot be certain that the data is valid (perhaps because it is a database that is shared with other applications), encode the data before you pass it back to the client.

To:

Data bound controls are web controls that are bindable to data components through a public inherited ‘DataSource’ property. To mention a few, you will find DataGrid, ListBox and DropDownList to be used very often. Not all data bound controls perform encoding when displaying data retrieved from a bound data component; thus, it will be your responsibility to perform encoding on non-trusted data components in order to prevent XSS attacks. For example, a data component cannot be trusted in a scenario where different applications share a single database. If an attacker has the ability to insert malicious XSS code into the database (by abusing a vulnerability in one of the applications, for instance) all applications using non-encoding web controls bound to it, will turn vulnerable. Only avoid encoding if you can be certain that the output from the data component will always be valid.

Examples of data bound controls that do not perform encoding are DataGrid, DataList, RadioButtonList and CheckBoxList. Performing encoding for a data bound control may vary depending on each specific control. For example, for a DataGrid control, you have the following options:
  • Turn all columns into templates and manually use HtmlEncode()/UrlEncode() on each call to DataBinder.Eval
  • Override one of its DataBinding methods, such as OnDatabinding or OnItemDataBound and perform encoding on its items. The following example illustrates how to override the OnItemDataBound method of a DataGrid control in order to encode its items by either using HtmlEncode() or UrlEncode() when required:

...
[DefaultProperty("Text"),
  ToolboxData("<{0}:DataGrid runat=server></{0}:DataGrid>")]
 
public class DataGrid : System.Web.UI.WebControls.DataGrid
{
    /// <summary>
    /// The ItemDataBound event is raised after an item is data bound to the DataGrid
    /// control. This event provides you with the last opportunity to access the data
    /// item before it is displayed on the client. After this event is raised, the data
    /// item is nulled out and no longer available. - .NET Framework Class Library
    /// </summary>
    /// <param name="e"></param>
    protected override void OnItemDataBound(DataGridItemEventArgs e)
    {
      base.OnItemDataBound (e);
 
      switch (e.Item.ItemType)
      {
        case ListItemType.Item:
        case ListItemType.AlternatingItem:
        case ListItemType.EditItem:
        case ListItemType.SelectedItem:
        case ListItemType.Footer:
        case ListItemType.Header:
        case ListItemType.Pager:  
          // even though not all of these ListItemTypes are data bound,
          // perform HtmlEncode or UrlEncode on each control. If there are
          // no controls, we perform HtmlEncode on any available text.
          // Also, don't let &nbsp;'s be encoded.
          TableCellCollection cCells = e.Item.Cells;
          foreach (TableCell tc in cCells)
          {
            if (tc.Controls.Count > 0)
            {
              foreach (Control ctrl in tc.Controls)
              {
                
                // don't perform HtmlEncode on URL's
                if (ctrl is HyperLink)
                {
                  HyperLink hLnk = (HyperLink)ctrl;
 
                  if (hLnk.Text.Length > 0)
                    hLnk.Text = HttpUtility.HtmlEncode(hLnk.Text);
                  if (hLnk.NavigateUrl.Length > 0)
                    hLnk.NavigateUrl = HttpUtility.UrlEncode(hLnk.NavigateUrl);
                }
                else if (ctrl is LinkButton)
                {
                  LinkButton lButton = (LinkButton)ctrl;
 
                  if (lButton.Text.Length > 0)
                    lButton.Text = HttpUtility.HtmlEncode(lButton.Text);
                }
                else if (ctrl is Button)
                {
                  Button cButton = (Button)ctrl;
 
                  if (cButton.Text.Length > 0)
                    cButton.Text = HttpUtility.HtmlEncode(cButton.Text);
                }
              }
            } 
            else 
            {              
              // there are no controls in the table cell
              // HTMLEncode any available text
              if (tc.Text.Length > 0) 
              {
                if ("&nbsp;" != tc.Text) 
                  tc.Text = HttpUtility.HtmlEncode(tc.Text);
              }
            }
          }
          break;
        
        default:
          break;
      }
     }
   }
...

Page 441, Chapter 16: Securing Your Web Server, Section: Disable NetBIOS and SMB
http://msdn2.microsoft.com/en-us/library/aa302432.aspx (http://msdn2.microsoft.com/en-us/library/aa302432.aspx)

Following Note is added:

Note: Test your changes before implementing them in production. Disabling sharing or NetBIOS can negatively impact manageability for your scenario. For example, IIS uses the NetUserChangePassword API which depends on NetBIOS. If you permit users to change passwords through IIS, this will no longer work.

APPLIES TO
  • MSPRESS Improving Web Application Security: Threats and Countermeasures, ISBN 0-7356-1842-9
Back to the top
Keywords: 
kbdocfix kbdocerr KB867600
 

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations