Security-Conscious .NET Validation

One of the most critical issues facing the Internet today and one that will affect its future growth is security. Too often, we see articles in the paper or on the Internet about data breaches that expose private data including credit card numbers and Social Security numbers. It can take those whose information is stolen years of work to clear up any damage done to their credit reports and their lives. While those attacks are often based on network security flaws, similarly damaging methods can be used through browser-based attacks on insecure websites. By sending malformed data in a web request, a hacker can modify or view confidential data in a site’s back-end datastore.

The Archer Group has established an ongoing process to continually review and improve internal security processes so our clients can be assured their customers’ data is secure. An action item from the most recent Archer Group internal “Security Summit” was to develop a series of data validators for the agency’s Microsoft .NET projects in order to ensure data submitted on client websites is both validly formatted and safe for server processing.

Completing the action item involved a two-step approach. On the browser side, we implemented the jQuery validation plug-in. This industry-standard, well-tested code gives the user immediate feedback in the browser on the validity of the data they are attempting to submit. It is also extensible, so custom client-side validation methods can be added within its framework.

However, client-side validation is not enough on its own. Estimates indicate that up to five percent of Internet users turn off JavaScript in their browsers, thereby disabling jQuery, which runs on top of the JavaScript engine. It is also relatively simple for an attacker to intercept the data sent from their own browser before it reaches the web server and modify it to bypass the requirements of jQuery validation.

Any web application security process must therefore include server-side validation logic. Microsoft has provided a number of validation controls in the .NET framework that provide both client and server-side validation functionality. These controls are flexible enough to cover virtually any situation necessary, but any customization of the validation requires manual coding by a developer. Additionally, not all Microsoft .NET web controls are validated by these tools, leaving gaps in what developers can do without coding. For example, .NET contains a CheckBoxList control to display a series of checkboxes but does not provide a way to ensure the user has selected one of those checkboxes. Archer’s new server-side security framework not only allows the developer to specify a minimum number of boxes that must be selected but also a maximum.

The goal in developing custom validation tools was to provide a framework that allows developers to utilize standard Microsoft control functionality while allowing the easy implementation of custom validation. To that end, Archer has developed a base validation interface that all Archer-specific validators inherit from. This interface accepts a WebControl to validate, a WebControl in which to display the validation result, and an XmlDocument containing the messages to display for each potential validation result. Thus the validation framework can not only inform the user that an input is invalid, but also why it is invalid. After processing the control, the validator returns a ValidationResult object that includes references to the control being validated and to the control where the result is displayed, the specific message, and a Boolean (true/false) property indicating whether the validation succeeded or failed.

There is also a page-level object that takes the XML document of validation result messages (automatically assigning the appropriate messages to each validator on the page) and holds the collection of validators and their validation results. This object is wired to a standard .NET CustomValidator so that it participates in the framework's normal validation process.

After setting up each validator by assigning its properties as appropriate, the call to process the validation and display the results can be done with a few simple lines of code:

// Inside the CustomValidator's ServerValidate handler: e is the ServerValidateEventArgs
// and pv is the page-level validator object. Run every validator and report the
// overall outcome to the .NET validation process.
e.IsValid = pv.ValidatePage();

foreach (ValidationResult vr in pv.ValidationResults)
{
    if (!vr.Result)
    {
        // this validator failed, display its error message
        vr.lblErrorMessage.Text = vr.Message;
    }
}
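To show the shape of the objects that snippet relies on, here is an added sketch (not the Archer Group's own code) using the hypothetical type names IArcherValidator, PageValidator and CheckBoxListCountValidator; the ValidationResult members mirror those used above, and the XML message document is stood in for by two constructor strings.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.UI.WebControls;

// Result of one validator, with the member names used in the snippet above.
public class ValidationResult
{
    public WebControl Control;     // the control that was validated
    public Label lblErrorMessage;  // where the message is displayed
    public string Message;         // why it failed (empty when Result is true)
    public bool Result;            // true when the input passed
}

// Hypothetical name for the base validator interface the post describes.
public interface IArcherValidator { ValidationResult Validate(); }

// Fills the gap the post mentions: CheckBoxList has no built-in min/max selection check.
public class CheckBoxListCountValidator : IArcherValidator
{
    private readonly CheckBoxList _list;
    private readonly Label _label;
    private readonly int _min, _max;
    private readonly string _tooFewMsg, _tooManyMsg; // the real framework reads these from its XML document
    public CheckBoxListCountValidator(CheckBoxList list, Label label, int min, int max,
                                      string tooFewMsg, string tooManyMsg)
    { _list = list; _label = label; _min = min; _max = max; _tooFewMsg = tooFewMsg; _tooManyMsg = tooManyMsg; }
    public ValidationResult Validate()
    {
        // Count on the server from the posted Selected flags, never from a client-supplied count.
        int selected = _list.Items.Cast<ListItem>().Count(i => i.Selected);
        var vr = new ValidationResult { Control = _list, lblErrorMessage = _label, Result = true, Message = "" };
        if (selected < _min) { vr.Result = false; vr.Message = _tooFewMsg; }
        else if (selected > _max) { vr.Result = false; vr.Message = _tooManyMsg; }
        return vr;
    }
}

// Page-level object: runs every registered validator and keeps the results. The page's
// CustomValidator ServerValidate handler sets e.IsValid from ValidatePage(), as above.
public class PageValidator
{
    public List<IArcherValidator> Validators = new List<IArcherValidator>();
    public List<ValidationResult> ValidationResults = new List<ValidationResult>();
    public bool ValidatePage()
    {
        ValidationResults = Validators.Select(v => v.Validate()).ToList();
        return ValidationResults.All(r => r.Result); // the page is valid only if every validator passed
    }
}
```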

The new Archer validators cover a variety of standard situations for form validation:

  • Age Requirements – minimum and maximum, given a user’s birthday
  • Text formatting – alphabetic, numeric, alphanumeric, punctuation allowed, etc.
  • Credit Card – validating both expiration dates and running the Luhn algorithm to test the number entered for proper format
  • Date Validation – checking for both format and any past/future date requirement
  • Email Address format
  • URL format
  • Phone Number format
  • Post Office Box format
  • CheckBoxList – both minimum and maximum number of selections
  • Requiring a certain number of fields from a group (again with both a minimum and a maximum) – for situations where a user must provide some, but not necessarily all, of the items in a list
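As an added example (not the Archer Group's code), the two server-side checks behind the Credit Card item above: a Luhn digit check and an end-of-month expiration test. The class name, method names and the sample values are constructed for illustration.

```csharp
using System;
using System.Linq;

// Server-side checks behind the Credit Card validator; names and sample values are constructed.
public static class CreditCardChecks
{
    // Luhn (mod 10) check. This is a format check only: it catches typos and random
    // strings, it does not prove the card exists or is authorised for payment.
    public static bool PassesLuhn(string input)
    {
        // Drop the spaces and dashes users type; anything else left over fails the format check.
        string digits = new string((input ?? "").Where(c => c != ' ' && c != '-').ToArray());
        if (digits.Length < 12 || digits.Length > 19 || !digits.All(c => c >= '0' && c <= '9'))
            return false;
        int sum = 0;
        bool doubleIt = false;   // every second digit, counting from the right, is doubled
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            int d = digits[i] - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    // Expiration check: a card is valid through the last day of its stated month, and a
    // two-digit year is read in the current century. 'now' is a parameter so the check is testable.
    public static bool IsNotExpired(int month, int year, DateTime now)
    {
        if (month < 1 || month > 12) return false;
        if (year < 100) year += (now.Year / 100) * 100;
        DateTime firstDayAfterExpiry = new DateTime(year, month, 1).AddMonths(1);
        return now < firstDayAfterExpiry;
    }

    public static void Main()
    {
        // Constructed inputs: a commonly used Luhn-valid test number, the same number with
        // its last digit changed, and a fixed "today" so the output does not depend on the clock.
        Console.WriteLine(PassesLuhn("4111 1111 1111 1111"));
        Console.WriteLine(PassesLuhn("4111 1111 1111 1112"));
        DateTime today = new DateTime(2014, 6, 15);
        Console.WriteLine(IsNotExpired(6, 14, today));
        Console.WriteLine(IsNotExpired(5, 2014, today));
    }
}
```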

The new validators are used in addition to the built-in .NET validators. Like the jQuery front-end validation process, the code is easily extensible. The framework provides several benefits for Archer Group clients: standardized code reduces development time and costs; stronger validation makes it less likely that their sites will be compromised; and their users get an improved browsing experience.

* Paul Smith contributed to this post.
