How to Protect Your Application Against Parameter Injection
by Gal Ratner
Securing your web application against the hackers of the world is a difficult task. Authentication mechanisms,
sessionIds, and user accounts are a few of the options that are available to you for your efforts. However, the
most common technique of remotely manipulating an application is parameter injection. So, for example, let's say
you are viewing a transaction of customer #448, and your URL looks something like:
What is to stop customer 448 from typing in 449, let's say, and viewing another customer's transaction details?
The situation can even escalate into typing in complete SQL statements and executing them inside the original
statements you have coded. Well, this article isn't here to magically solve your problems and completely seal
your sensitive data. Checking for let's say a customer sessionID and matching it against the URL and the page
will still have to be done by you. However, this article will demonstrate a simple method of checking for valid
parameters in an already written application. It can be easily plugged in to any website and even if the website
contains hundreds of pages, it can still be a very effective tool in your efforts against hackers. The idea behind
it is very simple and includes three components.
The Validation Class
This class contains static methods to check for valid values. For example, if you are expecting a string that
is twenty characters long, it can check it for you and notify the application every time it encounters an invalid
string on any page. There are several methods implemented in the example code. However, you can add your own
and customize them to your needs.
Web.config
This is the file where you keep all of your application keys. So for example, if we would like to check for a
customerID and make sure it is an integer, we would add a key named <safeParameters> and set its value to
orderID-int32. Now every time our application will encounter an orderID parameter it will automatically check
to see if it has a valid integer value.
Global.asax
This file will contain a utility method to match all of our known parameter types to their value. This
method will be called isValidParameter. Every time a page is being requested, this method will be executed
and will then notify the application if the parameter is valid.
The idea behind those three components working together is very simple, and it goes something like this:
prepare all your utility methods to check for valid parameters, define all your valid parameters and check
for valid values on each page, take into consideration that if you are using a customerID in twenty pages
out of your application, they all must be of an integer value. Plugging these components into your application
is fairly simple and will ensure that an already up and running website will prompt you every time a hacker
tries to change a query string regardless of whether your programmers have checked for valid parameters or not.
Bear in mind that this is a plug-in, and like all plug-ins it will take its toll on your application performance.
A true secure application will embed any security methods inside the page object only using utility classes to
assist. However, if invalid parameters are a problem for you, then this is your solution.
How to Implement the Example
Step 1: Add a new utility class and copy and paste the code in parameterCheck.cs into it. Do not forget to change the namespace to fit the needs of the application.
public class parameterCheck{
public static bool isEmail(string emailString){
return System.Text.RegularExpressions.Regex.IsMatch(emailString, "['\\w_-]+(\\.['\\w_-]+)*@['\\w_-]+(\\.['\\w_-]+)*\\.[a-zA-Z]{2,4}");
}
public static bool isUSZip(string zipString){
return System.Text.RegularExpressions.Regex.IsMatch(zipString ,"^(\\d{5}-\\d{4})|(\\d{5})$");
}
}
Step 2: On your Web.config file, add a key under the <appSettings> tag. This key will contain all of the parameters you wish to check for and the types they need to be. The name of the key is <safeParameters>, and the value can be for example: "ordered-int32,customerEmail-email".
Step 4: Copy and paste the method isValidParameter into your Global.asax file. Implementation of this method can be and should be customized by you for your needs.
if(parameterType.Equals("int32")){
if(!parameterCheck.isInt(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("double")){
if(!parameterCheck.isDouble(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("USzip")){
if(!parameterCheck.isUSZip(parameterValue)) Response.Redirect("parameterError.aspx");
}
else if (parameterType.Equals("email")){
if(!parameterCheck.isEmail(parameterValue)) Response.Redirect("parameterError.aspx");
}
}
That's it! You have just secured your application against parameter injection. And although the final implementation of the utility methods is totally up to you and your needs, this little mechanism will certainly do the job of protecting an already written and deployed application and it doesn't matter how many pages or directories it may have.
About the Example
The example contains three files: Global.asax, Web.config, and parameterCheck.cs. Please look at the files' default implementation to understand whether or not you need custom methods.
You can download the example files from here: parameterinjection.zip (3.4 KB).
About the Author
Mr. Gal Ratner graduated from the Technion Institute in Israel and has been writing software for over 10 years.
He is the founder and CEO of
Inverted Software
located in southern California, which consults to large organizations.
