Is there any security issue if we allow our login action method to accept unsafe words using [ValidateInput(false)]?

  • Question

  • User-540818677 posted

    I am working on an ASP.NET MVC 4 application, and for the login I am integrating with our Active Directory using an LDAP connection string. Now, I have not faced any problem with users' login, and we have had more than 150 users accessing the system for more than 4 years. But lately a user reported that he is receiving "Error while processing your request" when he tried to login. So the only scenario I can think of is that MVC is rejecting the password. Also, if I try to login using my username and I enter a password as follows, "<script>1234</script>", then instead of receiving this message, "The user name or password provided is incorrect.", I get this error: "Error while processing your request". The latter error in our case is raised if there is an unhandled exception in the system. Also, if I login to the system from the hosting server and try to login by passing this password "<script>1234</script>", I get this error (since we enable custom error messages on remote servers only), so this error is more comprehensive:-

    A potentially dangerous Request.Form value was detected from the client (Password="<script>"

    Now I tried a test where I added [ValidateInput(false)] to my login action method, and it fixed the problem from my side: if I type this password "<script>1234</script>", I get the error message "The user name or password provided is incorrect." instead of an exception. And I am pretty sure that this will also fix the user's issue as well.

    But my question is: is adding [ValidateInput(false)] at the top of my login POST action method fine, or can it pose a security issue? Now, I am not storing the password and I am not showing it to the user.

    Here are our login GET & POST action methods:-

    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        returnUrl = TempData["returnUrl"] != null ? TempData["returnUrl"].ToString() : String.Empty;
        List<String> domains = new List<String>();
        domains.Add("*****");
        ViewBag.ReturnUrl = returnUrl;
        ViewBag.Domains = domains;
        return View();
    }
    
    
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    // **** i am planning to add [ValidateInput(false)] !! ****
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        MembershipProvider domainProvider;
        domainProvider = Membership.Providers["TestDomain1ADMembershipProvider"];

        if (ModelState.IsValid)
        {
            // Validate the user with the membership system.
            if (domainProvider.ValidateUser(model.UserName, model.Password))
            {
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
                List<String> domains2 = new List<String>();
                domains2.Add("****");
                ViewBag.Domains = domains2;
                return View(model);
            }
            return RedirectToLocal(returnUrl);
        }

        // ModelState invalid: redisplay the form with the domain list.
        List<String> domains = new List<String>();
        domains.Add("****");
        ViewBag.Domains = domains;
        return View(model);
    }

    Thanks

    Tuesday, February 5, 2019 1:13 PM

All replies

  • User-2054057000 posted

    When you use [ValidateInput(false)] on the controller or its action, then users can enter unsafe words in text boxes which are posted to the server, e.g. a user can enter a <script> tag in the text boxes. By default ASP.NET has put its security in place to not allow such keywords to be posted to the server.

    It is unsafe and hackers can exploit this. So I do not recommend you use [ValidateInput(false)] to loosen this security.

    Tuesday, February 5, 2019 3:45 PM
  • User-540818677 posted

    yogyogi

    When you use [ValidateInput(false)] on the controller or its action, then users can enter unsafe words in text boxes which are posted to the server, e.g. a user can enter a <script> tag in the text boxes. By default ASP.NET has put its security in place to not allow such keywords to be posted to the server.

    It is unsafe and hackers can exploit this. So I do not recommend you use [ValidateInput(false)] to loosen this security.

    As mentioned in the comment inside my code, I will be doing so on the action method only (the POST Login action method) and not at the controller level.

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    // **** i am planning to add [ValidateInput(false)] !! ****
    public ActionResult Login(LoginModel model, string returnUrl)

    Also, let's view this from a different angle. Let's say I did not add [ValidateInput(false)] on the login POST action method; then users who have passwords containing unsafe words will not be able to login... Since Active Directory allows these unsafe words, and I have my login connected to our AD through the LDAP connection string, my application will have a problem if I do not allow passing passwords which contain unsafe words. Is this correct?

    Tuesday, February 5, 2019 3:55 PM
  • User475983607 posted

    Also, let's view this from a different angle. Let's say I did not add [ValidateInput(false)] on the login POST action method; then users who have passwords containing unsafe words will not be able to login... Since Active Directory allows these unsafe words, and I have my login connected to our AD through the LDAP connection string, my application will have a problem if I do not allow passing passwords which contain unsafe words. Is this correct?

    Seems pretty straightforward. I assume the password is read-only and treated as a string parameter. The web application must accept the same characters as the AD login, otherwise you are left with a bug.

    Tuesday, February 5, 2019 3:59 PM
  • User-540818677 posted

    johnjohn123123

    Also, let's view this from a different angle. Let's say I did not add [ValidateInput(false)] on the login POST action method; then users who have passwords containing unsafe words will not be able to login... Since Active Directory allows these unsafe words, and I have my login connected to our AD through the LDAP connection string, my application will have a problem if I do not allow passing passwords which contain unsafe words. Is this correct?

    Seems pretty straightforward. I assume the password is read-only and treated as a string parameter. The web application must accept the same characters as the AD login, otherwise you are left with a bug.

    So you are for the approach of adding [ValidateInput(false)] on the login POST action method? Is this correct?

    Tuesday, February 5, 2019 11:12 PM
  • User475983607 posted

    So you are for the approach of adding [ValidateInput(false)] on the login POST action method? Is this correct?

    Again, it's fine as long as the inputs are read-only, which seems to be the case. If you render the input value, in an error message for example, that could be a problem.

    Tuesday, February 5, 2019 11:16 PM
  • User1520731567 posted

    Hi johnjohn123123,

    ValidateInput

    The ValidateInput attribute can be applied to a Controller's Action method, and it will disable the validation by ASP.NET MVC only for that particular Action method.

    Advantages

    The scope is limited to a specific Action method of the Controller class. If you have multiple properties accepting HTML content, then this method will reduce redundancy. When a Model class is not used for designing the Form elements, then this attribute is needed. For complete details, see Link.

    But my question is: is adding [ValidateInput(false)] at the top of my login POST action method fine, or can it pose a security issue? Now, I am not storing the password and I am not showing it to the user.

    As far as I know, this is the easiest way. I can't say it absolutely, but at the moment I haven't seen a case mentioning a security risk.

    And you could also use AllowHtml:

    The AllowHtml attribute can be applied to a Model property, and it will disable the validation by ASP.NET MVC only for that particular property.

    Advantages 

    The AllowHtml attribute is designed for the Model class. The scope is limited to a specific property of the Model class. It is the safe and recommended solution.

    For more details about ValidateInput(false) and AllowHtml, you could refer to:

    https://stackoverflow.com/a/30522282

    Best Regards.

    Yuki Tao

    Wednesday, February 6, 2019 8:02 AM
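
Added example, not code from the thread: the narrower [AllowHtml] approach from the last reply combined with the "never render the submitted value" rule from User475983607's reply. The LoginModel class is a hypothetical reconstruction (the thread never shows it), RedirectToLocal is assumed to be the standard MVC 4 template helper, and the provider name is the one from the question. Only the Password property is exempted from request validation; UserName and returnUrl are still checked by ASP.NET, and the action never writes the password into a log, a ViewBag, or an error message.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical model (assumption: the thread does not show the real one).
// Request validation is relaxed only for Password, so a value such as
// "<script>1234</script>" reaches the action instead of throwing, while
// UserName is still subject to the default validation.
public class LoginModel
{
    [Required]
    [Display(Name = "User name")]
    public string UserName { get; set; }

    [Required]
    [DataType(DataType.Password)]
    [AllowHtml] // scope: this property only, unlike [ValidateInput(false)]
    public string Password { get; set; }

    [Display(Name = "Remember me?")]
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    // No [ValidateInput(false)] here: query string, cookies and the other
    // form fields of this request keep the default protection.
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        MembershipProvider domainProvider =
            Membership.Providers["TestDomain1ADMembershipProvider"];

        // The password is handed to the AD provider as an opaque string and
        // is never stored, logged or placed in ViewBag/ModelState, so the
        // relaxed validation cannot become reflected XSS through this action.
        if (domainProvider.ValidateUser(model.UserName, model.Password))
        {
            FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
            return RedirectToLocal(returnUrl);
        }

        // Fixed, generic message: nothing the client submitted is echoed.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Assumed to match the MVC 4 template helper: only local URLs are
    // followed, which keeps returnUrl from becoming an open redirect.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl))
        {
            return Redirect(returnUrl);
        }
        return RedirectToAction("Index", "Home");
    }
}
```

On the view side, keep rendering the field with @Html.PasswordFor(m => m.Password): the password helper does not emit a value attribute, so the submitted string is never written back into the page even when the form is redisplayed with an error. Anything else that is rendered (the user name, the returnUrl) should go through the Razor @ syntax or Html.Encode so it is HTML-encoded; that, not request validation, is the control that actually prevents script injection.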