When creating a web application that accepts input from users, one important step to ensure that your application is secure is assigning a maximum length to user input. Keep in mind that input length validation is just the tip of a very large iceberg when it comes to web application security, but it is a good first step. It’s safe to say that if someone is trying to put in 1200 characters for their first name, something fishy is going on.
As much as I love ASP.NET, I’ve found that it can easily lull some programmers into a false sense of security when it comes to input length validation. To demonstrate what I am talking about, I have put together a small application that will show how simple it is to pass longer-than-expected input to an application that would appear (to the uninformed programmer at least) to limit input length.
To begin I have created the basic aspx page below. Notice the MaxLength attribute that is highlighted in red:
It’s funny how people think they’re so unique. I just found out my cousin Abe (say hello to him at abemiester.com)–who I’ve spoken to all of about 3 times for a grand total of less than 10 minutes since we were children–is not only in IT, but is heavily interested in Application Security. This happens to be what I do for a living as well.
Check out this post of his on how .NET tries to pass off client-side testing as “validation”. Indeed, Abe. If you didn’t check on the server side, you didn’t check.
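To show what “checking on the server side” looks like for the case Abe describes, here is an added example (not code from his post or from either blog): an ASP.NET Web Forms code-behind that re-checks the length of a text box whose markup carries `MaxLength`. The control IDs `txtFirstName`, `btnSubmit` and `lblError`, the page class `Register` and the limit of 50 are assumptions for the example.

```csharp
// Added example, not from the original post. The TextBox MaxLength property
// only emits an HTML maxlength attribute; the browser enforces it, the server
// does not. A request assembled outside the browser can carry any length, so
// the code-behind has to check the posted value again.
//
// Assumed markup (hypothetical control IDs):
//   <asp:TextBox ID="txtFirstName" runat="server" MaxLength="50" />
//   <asp:Button  ID="btnSubmit"    runat="server" Text="Submit"
//                OnClick="btnSubmit_Click" />
//   <asp:Label   ID="lblError"     runat="server" />
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Register : Page
{
    // One source of truth for the limit; keep the markup's MaxLength equal to it.
    private const int FirstNameMaxLength = 50;

    // Pure check so the click handler and unit tests can share it.
    // A null value is rejected rather than treated as empty.
    public static bool IsLengthAllowed(string value, int maxLength)
    {
        if (value == null) return false;
        // String.Length counts UTF-16 code units, which is also what an
        // nvarchar(n) column limit measures.
        return value.Length <= maxLength;
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // The posted value is not truncated by MaxLength; it is whatever
        // arrived in the request.
        string firstName = txtFirstName.Text;

        if (!IsLengthAllowed(firstName, FirstNameMaxLength))
        {
            // Reject and stop processing instead of trusting the browser.
            lblError.Text = "First name must be at most "
                          + FirstNameMaxLength + " characters.";
            return;
        }

        // Normal handling continues here (e.g. a parameterized database insert).
    }
}
```

The same result can be had with an `<asp:RegularExpressionValidator>` whose expression bounds the length, provided the handler calls `Page.Validate()` and returns when `Page.IsValid` is false, since ASP.NET validation controls also run on the server.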