I have my application and from the security testing team I got a bug reported about the possibility for a user to inject malicious code from our forms inputs. The application is developed in ASP.NET MVC4, .NET 4.5 and EF 5.

The attack being tested is like any usual HTML being entered, but instead of using the regular < or >, my coworker is using ＜ and ＞ (the fullwidth Unicode versions of the previous characters; see here for the full list). MVC lets these characters get through and then, somehow, the ORM removes the "wide" portion of the character and lets the standard, plain characters get into the DB. Needless to say, if not correctly encoded in the output of a view, the retrieval and rendering of these characters can lead to XSS vulnerabilities.

What I need now is a way to sanitize and perform a Normalize() of all the strings being submitted in any form in the application. Some people told me to create a custom model binder, but in the BindModel method I couldn't find a spot to modify the fields so that, later, the framework could recognize the cleansed values and recognize the injection.

Any suggestion will be much appreciated.


Solution

You can provide a custom request validator instead.

using System.Text;
using System.Web;
using System.Web.Util;

public class NormalizingRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        // Fold compatibility characters (e.g. fullwidth ＜ and ＞) to their plain forms
        // before the built-in check, so it sees the same text the ORM ends up storing.
        return base.IsValidRequestString(context, value.Normalize(NormalizationForm.FormKC), requestValidationSource, collectionKey, out validationFailureIndex);
    }
}

In web.config

<system.web>
    <httpRuntime targetFramework="4.5" requestValidationType="YourNamespace.NormalizingRequestValidator, YourAssembly" />
</system.web>

If you also want to normalize the strings you receive in your controllers, implement a custom ValueProviderFactory. See What's the Difference Between a Value Provider and Model Binder?

Note: if you choose to only implement a ValueProviderFactory, you will have to call RequestValidator.Current to manually validate the normalized string.
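As an added example of the ValueProviderFactory route the answer mentions (this is not code from the question or the answer), the factory below replaces MVC's default form value provider: it NFKC-normalizes each form field, then passes the normalized text through RequestValidator.Current exactly as the note above requires. The class name and the error messages are my own choices; everything else uses standard ASP.NET MVC 4 / .NET 4.5 APIs.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

// Replaces MVC's FormValueProviderFactory: every form field is normalized to
// NFKC first and then checked with the active RequestValidator, so fullwidth
// "＜script＞" reaches request validation and the controller as "<script>".
public class NormalizingFormValueProviderFactory : ValueProviderFactory
{
    public override IValueProvider GetValueProvider(ControllerContext controllerContext)
    {
        // Read the raw form without triggering validation on the un-normalized text.
        NameValueCollection form = controllerContext.HttpContext.Request.Unvalidated.Form;
        var normalized = new NameValueCollection();

        foreach (string key in form.AllKeys)
        {
            foreach (string raw in form.GetValues(key) ?? new string[0])
            {
                string clean;
                try
                {
                    clean = raw == null ? null : raw.Normalize(NormalizationForm.FormKC);
                }
                catch (ArgumentException)
                {
                    // Invalid Unicode (e.g. lone surrogates) cannot be normalized: reject it.
                    throw new HttpRequestValidationException("Malformed text in form field " + key);
                }

                int failureIndex;
                if (clean != null && !RequestValidator.Current.IsValidRequestString(
                        HttpContext.Current, clean, RequestValidationSource.Form, key, out failureIndex))
                {
                    throw new HttpRequestValidationException(
                        "A potentially dangerous Request.Form value was detected from the client (" + key + ").");
                }
                normalized.Add(key, clean);
            }
        }
        return new NameValueCollectionValueProvider(normalized, CultureInfo.CurrentCulture);
    }
}
```

Register it in Application_Start after removing the stock FormValueProviderFactory from ValueProviderFactories.Factories, e.g. `ValueProviderFactories.Factories.Insert(0, new NormalizingFormValueProviderFactory());`. Query-string and route values are not covered by this provider, so keep the custom RequestValidator from the answer in place as the backstop for those sources.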

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow