Question

I'm trying to make sure my WebForms ASP.NET application is as secure as possible. It receives and stores user input data in a SQL database (the usual stuff), only for users with a login, so it is not available to the general public.

By disabling ValidateRequest for input pages, I appreciate there's a risk of XSS attacks. All the SQL queries are parameterised, so they are safe from SQL injection (correct?).

Rather than using the Anti-XSS library, can I just use HTMLencode on the input text? Do I then store the HTMLencoded string?

Or am I looking at it the wrong way? Should I store the user's input verbatim, and then HTMLencode or XSS-HTMLencode it any time it is output to a browser?


Solution

OK, reading around, it appears that common wisdom is to store the input verbatim, make no adjustments whatsoever, and simply parameterise to protect against SQL injection.

Some good comments here: What are the best practices for avoiding xss attacks in a PHP site

Then either HTML Encode (seems vulnerable), or use the XSS library to encode the output. As said in the link above, the destination for the data may not be a browser at some later point.

Then, using the examples of XSS attacks here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, input some of these into the database and read them back to the browser. With the right encoding you should see the text, and not have a script executed.

OTHER TIPS

Taking into account that Injection and XSS attacks hold the first two spots in the OWASP Top 10, you need to be very careful when you disable Request Validation in ASP.NET.

First, don't disable request validation unless it is really needed. You have to have a reason to do it. Request validation is a native mechanism against XSS-type attacks.

Second, always do white-list validation for all input fields, which lets only acceptable characters through.

There will be cases when you need to let through characters like '<' or '>', which are potentially dangerous.

So you have to always encode output if you display it on the page. Always. That prevents JavaScript (if any was inserted into the input) from being executed.

Parameterised queries have to be used along with the aforementioned white-list validation and output encoding in order to prevent SQL injection attacks.

Also, don't do any dynamic query construction (dynamic SQL) inside SQL stored procedures.

And make sure that all your DB users and SQL stored procedures have an appropriate level of access to the DB resources (the least-possible-access-rights approach).
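As an added example (not code from the question or either answer), here is a C# sketch of the pattern both answers converge on for a WebForms code-behind: white-list validation on the narrow field, a parameterised insert that stores the body verbatim, and encoding chosen for the output context at render time. The `Comments` table, its columns and the connection string are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Assumed table: Comments(Id INT IDENTITY, Author NVARCHAR(50), Body NVARCHAR(MAX)).
public static class CommentStore
{
    // White-list validation for a field whose legitimate values are narrow.
    // Input outside the list is rejected, not "cleaned up".
    static readonly Regex AuthorPattern = new Regex(@"^[A-Za-z0-9 .'-]{1,50}$");

    public static bool IsValidAuthor(string author)
    {
        return author != null && AuthorPattern.IsMatch(author);
    }

    // Store the input verbatim. Parameters carry the values out of band,
    // so '<', '>' or a quote in the body can never alter the SQL statement.
    public static void Save(string connectionString, string author, string body)
    {
        if (!IsValidAuthor(author))
            throw new ArgumentException("author failed white-list validation");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Comments (Author, Body) VALUES (@author, @body)", conn))
        {
            cmd.Parameters.Add("@author", SqlDbType.NVarChar, 50).Value = author;
            cmd.Parameters.Add("@body", SqlDbType.NVarChar).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Encode at output time, with the encoder for the context the value lands in.
    // HtmlEncode covers element content; a quoted attribute needs HtmlAttributeEncode.
    // Had the value been encoded before storage, rendering would double-encode it
    // (the reader would see "&lt;" instead of "<"), which is why storage stays raw.
    public static string RenderBody(string storedBody)
    {
        return "<div class=\"comment\">" + HttpUtility.HtmlEncode(storedBody) + "</div>";
    }

    public static string RenderAuthorTitle(string storedAuthor)
    {
        return "<span title=\"" + HttpUtility.HtmlAttributeEncode(storedAuthor) + "\">...</span>";
    }
}
```

In the .aspx markup itself, the `<%: Eval("Body") %>` syntax (ASP.NET 4) or a Literal control with `Mode="Encode"` applies the same HtmlEncode at render time; a value placed inside a `<script>` block needs `HttpUtility.JavaScriptStringEncode` instead, which is the gap the contextual encoders in the Anti-XSS library are meant to close.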

Licensed under: CC-BY-SA with attribution