Microsoft KB Archive/867600

= IMPROVING WEB APPLICATION SECURITY: THREATS AND COUNTERMEASURES: Corrections and Comments =

Article ID: 867600

Article Last Modified on 5/8/2007

-

APPLIES TO


 * MSPRESS Improving Web Application Security: Threats and Countermeasures, ISBN 0-7356-1842-9

-



SUMMARY
This article contains comments, corrections, and information about known errors relating to the Microsoft Patterns & Practices book Improving Web Application Security: Threats and Countermeasures, ISBN 0-7356-1842-9

Web version of the book is updated as we find the errors. You may find many or all of the errors below already corrected in the web version of the book on MSDN.

The following topics are covered:
 * Page 273, Chapter 10: Building Secure ASP.NET Pages and Controls, Section: Data-Bound Controls, Complete Section
 * Page 441, Chapter 16: Securing Your Web Server, Section: Disable NetBIOS and SMB



MORE INFORMATION
Page 273, Chapter 10: Building Secure ASP.NET Pages and Controls, Section: Data-Bound Controls, Complete Section

http://msdn2.microsoft.com/en-us/library/aa302426.aspx

Change:

Data-bound Web controls do not encode output. The only control that encodes output is the TextBox control when its TextMode property is set to MultiLine. If you bind any other control to data that has malicious XSS code, the code will be executed on the client. As a result, if you retrieve data from a database and you cannot be certain that the data is valid (perhaps because it is a database that is shared with other applications), encode the data before you pass it back to the client.

To:

Data bound controls are web controls that are bindable to data components through a public inherited ‘DataSource’ property. To mention a few, you will find DataGrid, ListBox and DropDownList to be used very often. Not all data bound controls perform encoding when displaying data retrieved from a bound data component; thus, it will be your responsibility to perform encoding on non-trusted data components in order to prevent XSS attacks. For example, a data component cannot be trusted in a scenario where different applications share a single database. If an attacker has the ability to insert malicious XSS code into the database (by abusing a vulnerability in one of the applications, for instance) all applications using non-encoding web controls bound to it, will turn vulnerable. Only avoid encoding if you can be certain that the output from the data component will always be valid.

Examples of data bound controls that do not perform encoding are DataGrid, DataList, RadioButtonList and CheckBoxList. Performing encoding for a data bound control may vary depending on each specific control. For example, for a DataGrid control, you have the following options:


 * Turn all columns into templates and manually use HtmlEncode/UrlEncode on each call to DataBinder.Eval
 * Override one of its DataBinding methods, such as OnDatabinding or OnItemDataBound and perform encoding on its items. The following example illustrates how to override the OnItemDataBound method of a DataGrid control in order to encode its items by either using HtmlEncode or UrlEncode when required:

... [DefaultProperty(&quot;Text&quot;), ToolboxData(&quot;&quot;)] public class DataGrid : System.Web.UI.WebControls.DataGrid {   ///     /// The ItemDataBound event is raised after an item is data bound to the DataGrid /// control. This event provides you with the last opportunity to access the data /// item before it is displayed on the client. After this event is raised, the data /// item is nulled out and no longer available. - .NET Framework Class Library ///    ///  protected override void OnItemDataBound(DataGridItemEventArgs e)   { base.OnItemDataBound (e); switch (e.Item.ItemType) {       case ListItemType.Item: case ListItemType.AlternatingItem: case ListItemType.EditItem: case ListItemType.SelectedItem: case ListItemType.Footer: case ListItemType.Header: case ListItemType.Pager: // even though not all of these ListItemTypes are data bound, // perform HtmlEncode or UrlEncode on each control. If there are // no controls, we perform HtmlEncode on any available text. // Also, don't let 's be encoded. TableCellCollection cCells = e.Item.Cells; foreach (TableCell tc in cCells) {           if (tc.Controls.Count > 0) {             foreach (Control ctrl in tc.Controls) {               // don't perform HtmlEncode on URL's                if (ctrl is HyperLink) {                 HyperLink hLnk = (HyperLink)ctrl; if (hLnk.Text.Length > 0) hLnk.Text = HttpUtility.HtmlEncode(hLnk.Text); if (hLnk.NavigateUrl.Length > 0) hLnk.NavigateUrl = HttpUtility.UrlEncode(hLnk.NavigateUrl); }               else if (ctrl is LinkButton) {                 LinkButton lButton = (LinkButton)ctrl; if (lButton.Text.Length > 0) lButton.Text = HttpUtility.HtmlEncode(lButton.Text); }               else if (ctrl is Button) {                 Button cButton = (Button)ctrl; if (cButton.Text.Length > 0) cButton.Text = HttpUtility.HtmlEncode(cButton.Text); }             }            }             else {                           // there are no controls in the table cell // HTMLEncode any available text if (tc.Text.Length > 0) {               if (&quot; &quot; != tc.Text) tc.Text = HttpUtility.HtmlEncode(tc.Text); }           }          }          break; default: break; }    }   } ...

Page 441, Chapter 16: Securing Your Web Server, Section: Disable NetBIOS and SMB

http://msdn2.microsoft.com/en-us/library/aa302432.aspx

Following Note is added:

Note: Test your changes before implementing them in production. Disabling sharing or NetBIOS can negatively impact manageability for your scenario. For example, IIS uses the NetUserChangePassword API which depends on NetBIOS. If you permit users to change passwords through IIS, this will no longer work.

Additional query words: 0-7356-1842-9 0735618429 web application security

Keywords: kbdocfix kbdocerr KB867600

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.