Lab – ASP.NET Validation Controls
Objectives
After completing this lab, you should be able to:
• Use validation controls to constrain user input and help prevent security holes.
• Design your validation in a user-friendly way.
Overview
In this lab, you’ll work with a form that accepts various types of input from the user.
Your job is to constrain the input so that an attacker can’t easily slip malformed input into
your program. You will use ASP.NET validation controls to do this.
Scenario
In this scenario, you have a web form that services anonymous users on the Internet. The
form accepts several different types of data, all of which should be validated before being
accepted.
Setup
Open the before\ValidationControlsWeb.sln solution. This is a skeletal application where
you will do your work. There is also a fully completed lab in the after\ directory that you
can use to compare with your work if you get stuck.
Using ASP.NET Validation Controls
1. Familiarize yourself with the application.
a. This is a simple web application with two forms. The first form,
CreateAccount.aspx, asks the user to submit some information in order to
create a new account. (There’s no real account being created here; you’re
going to be focused purely on input validation.) The second form lets the
user know their account was created successfully. For this lab, this simply
indicates that the input was acceptable.
b. From Solution Explorer, open CreateAccount.aspx in design mode so you
can see the form you’ll be working with. This is where you’ll spend the
majority of your time.
2. Run the application.
a. Right-click on CreateAccount.aspx and choose “View in Browser”. Enter
some bogus data that doesn’t make any sense and submit it. It will be
accepted without question because there’s currently no validation logic in
the application.
3. Add a new column to the data entry table to house a set of validation controls.
a. Right-click in the empty space to the right of any of the input fields.
b. Choose Insert | Column to the Right.
c. You should see a new column with seven vertical cells added, as shown
below:
4. Because all of the fields on the form are required, add a RequiredFieldValidator
for each input field.
a. For each of the six new cells next to an input field, one by one, click in the
cell to select it, then double-click the RequiredFieldValidator control from
the Toolbox. You can find this control under the Validation section in the
toolbox. Docking the toolbox is a good idea at this point. If you have a big
enough screen, consider docking the property sheet as well.
b. Do this for each cell that is next to an input field.
5. Add a RegularExpressionValidator for the email address field.
a. Click in the empty space to the right of the RequiredFieldValidator next to
the email field.
b. Double-click RegularExpressionValidator to add one into the cell.
c. With the new validator selected, press F4 to view its properties.
d. Set the ValidationExpression to an Internet Email Address. You can select
this by pressing the “…” button that shows up when you click in the
ValidationExpression field.
e. Set the ErrorMessage to “Please enter a valid email address.”
6. Add a RegularExpressionValidator for the phone number field.
a. Click in the empty space to the right of the RequiredFieldValidator next to
the phone number field.
b. Double-click RegularExpressionValidator to add one into the cell.
c. With the new validator selected, press F4 to view its properties.
d. Select an appropriate ValidationExpression. The lab solution uses a U.S.
Phone Number.
e. Set the ErrorMessage to “Please enter a phone number in the form 111-111-1111.” (or whatever format you chose).
7. Add a RangeValidator for the Age field.
a. Click in the empty space to the right of the RequiredFieldValidator next to
the age field.
b. Double-click RangeValidator to add one into the cell.
c. With the new validator selected, press F4 to view its properties.
d. Select “Integer” for the Type.
e. Set MinimumValue to 1.
f. Set MaximumValue to 135.
g. Set the ErrorMessage to “Please enter your age in years.”
8. Add a RangeValidator for the Date of Purchase field.
a. Click in the empty space to the right of the RequiredFieldValidator next to
the date of purchase field.
b. Double-click RangeValidator to add one into the cell.
c. With the new validator selected, press F4 to view its properties.
d. Select “Date” for the Type.
e. Set the MinimumValue to 1/1/2000.
f. Leave the MaximumValue blank for now. You’ll set it in your code at
runtime based on the current date.
g. Set the ErrorMessage to “Valid purchase dates are between 1/1/2000 and
the present.”
h. Set this RangeValidator’s ID to valPurchaseDate. You’re going to use it in
your code, and RangeValidator2 isn’t a very helpful name.
9. Mark all of your validation controls dynamic.
a. Select the validation control for the first name (it’s a
RequiredFieldValidator).
b. Hold down the control key and carefully click each of the other validation
controls. Be sure to get all of them (there are ten), as some of the cells
have more than one.
c. Press F4 to display the combined properties of the selected controls.
d. Double-click the Display property to switch it to Dynamic. This will make
the form look a little nicer in the places where there are multiple validation
controls.
e. Press ESC a couple of times to deselect the controls.
10. Set the ErrorMessage property for each RequiredFieldValidator. This is the
message that will be displayed if the user doesn’t provide input for the field.
a. For each RequiredFieldValidator, use a message like this: “First name is a
required field”, replacing “First name” with the field name for the
validator. You can speed this up a bit by putting a generic message like
“Foo is a required field.” on all of the validators using multiple selection,
then going back and replacing Foo with the name of the control. Just be
sure to hit ESC a couple of times to cancel the multiple selection when
you’re ready to tweak individual controls.
b. Here’s what things should look like when you’re done with this step:
11. Wire up the validators to their corresponding controls.
a. One by one, for each cell with one or more validators in it, select all the
validators in that particular cell, and press F4 to bring up a property sheet.
b. In the ControlToValidate property, drop down the selector and pick the
control to the left (txtFirstName, for example).
12. Add a ValidationSummary control to the form.
a. Click in the area shown below:
b. Double-click the ValidationSummary from the toolbox to add it to the
form.
c. Set the HeaderText property to “We're sorry, but there are a few things on
your application that need to be changed before we can process it. Please
see the messages below:”
13. Set the MaximumValue for the Date of Purchase field dynamically at runtime.
a. Press F7 to switch to the code behind the CreateAccount form.
b. In the Page_Load method, set the valPurchaseDate.MaximumValue to
today’s date. This is a string field, and you’ll probably want to format the
date so that the time doesn’t factor in:
valPurchaseDate.MaximumValue = DateTime.Now.ToString("MM-dd-yyyy");
14. Before redirecting to the AccountAccepted page, check that the form is valid.
a. In the btnCreate_Click handler, wrap the redirect with an If statement that
checks whether the page is valid:
if (IsValid) {
    Response.Redirect("AccountAccepted.aspx");
}
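Steps 3 through 14 produce a form whose validators are declared in the .aspx markup and whose runtime logic lives in the code-behind. The following single-file Web Forms page is an added example that shows the finished result in one place; it is not the lab’s before\ or after\ solution. The validator IDs, the second text box (txtLastName, assumed here to be the sixth input field the lab never names) and the table layout are assumptions; the two ValidationExpression values are the Visual Studio built-in “Internet e-mail address” and “U.S. phone number” patterns the lab tells you to pick.

```aspx
<%@ Page Language="C#" %>

<script runat="server">
    // Runs on every request, including the postback that carries the submitted form.
    // Validation runs after Page_Load and before btnCreate_Click, so the bound set
    // here is what the server-side RangeValidator compares the posted value against.
    protected void Page_Load(object sender, EventArgs e)
    {
        // Step 13: today is the upper bound; the time portion is dropped.
        valPurchaseDate.MaximumValue = DateTime.Now.ToString("MM-dd-yyyy");
    }

    protected void btnCreate_Click(object sender, EventArgs e)
    {
        // Step 14: IsValid is computed by the server-side validators whether or not
        // the browser ran the client script. A handler that redirects without this
        // check would accept input that only the JavaScript rejected.
        if (IsValid)
        {
            Response.Redirect("AccountAccepted.aspx");
        }
    }
</script>

<html>
<head><title>Create Account</title></head>
<body>
<form id="form1" runat="server">
    <!-- Step 12: one summary for the whole form, useful on long pages. -->
    <asp:ValidationSummary ID="valSummary" runat="server"
        HeaderText="We're sorry, but there are a few things on your application that need to be changed before we can process it. Please see the messages below:" />
    <table>
        <tr>
            <td>First name</td>
            <td><asp:TextBox ID="txtFirstName" runat="server" /></td>
            <td><asp:RequiredFieldValidator ID="valFirstName" runat="server"
                    ControlToValidate="txtFirstName" Display="Dynamic"
                    ErrorMessage="First name is a required field" /></td>
        </tr>
        <tr>
            <td>Last name</td> <!-- assumed sixth field -->
            <td><asp:TextBox ID="txtLastName" runat="server" /></td>
            <td><asp:RequiredFieldValidator ID="valLastName" runat="server"
                    ControlToValidate="txtLastName" Display="Dynamic"
                    ErrorMessage="Last name is a required field" /></td>
        </tr>
        <tr>
            <td>Email</td>
            <td><asp:TextBox ID="txtEmail" runat="server" /></td>
            <!-- RegularExpressionValidator treats an empty box as valid, so the
                 RequiredFieldValidator beside it is what makes the field mandatory. -->
            <td><asp:RequiredFieldValidator ID="valEmail" runat="server"
                    ControlToValidate="txtEmail" Display="Dynamic"
                    ErrorMessage="Email is a required field" />
                <asp:RegularExpressionValidator ID="valEmailFormat" runat="server"
                    ControlToValidate="txtEmail" Display="Dynamic"
                    ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"
                    ErrorMessage="Please enter a valid email address." /></td>
        </tr>
        <tr>
            <td>Phone</td>
            <td><asp:TextBox ID="txtPhone" runat="server" /></td>
            <td><asp:RequiredFieldValidator ID="valPhone" runat="server"
                    ControlToValidate="txtPhone" Display="Dynamic"
                    ErrorMessage="Phone is a required field" />
                <asp:RegularExpressionValidator ID="valPhoneFormat" runat="server"
                    ControlToValidate="txtPhone" Display="Dynamic"
                    ValidationExpression="((\(\d{3}\) ?)|(\d{3}-))?\d{3}-\d{4}"
                    ErrorMessage="Please enter a phone number in the form 111-111-1111." /></td>
        </tr>
        <tr>
            <td>Age</td>
            <td><asp:TextBox ID="txtAge" runat="server" /></td>
            <td><asp:RequiredFieldValidator ID="valAge" runat="server"
                    ControlToValidate="txtAge" Display="Dynamic"
                    ErrorMessage="Age is a required field" />
                <asp:RangeValidator ID="valAgeRange" runat="server"
                    ControlToValidate="txtAge" Display="Dynamic"
                    Type="Integer" MinimumValue="1" MaximumValue="135"
                    ErrorMessage="Please enter your age in years." /></td>
        </tr>
        <tr>
            <td>Date of purchase</td>
            <td><asp:TextBox ID="txtPurchaseDate" runat="server" /></td>
            <!-- MaximumValue is deliberately absent; Page_Load fills it in. -->
            <td><asp:RequiredFieldValidator ID="valPurchaseDateRequired" runat="server"
                    ControlToValidate="txtPurchaseDate" Display="Dynamic"
                    ErrorMessage="Date of purchase is a required field" />
                <asp:RangeValidator ID="valPurchaseDate" runat="server"
                    ControlToValidate="txtPurchaseDate" Display="Dynamic"
                    Type="Date" MinimumValue="1/1/2000"
                    ErrorMessage="Valid purchase dates are between 1/1/2000 and the present." /></td>
        </tr>
    </table>
    <asp:Button ID="btnCreate" runat="server" Text="Create account" OnClick="btnCreate_Click" />
</form>
</body>
</html>
```

To reproduce step 16 with this page, add EnableClientScript="false" to every validator: the browser stops giving field-by-field feedback, but the postback still fails validation and btnCreate_Click still refuses to redirect, because IsValid is evaluated on the server from the posted values, not from anything the client reports.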
15. Run the application and test your validation logic.
a. Press Ctrl-Shift-B to save and check the syntax of your app. Fix any
problems that you find.
b. Right-click CreateAccount.aspx in Solution Explorer and choose “View in
Browser”.
c. Note that as you move from field to field, you’ll be notified if you’ve
improperly formatted any fields.
d. When you submit the form, if there’s anything missing or incorrectly formatted,
the ValidationSummary control will point you to the problem. This is
particularly important with longer forms where the individual validation
control can’t be seen without scrolling the form down.
16. Turn off client-side validation and see what happens when an attacker goes
around the JavaScript.
a. Back in design view, carefully select all of your validation controls as you
did in step 9.
b. Double-click the EnableClientScript property to turn off client-side script
for all of your validation controls.
c. Press Ctrl-Shift-B to save and syntax check your app.
d. Refresh your browser and try the app again. You won’t get nearly as much
immediate feedback as you move from field to field, but when you submit
the form, the server-side validation will kick in and the end result will look
the same as before. The attacker cannot get around the server-side
validation without compromising the server itself!
Conclusion
In this lab, you used ASP.NET validation controls to constrain user input in a friendly
way. The beauty of these controls is that they use client-side validation to give the user
immediate feedback and prevent malformed requests from ever reaching your server,
which is great for scalability. But even if a determined attacker gets around the client-side
validation, the server-side validation still kicks in.
Keep that in mind whenever building validation logic. Server-side validation is for
security. Client-side validation is for a great user experience and a scalable app. Combine
them to get the best of both worlds by using ASP.NET validation controls!
Resources
• Patterns & Practices Security Guidance
• Essential ASP.NET, Onion