Secure your forms in ASP.NET

by Mads Kristensen 25. July 2007 21:11

Do we really need CAPTCHAs to prevent robots from posting to our web forms? Not if you run ASP.NET 2.0. Whether you use a form for member logins, blog comments or a web shop, you want to keep it as secure and tamper-proof as possible. Brute-force attacks on a login form performed by robots, or spammers hitting the blog comments, are scenarios you can avoid by leveraging existing ASP.NET 2.0 features.

Event validation

Event validation makes sure that a postback comes from a control on the page and not from a direct POST request sent by an application (read: a robot).

ASP.NET has event validation turned on by default, but many people turn it off for various reasons. One reason is that their web application logs exceptions caused by event validation. So does mine, but that happens exactly when an unauthorized POST request is performed. Don't turn it off.

ViewstateMAC

When ViewStateMAC is enabled it encrypts the ViewState so it cannot be tampered with by evildoers. ViewStateMAC is not enabled by default, so you have to turn it on manually in web.config like so:

<pages enableViewStateMac="true" />

When enabling ViewStateMAC you must also add a machine key to web.config so that all the servers in a web farm use the same encryption and decryption key. Otherwise you can end up with invalid ViewState. Here is an example of such a machine key.

<machineKey validationKey="D9F7287EFDE8DF4CAFF79011D5308643D8F62AE10CDF30DAB640B7399BF6C57B0269D60A23FBCCC736FC2487ED695512BA95044DE4C58DC02C2BA0C4A266454C"
            decryptionKey="BDAAF7E00B69BA47B37EEAC328929A06A6647D4C89FED3A7D5C52B12B23680F4"
            validation="SHA1" decryption="AES" />

You can take it a step further and add a user key to the ViewState. That locks the ViewState to a single user and makes it even harder to tamper with. Read more on the user key here.
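To make the two mechanisms concrete, here is a small added model (my own example code, not ASP.NET's implementation and not from this post) of what event validation and ViewStateMAC actually check. In real ASP.NET the validationKey from <machineKey> keys an HMAC (SHA1 with the validation="SHA1" setting above) over the serialized state; that is an integrity check, and the decryptionKey only comes into play when ViewState encryption is switched on separately. The user key mentioned above corresponds to setting Page.ViewStateUserKey, typically to Session.SessionID, in Page_Init. The model below replaces ASP.NET's serializer with JSON and its list of hash codes with SHA1 hex digests, and the keys, the page state and the session id are constructed stand-ins. It walks through the scenarios from the post: a browser posting a value the page offered, a robot posting an unlisted value or forging the field with its own key, two farm nodes with the same or different machine keys, another user replaying the ViewState, and a ViewState blob edited in transit.

```python
"""Model of ASP.NET event validation and ViewStateMAC (added example, not ASP.NET code)."""
import base64
import hashlib
import hmac
import json

# Constructed keys: stand-ins for the validationKey in <machineKey>.
FARM_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 4)   # shared by every farm node
ROGUE_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 4)  # a key a robot might pick

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes, matching validation="SHA1"


def _mac(key, payload, user_key=""):
    # HMAC-SHA1 over the serialized state. The optional user key is mixed in so a blob
    # protected for one user does not verify for another (the ViewStateUserKey idea).
    return hmac.new(key, payload + b"|" + user_key.encode(), hashlib.sha1).digest()


def protect(state, key, user_key=""):
    """Serialize state and append its MAC, as ViewStateMAC does for the __VIEWSTATE field."""
    payload = json.dumps(state, sort_keys=True).encode()
    return base64.b64encode(payload + _mac(key, payload, user_key)).decode()


def unprotect(blob, key, user_key=""):
    """Check the MAC before trusting anything in the blob; raise if it does not verify."""
    raw = base64.b64decode(blob)
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, payload, user_key)):
        raise ValueError("MAC validation failed: ViewState was tampered with or the key differs")
    return json.loads(payload)


def _entry(control_id, value):
    # One registered (control, value) pair; __EVENTVALIDATION keeps a list of such hashes.
    return hashlib.sha1(f"{control_id}|{value}".encode()).hexdigest()


def render_event_validation(registered, key, user_key=""):
    """At render time the page records every legal (control, value) pair in a protected field."""
    return protect({"ev": sorted({_entry(c, v) for c, v in registered})}, key, user_key)


def validate_postback(field, control_id, value, key, user_key=""):
    """On postback: reject if the field fails its MAC or the posted pair was never registered."""
    try:
        entries = unprotect(field, key, user_key)["ev"]
    except (ValueError, KeyError):
        return False
    return _entry(control_id, value) in entries


def demo():
    """Run the scenarios from the post; returns a dict of outcomes."""
    # Constructed page: a country drop-down and a submit button, rendered by farm node A.
    registered = [("ddlCountry", "DK"), ("ddlCountry", "US"), ("btnSubmit", "")]
    session = "session-of-josh"  # stand-in for Session.SessionID used as the user key
    ev = render_event_validation(registered, FARM_KEY, session)
    vs = protect({"page": "comments", "postId": 42}, FARM_KEY, session)

    results = {
        # a real browser posts a value the page offered
        "browser_posts_offered_value": validate_postback(ev, "ddlCountry", "DK", FARM_KEY, session),
        # a robot posts a value that was never in the drop-down
        "robot_posts_unlisted_value": validate_postback(ev, "ddlCountry", "ZZ", FARM_KEY, session),
        # a robot fabricates the field with a key of its own
        "robot_forges_field": validate_postback(
            render_event_validation(registered, ROGUE_KEY), "ddlCountry", "DK", FARM_KEY, session),
        # farm node B shares the machine key, so it accepts node A's field
        "farm_node_same_key": validate_postback(ev, "btnSubmit", "", FARM_KEY, session),
        # a node with a different machine key rejects it (the "invalid ViewState" symptom)
        "farm_node_other_key": validate_postback(ev, "btnSubmit", "", ROGUE_KEY, session),
        # another user's session replaying the same field fails because of the user key
        "replayed_by_other_user": validate_postback(ev, "btnSubmit", "", FARM_KEY, "someone-else"),
    }

    # ViewStateMAC: editing the serialized state in transit is caught before deserialization.
    raw = base64.b64decode(vs).replace(b'"postId": 42', b'"postId": 43')
    try:
        unprotect(base64.b64encode(raw).decode(), FARM_KEY, session)
        results["tampered_viewstate_rejected"] = False
    except ValueError:
        results["tampered_viewstate_rejected"] = True
    results["intact_viewstate_postid"] = unprotect(vs, FARM_KEY, session)["postId"]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point to take from the farm scenarios is the one the post makes about the machine key: the MAC only proves that the same key produced the field, so every node that may receive the postback has to hold the same validationKey, and a node with a different key cannot tell a legitimate postback from a forged one.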

All the rest

These are two built-in technologies you can use, but you still have to do your own form-field validation and so on. No CAPTCHA is needed when using these two techniques. All it requires is that you use a <form runat="server"> and the standard postback feature of ASP.NET to post the form. If you don't believe me, try it out. It does eliminate the need for CAPTCHAs.



ASP.NET | Security

Comments

7/27/2007 12:10:30 AM #

Josh Stodola

Thanks Mads, I hate CAPTCHA more than anything.  Please enlighten me on where/how you come up with that key used in web.config for enabling ViewstateMAC.  Thanks!

Josh Stodola, United States

7/27/2007 4:18:33 AM #

Mads Kristensen

Hi Josh, you can use this online machinekey generator http://aspnetresources.com/tools/keycreator.aspx

Mads Kristensen, Denmark

7/30/2007 3:50:13 AM #

Andreas Kraus

Hi Mads, will you still be able to receive Trackbacks and Pingbacks when using the Event Validation technique?

Best regards,
Andreas

Andreas Kraus, Germany

7/30/2007 3:53:43 AM #

Mads Kristensen

Trackback and pingback receivers are usually implemented in HttpHandlers that don't know about event validation, which only applies to pages and controls. In that case they will work as usual.

Mads Kristensen, Denmark

8/11/2007 2:50:04 PM #

pingback

Pingback from carlovella.com

Carlo Vella's Bits and Bytes » Tips and Tricks: Secure your forms in ASP.NET

carlovella.com


About the slave

Mads Kristensen
Web developer at ZYB and founder of BlogEngine.NET.


Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2008