Q

Alternatives to server-side includes for ASP.NET

ASP.NET doesn't have traditional server-side includes. Instead, expert Dan cornell says, you can use Web controls to help you safely reuse files.

I want to use server-side includes, but how do I do it safely so that it's protected from injection exploits, for example?

ASP.NET doesn't have traditional server-side includes. You have the ability to write Web controls that you can include in top-level pages. In cases such as this, you have to specify the Web control statically so that it can be compiled along with the containing page so there aren't many risks of injection attacks specific to using the Web control. Hopefully this will serve all of your server-side include needs.

However, if you need more dynamic server-side include capabilities, you can leverage the Response.WriteFile method to include the content of arbitrary files into the stream being sent back to the browser. See this MSDN article for more information.

Basically the code looks like this:

... preceding content ...
<%
       Response.WriteFile(filenameVariable)
%>

... following content ...

This will allow you to dynamically choose the name of a file to include.

As with avoiding all injection flaws, data validation is crucial. You want to positively validate that 'filenameVariable' meets standards you set out. One suggestion is to use regular expressions to verify that the filename to be included only includes alphanumeric characters and possibly '.' characters. Just checking for well-known malicious sequences such as "../" is not good enough. With the various character sets and encodings used along the inputs path to reaching this code, you run the risk of canonicalization issues.

One other thing to note is that the contents of the included files are simply sent along verbatim -- there is no server-side processing. So if the included file contains ASP.NET code, the code will not be executed and will instead be disclosed to the remote user.

Using ASP.NET Web controls can help you to safely reuse code in the style of server-side includes. If you must have more dynamic control, be sure to carefully and positively validate the names of the files to be included. Also, be sure that included files don't contain any server-side code because it will not be processed.

More information:
This was first published in December 2006

Dig deeper on Building security into the SDLC (Software development life cycle)

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSOA

TheServerSide

SearchCloudApplications

SearchAWS

SearchBusinessAnalytics

SearchFinancialApplications

SearchHealthIT

Close