Ask the Expert

Alternatives to server-side includes for ASP.NET

I want to use server-side includes, but how do I do it safely so that it's protected from injection exploits, for example?

    Requires Free Membership to View

ASP.NET doesn't have traditional server-side includes. You have the ability to write Web controls that you can include in top-level pages. In cases such as this, you have to specify the Web control statically so that it can be compiled along with the containing page so there aren't many risks of injection attacks specific to using the Web control. Hopefully this will serve all of your server-side include needs.

However, if you need more dynamic server-side include capabilities, you can leverage the Response.WriteFile method to include the content of arbitrary files into the stream being sent back to the browser. See this MSDN article for more information.

Basically the code looks like this:

... preceding content ...
<%
       Response.WriteFile(filenameVariable)
%>

... following content ...

This will allow you to dynamically choose the name of a file to include.

As with avoiding all injection flaws, data validation is crucial. You want to positively validate that 'filenameVariable' meets standards you set out. One suggestion is to use regular expressions to verify that the filename to be included only includes alphanumeric characters and possibly '.' characters. Just checking for well-known malicious sequences such as "../" is not good enough. With the various character sets and encodings used along the inputs path to reaching this code, you run the risk of canonicalization issues.

One other thing to note is that the contents of the included files are simply sent along verbatim -- there is no server-side processing. So if the included file contains ASP.NET code, the code will not be executed and will instead be disclosed to the remote user.

Using ASP.NET Web controls can help you to safely reuse code in the style of server-side includes. If you must have more dynamic control, be sure to carefully and positively validate the names of the files to be included. Also, be sure that included files don't contain any server-side code because it will not be processed.

More information:

This was first published in December 2006

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: