Alternatives to server-side includes for ASP.NET

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Building security into the SDLC (Software development life cycle) Problems caused by skipping analysis stage of SDLC Inexpensive phase of SDLC to catch and fix bugs GatherSpace beefs up cloud-based requirements management ALM: Best of breed vs. complete systems Software development life cycle phases, iterations, explained step by step The role of quality assurance (QA) pros in software security Common software security risks and oversights Why the quality assurance department should be involved in testing How to develop secure applications Secure software development practices 'not rocket science' Application Security Beating software's cross-site scripting, authentication problems Expert resolves issues plaguing OpenSTA users What is fuzz testing? What are some ways to use fuzz testing? How do I convince management to take application security seriously? How do I set up a secure login page using membership in ASP.NET? Security testing sales, marketing websites Are there application security certification standards? Top tools for testing Web application security How to prevent HTTP response splitting PCI DSS compliance: WAF, code review or both?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ASP.NET doesn't have traditional server-side includes. You have the ability to write Web controls that you can include in top-level pages. In cases such as this, you have to specify the Web control statically so that it can be compiled along with the containing page so there aren't many risks of injection attacks specific to using the Web control. Hopefully this will serve all of your server-side include needs.

However, if you need more dynamic server-side include capabilities, you can leverage the Response.WriteFile method to include the content of arbitrary files into the stream being sent back to the browser. See this MSDN article for more information.

Basically the code looks like this:

... preceding content ...
<%
       Response.WriteFile(filenameVariable)
%>
... following content ...

This will allow you to dynamically choose the name of a file to include.

As with avoiding all injection flaws, data validation is crucial. You want to positively validate that 'filenameVariable' meets standards you set out. One suggestion is to use regular expressions to verify that the filename to be included only includes alphanumeric characters and possibly '.' characters. Just checking for well-known malicious sequences such as "../" is not good enough. With the various character sets and encodings used along the inputs path to reaching this code, you run the risk of canonicalization issues.

One other thing to note is that the contents of the included files are simply sent along verbatim -- there is no server-side processing. So if the included file contains ASP.NET code, the code will not be executed and will instead be disclosed to the remote user.

Using ASP.NET Web controls can help you to safely reuse code in the style of server-side includes. If you must have more dynamic control, be sure to carefully and positively validate the names of the files to be included. Also, be sure that included files don't contain any server-side code because it will not be processed.

• How .NET developers can address security
• Malicious code injection: It's not just for SQL anymore
• The importance of input validation