January 24, 2005

Creepy one

I just noticed a weird thing in the microsoft.public.dotnet.xml newsgroup. Somebody who identifies himself as Paja posts the same question (verbatim!) to the newsgroup once a month or so. He gets answers, but never replies, and keeps posting it again. Take a look here - Oct 17 2004, Nov 7 ...

January 23, 2005

Mitigating XPath Injection Attacks in .NET

It's already 2005 and everybody is aware of SQL injection attacks nowadays. But it's silly to think that this kind of attack is only about SQL, right? SQL injection is just one particular case of a general code injection attack - when somebody too gullible allows user input to become a ...

I'm not going to explain what an XPath injection attack is; it should be clear by now, and if it isn't, just go and read the "Blind XPath Injection" paper by Amit Klein. I'd like to show you how to mitigate this kind of attack in your .NET code.

So, considering the above XPath selection, how would you defend your system from an evil user with a fancy ' or ''=' as his name and password? All input is evil, so you definitely need to validate input fields before running SelectNodes, e.g. by checking that they don't contain apostrophes. But after all that's just a defensive kind of action, which only patches some currently known vulnerabilities while leaving the insecure code intact, inviting hackers to come up with something slightly different, like using a different quote character instead of apostrophes. A much better way to mitigate XPath injection attacks is to stop building dynamic XPath expressions from user input. Just as with SQL, the solution is simple - use parameters instead. Compile a parameterized XPath expression and pass user input as a parameter value, not as part of the expression. In addition to safety, this approach also nicely saves you CPU cycles on recompiling the XPath expression for each selection.

.NET has everything needed for doing XPath selections that way. But unfortunately the XsltContext API isn't a really intuitive one and is poorly documented. Happily there are XML MVPs around :). So Daniel Cazzulino has created the handy DynamicContext class, which you can find in the recently released Mvp.Xml v1.0 library, particularly in the Mvp.Xml.Common.XPath namespace. Read Daniel's excellent explanation for more info. I only want to show you a couple of lines that leverage that class. Instead of the crappy "//customer[@name='" + txtUser.Text + "' and @password='" + txtPassword.Text + "']" you can have the shiny clear "//customer[@name=$name and @password=$password]", precompiled and bulletproof!

//Can be done at initialization time
string xpath = "//customer[@name=$name and @password=$password]";
XPathExpression expr = DynamicContext.Compile(xpath);

//Run-time: bind the raw user input as variable values, never as part of the expression
DynamicContext ctx = new DynamicContext();
ctx.AddVariable("name", txtUser.Text);
ctx.AddVariable("password", txtPassword.Text);
expr.SetContext(ctx);
XPathNodeIterator custData = customers.Select(expr); // customers: an XPathNavigator over the customer data
And you don't even have to validate user input here - it's all done for free.
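To show what DynamicContext does under the hood, here is an added example (not code from the post or from Mvp.Xml): a minimal XsltContext subclass, VariableContext, that resolves $name-style variables from a dictionary. The customer document, the Demo class and the VariableContext name are constructed for illustration; it runs the post's tautology input through both the concatenated and the parameterized expression.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Xml.XPath;
using System.Xml.Xsl;
// Minimal XsltContext resolving $name-style variables from a dictionary (illustration only; Mvp.Xml's DynamicContext does this with more features).
public class VariableContext : XsltContext
{
    private readonly Dictionary<string, object> vars = new Dictionary<string, object>();
    public void AddVariable(string name, object value) { vars[name] = value; }
    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        object value;
        if (!vars.TryGetValue(name, out value))
            throw new XPathException("Undefined XPath variable: $" + name);
        return new Variable(value);
    }
    // No extension functions here; the remaining abstract members get neutral defaults.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) { return null; }
    public override int CompareDocument(string baseUri, string nextbaseUri) { return 0; }
    public override bool PreserveWhitespace(XPathNavigator node) { return false; }
    public override bool Whitespace { get { return false; } }
    private class Variable : IXsltContextVariable
    {
        private readonly object value; public Variable(object value) { this.value = value; }
        public object Evaluate(XsltContext context) { return value; } // handed back as a value, never parsed as XPath syntax
        public bool IsLocal { get { return false; } }
        public bool IsParam { get { return false; } }
        public XPathResultType VariableType { get { return XPathResultType.String; } }
    }
}
class Demo
{
    static void Main()
    {
        // Constructed sample document with two customers.
        XPathNavigator nav = new XPathDocument(new StringReader(
            "<customers><customer name='alice' password='s3cret'/><customer name='bob' password='hunter2'/></customers>")).CreateNavigator();
        string user = "' or ''='", pass = user; // the tautology input from the post
        // Vulnerable: concatenation turns the input into XPath syntax, so the predicate holds for every customer.
        string concatenated = "//customer[@name='" + user + "' and @password='" + pass + "']";
        Console.WriteLine("concatenated matches: " + nav.Select(concatenated).Count);
        // Safe: compile once with variables, then bind the raw input as string values at run time; the quotes are compared literally against @name, so nothing matches.
        XPathExpression expr = nav.Compile("//customer[@name=$name and @password=$password]");
        VariableContext ctx = new VariableContext();
        ctx.AddVariable("name", user); ctx.AddVariable("password", pass); expr.SetContext(ctx);
        Console.WriteLine("parameterized matches: " + nav.Select(expr).Count);
    }
}
```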

Go download Mvp.Xml and start playing with its classes; there are some gems there that can save you hours of coding and make your code faster and safer. And be aware of the XPath injection attack and the ways to mitigate it in .NET.

Update from Daniel Cazzulino:

Better yet, they can directly use the XPathCache class (1 line of code!!!):
XPathNodeIterator custData = XPathCache.Select(
    "//customer[@name=$name and @password=$password]",
    customersDocument,
    new XPathVariable("name", txtName.Text), 
    new XPathVariable("password", txtPassword.Text));
And all will be equally precompiled, cached and secure :) . There is an overload for each need, and you can do pretty much anything with a single line.

January 20, 2005

Turning Comments Off (Temporary!)

Ok, I can't take it anymore, too much spam. I turned comments off temporarily until I upgrade my blog engine. Sorry. ...

Mvp.Xml library v1.0 released

On behalf of the Mvp.Xml Project's team I'm glad to announce release v1.0 of the Mvp.Xml library. ...

The Mvp.Xml project is developed by Microsoft MVPs in XML technologies and XML Web Services worldwide. It is aimed at supplementing the .NET Framework functionality available through the System.Xml namespace and related namespaces such as System.Web.Services.

This release includes Common, XInclude.NET and XPointer.NET modules.

The Common module includes a set of commonly useful classes in the Mvp.Xml.Common and Mvp.Xml.Common.XPath namespaces, which extend the .NET functionality available through the System.Xml and related namespaces. They are: XmlSerializerCache, XmlBaseAwareXmlTextReader, XmlFragmentStream, XmlNodeFactory, XmlNodeListFactory, XmlTransformingReader, XmlParsedWriter, DynamicContext, XPathCache, IndexingXPathNavigator, XPathNavigatorReader, XmlNodeNavigator, SubtreeXPathNavigator, XPathNavigatorIterator, XPathIteratorReader etc. Find more here.

The XInclude.NET module provides an implementation of the W3C XML Inclusions (XInclude) 1.0 Recommendation and the XPointer Framework Recommendation written in C# for the .NET platform. XInclude.NET supports the XPointer element() Scheme, XPointer xmlns() Scheme, XPointer xpath1() Scheme and XPointer xpointer() Scheme (XPath subset only). The XInclude.NET module currently supports the streamable subset of XInclude, implemented as the fast, non-caching, forward-only XIncludingReader class found in the Mvp.Xml.XInclude namespace.
The Mvp.Xml XInclude.NET module is the successor of the XInclude.NET library. Find more on the XInclude.NET module home page.

The XPointer.NET module provides an implementation of the XPointer Framework Recommendation written in C# for the .NET platform. XPointer.NET supports the XPointer element() Scheme, XPointer xmlns() Scheme, XPointer xpath1() Scheme and XPointer xpointer() Scheme (XPath subset only). XPointer.NET was designed and implemented for the XInclude.NET module, but it can be used on its own.

All Mvp.Xml library classes have been thoroughly tested under Microsoft .NET 1.0 and 1.1 on Windows 2000 and Windows Server 2003. The XInclude.NET module has been tested against the XML Inclusions (XInclude) Version 1.0, W3C Conformance Test Suite (2004-11-03).

You can download Mvp.Xml v1.0 release (binary or with sources) here.

How to get support. There are several ways to get support on using Mvp.Xml project's classes:

  1. Online documentation.
  2. Mailing list: mvp-xml-help (general discussion list for Mvp.Xml users), (online archive).
  3. Tracker: Bugs.
  4. Tracker: Feature Requests.
  5. Browse CVS repository online.
  6. Online API documentation.

The Mvp.Xml library is subject to the Common Public License.

Any comments, bug reports or feature requests are appreciated. Enjoy!

January 3, 2005

Open-source license woes with using NAnt

We've been planning to use NAnt in our product for running customizable scripts and almost convinced our boss to go for it (IBM's WebSphere server, where all server automation is implemented via Ant, is a good argument here). But unfortunately we've found out that Ant and NAnt have different licenses. Ant ...

That's too bad. I mean, if Ant is using one open source license and happens to be so immensely successful in the Java world, why is its .NET version released under a different and more restrictive open source license? That makes very little sense to me.

There is something in the NAnt license that looks like an attempt to work around the issue:

In addition, as a special exception, Gerry Shaw gives permission to link the code of this program with the Microsoft .NET library (or with modified versions of Microsoft .NET library that use the same license as the Microsoft .NET library), and distribute linked combinations including the two. You must obey the GNU General Public License in all respects for all of the code used other than the Microsoft .NET library. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so. If you do not wish to do so, delete this exception statement from your version.

Can somebody clarify that? I mean, is it ok to use NAnt and distribute its DLLs as part of a non-open-source product? (We don't plan to modify the NAnt sources, of course.)

January 1, 2005

Certification fun

I was doing my annual paper cleaning back in the Hanukkah/X-mas days and found a voucher for one discounted Microsoft Certified Professional exam, which I had completely forgotten about and which was about to expire on December 31. So I decided to give it a try. I chose the 70-315 exam (Web apps ...

It was cool. Well, actually it was hot, I mean the weather. It was, I believe, about +30°C that day in the Tel-Aviv area and I still haven't got used to such New Year weather. The exam went ok, I passed with a score of 905 out of 1000, which is apparently not bad. I know I failed several freaking DataSet-related questions, but the rest were pretty easy.

So now I'm an MCP in addition to being an MVP, funny acronyms. I'm kinda new to this stuff and have no idea what the value of that is. Actually I'm pretty skeptical about certification in software development, but I don't think I could have passed the exam with no hands-on experience in ASP.NET; the questions weren't theoretical at all.

Oh, and happy New Year (or happy New Civil Year as it's called here down in Israel)!