Validator.NET

User input remains the primary cause of vulnerabilities in most of the web applications. The process of screening the user entered input for malicious content is known as input validation. Input validation is a proactive step taken to avoid falling prey to commonly known vulnerabilities. Although the need for performing good input validation is fairly obvious to everyone in the field, not many people do a good job at the same.

The Validator.NET application was designed to enable developers to programmatically determine user input locations that could be potentially exploited by hackers and provides proactive steps to build data validation routines which are loaded into a protection module. The tool helps eliminate common vulnerabilities such as SQL Injection and Cross-Site Scripting.

The need for input validation originates from the premonition that all input is evil. Hackers and security professionals have managed to compromise the web applications time and again because the developers followed no strategy to defend their web applications. In a race to check for malicious content the developers always were left behind because the hackers managed to encode their malicious content in innocuous looking input.

Writing code to check for every input field was often taxing, inefficient, incomplete and not through. For the same reasons Microsoft provided extensive validation framework in ASP.NET. The aim was to help developers perform data validation routines faster and in a more efficient manner. Even with the presence of these validators, data validations techniques are no where near acceptable level.

Lack of security awareness among developers is part of the reason for insufficient data validation techniques in most of the existing applications. The result is that we have many production environments which do not have acceptable data validation mechanisms. The cost of making code fixes in these applications is often very high and hence is not the most effective solution.

Buffer overflows, SQL inject, Cross-Site Scripting and Denial of service are just a few of the most common vulnerabilities caused by bad input validation techniques.

If proper data validations techniques are not implemented then there always exists the possibility of falling prey to one or more of the above mentioned vulnerabilities.

The need was to develop a cost effective input validation solution for the large number .NET of web application that do not have acceptable validation routines. The solution was required to have minimal code changes and should be completely configurable to tailor the needs of every web application. Considering the problems at hand, Foundstone devised the Validator.NET tool.