I have some web services (.asmx) which were developed long back; now an IBM tool is crawling our web services to look for any security breaches.

How were my services created?

-> There is no validation logic implemented for any of the web methods.

-> Web methods are expecting good values, so no security check implementation is present.

How the IBM tool is processing

-> When the tool injects some random value into a method parameter, it throws a 500 status code.

-> My work here is to show some generic message (e.g. "Error occurred") rather than throwing a 500.

Approach

-> I have to create a validation class which will contain all the validation logic and will restrict malicious data from being entered into the code.

-> I have to go to every method to do the parameter validation and need to send a validation error message if any validation failure occurred.

Does anyone have any idea how I can validate the methods so that I need not go to every method, or is this the approach I am supposed to follow?

Note: the parameter data validation pattern may vary depending upon the requirement; e.g. if we have 2 string parameters, we can't validate them using one logic; they might have different rules for accepting data from the UI side.

Any idea or suggestion how to achieve this?

What I have tried:

I have created a library which can validate all the parameters, but we have to call the validation library methods in each web method. Is there any way we can achieve this globally?
Updated 14-Mar-17 16:16pm
Comments
F-ES Sitecore 14-Mar-17 12:25pm
What's the problem with returning a 500 status code? How else will calling apps know the method has failed?
ZurdoDev 14-Mar-17 12:34pm
I'm not sure it's as straightforward as you say. The 500 error is happening before your webservice code even executes, so putting the validation into those methods won't do anything.
Prafulla Sahu 14-Mar-17 12:53pm
Thanks for your replies, but the security team is suggesting to check for validations; if it is failing, then show some generic message instead of the 500 error. Banging my head how to implement this.

A 5xx error indicates a major failure on the server side - not a good thing.

On top of what the tool is indicating, a 5xx error will also affect your search ranking if the pages are being crawled.

If you have the list of URLs for which the tool is reporting the above-mentioned 5xx errors, you have a reference to where in the code you need to look. It is then just a matter of loading up the code in your IDE and setting breakpoints at those specific places in your code to see what is actually happening. Once you understand why, you can add code to be more bulletproof and provide more meaningful responses.

Here is a list of HTTP status codes and their meanings: HTTP Status Codes - restapitutorial
That's a very standard vulnerability scan. Your application needs to hide not only the HTTP error code 500 but also 404 and 403 from the adversary (in other words, always display 200 OK). A 404 error happens when the crawler tries to navigate to a page that does not exist (http://yourservice.com/ninja.asmx). 403 is when the crawler tries to list the contents of a folder (ex: http://yourservice.com/images). If you fix the 500 error, the next scan might come back with 403 or 404. Fix all of them at once to avoid back and forth with the security team. By the way, besides hiding the error, you might also need to think about how to log those errors for administrative review in the future. It could be another red flag if you don't have this control in place.

Ok, for the http errors:

1. Make sure the application is redirecting all errors to a generic error page; we don't want our nosy adversary to know what was broken.
Example:
XML
<system.web>
    <customErrors mode="On" defaultRedirect="~/Error.html" />
</system.web>

2. Configure custom error pages in IIS; this will tell IIS to display a custom error page. For example, if someone enters the URL http://yourservice.com/ninja.php, that is outside the application's jurisdiction, and IIS has to decide what to do with it. If IIS returns a 404, then the adversary will know that IIS does not support PHP, etc.
You can configure it through IIS or copy and paste this into the web.config:
XML
<system.webServer>
    <httpErrors errorMode="Custom">
        <remove statusCode="500" subStatusCode="-1" />
        <remove statusCode="404" subStatusCode="-1" />
        <remove statusCode="403" subStatusCode="-1" />
        <remove statusCode="401" subStatusCode="-1" />
        <error statusCode="401" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
        <error statusCode="403" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
        <error statusCode="404" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
        <error statusCode="500" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
    </httpErrors>
</system.webServer>

3. Turn off debug mode (keep the stack traces, etc. to yourself); if not, the IBM tool will trigger another flag.
XML
<system.web>
    <compilation debug="false" />
</system.web>

4. Test, test, test before letting the other team re-scan/re-run the IBM tool.

Please read...
HTTP Errors <httpErrors> : The Official Microsoft IIS Site

<customErrors> Element

HTTP Error 404 in ASP.NET web application

How To Set Up Custom Error Pages In IIS 7.5 With ASP.NET
 
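The centralised check the question asks for (validate every web method's parameters in one place instead of calling a library from each method) and the "generic message to the caller, detail in the server log" advice in the answer above can both be done for ASMX with a SoapExtension, which the ASMX pipeline runs for every SOAP call before the web method body executes. The code below is an added example written for this page, not code from the original question or answers; the ValidateString attribute, InputValidationExtension and OrderService names are my own, and it assumes .NET Framework 4.5 or later (for the Regex match-timeout overload) and that the extension is registered in web.config under system.web/webServices/soapExtensionTypes. Two caveats a practitioner should know: a SoapException is still delivered as a SOAP 1.1 fault, which the specification sends with HTTP status 500, so this controls the message content rather than the status code; and a SoapExtension only sees SOAP requests, so if the HttpGet/HttpPost protocol bindings of the service are enabled they bypass it and should be removed under webServices/protocols or validated separately.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Reflection;
using System.Text.RegularExpressions;
using System.Web.Services;
using System.Web.Services.Protocols;

// Hypothetical per-parameter rule (not part of ASMX). Each string parameter carries its
// own pattern and length limit, which covers the "two strings, two rules" note in the question.
[AttributeUsage(AttributeTargets.Parameter, AllowMultiple = false)]
public sealed class ValidateStringAttribute : Attribute
{
    public string Pattern { get; private set; }
    public int MaxLength { get; private set; }

    public ValidateStringAttribute(string pattern, int maxLength)
    {
        Pattern = pattern;
        MaxLength = maxLength;
    }
}

// Pure rule check, kept separate so it can be unit-tested without the ASMX pipeline.
public static class StringRule
{
    // Returns null when the value passes, otherwise a short reason (server-side detail only).
    public static string Check(string parameterName, string value, ValidateStringAttribute rule)
    {
        if (value == null) return parameterName + ": missing";
        // Length is checked first so the regex never runs over an oversized input.
        if (value.Length > rule.MaxLength) return parameterName + ": longer than " + rule.MaxLength;
        // Anchored pattern plus a match timeout, so hostile input cannot turn the check into ReDoS.
        if (!Regex.IsMatch(value, rule.Pattern, RegexOptions.None, TimeSpan.FromMilliseconds(200)))
            return parameterName + ": does not match " + rule.Pattern;
        return null;
    }
}

// Registered once in web.config; runs for every SOAP request to every web method,
// so no individual method needs its own validation call.
public class InputValidationExtension : SoapExtension
{
    public override object GetInitializer(Type serviceType) { return null; }
    public override object GetInitializer(LogicalMethodInfo methodInfo, SoapExtensionAttribute attribute) { return null; }
    public override void Initialize(object initializer) { }

    public override void ProcessMessage(SoapMessage message)
    {
        // Incoming parameters are only readable once the request body has been deserialised.
        if (message.Stage != SoapMessageStage.AfterDeserialize) return;

        ParameterInfo[] parameters = message.MethodInfo.InParameters;
        List<string> failures = new List<string>();
        for (int i = 0; i < parameters.Length; i++)
        {
            ValidateStringAttribute rule = (ValidateStringAttribute)
                Attribute.GetCustomAttribute(parameters[i], typeof(ValidateStringAttribute));
            if (rule == null) continue; // unannotated parameters are left to the method itself
            string failure = StringRule.Check(parameters[i].Name, message.GetInParameterValue(i) as string, rule);
            if (failure != null) failures.Add(failure);
        }
        if (failures.Count == 0) return;

        // The detail stays on the server for administrative review; the caller only
        // receives the generic fault string, so nothing about the rules or input leaks.
        Trace.TraceWarning("Rejected call to {0}: {1}", message.MethodInfo.Name, string.Join("; ", failures.ToArray()));
        throw new SoapException("Error occurred", SoapException.ClientFaultCode);
    }
}

// Hypothetical service showing two string parameters with different rules on one method.
[WebService(Namespace = "http://example.org/orders")]
public class OrderService : WebService
{
    [WebMethod]
    public string GetOrder(
        [ValidateString(@"^[0-9]{1,10}$", 10)] string orderId,
        [ValidateString(@"^[A-Za-z][A-Za-z0-9 ._-]{0,63}$", 64)] string customerName)
    {
        // Only reached when both parameters passed the extension's checks.
        return "order " + orderId + " for " + customerName;
    }
}
```

To enable it for the whole application, add an `<add type="InputValidationExtension, YourAssemblyName" priority="1" group="0" />` entry under `<system.web><webServices><soapExtensionTypes>` in web.config (assembly name is yours to fill in). A request such as `GetOrder(orderId: "12; DROP TABLE", customerName: "Alice")` then never reaches the method body: the extension logs "orderId: does not match ^[0-9]{1,10}$" via Trace and the client receives a fault whose faultstring is only "Error occurred". Because StringRule.Check is a plain static method, the per-parameter rules can be unit-tested directly before the re-scan the answer recommends.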

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)