Chapter 4. Using Query Strings, Form Fields, Events, and Browser Information
Input arrives into your Web application from various sources. Chapter 3 discussed how you should treat input, why input should be considered untrustworthy by default, how you can validate it, and how you can output it safely. This chapter introduces some of the ways input can arrive, the vulnerabilities each of these vectors is susceptible to, and how you can mitigate them.
In this chapter, you will learn about the following:
How to pass input via query strings
How to use hidden form fields
How forms can be hijacked
How the ASP.NET event model works
How to avoid common mistakes with browser information
USING THE RIGHT INPUT TYPE
HTTP allows input into your application in the following four ways:
The query string
Form fields
HTTP headers
Cookies
The base class for ASP.NET pages, Page, contains a property, Request, of type HttpRequest. When your Page class is created by ASP.NET, you have access to the Request property. It is initialized and contains the various inputs sent as part of the page request, as well as other information provided by the ASP.NET run-time (such as the identity of the user, whether the page has been requested over SSL, and so on). The Page class also contains a Response property that allows you to manipulate the response being sent when your page has finished processing.
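The following code-behind is an added example, not from the book, showing a Web Forms page reading each of the four input channels through Page.Request, treating every value as untrusted (allow-list validation, then encoding on output) and using Page.Response to write the result and re-issue a cookie. The page class name InputDemo, the parameter names (name, colour, visits) and the allow-list pattern are assumptions made for this illustration.

```csharp
// Added example (not from the book): reads the four HTTP input channels via
// Page.Request, validates them, and writes them back only after HTML encoding.
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

public partial class InputDemo : Page   // hypothetical page for this example
{
    // Allow-list: letters, digits, space and hyphen only; 1 to 40 characters.
    private static readonly Regex SafeText = new Regex(@"^[A-Za-z0-9 \-]{1,40}$");

    // Returns the raw value only if it passes the allow-list, else a safe fallback.
    private static string Validated(string raw, string fallback)
    {
        return (raw != null && SafeText.IsMatch(raw)) ? raw : fallback;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Query string, e.g. InputDemo.aspx?name=Alice
        string name = Validated(Request.QueryString["name"], "anonymous");

        // 2. Form field posted by an <input name="colour"> on the page.
        string colour = Validated(Request.Form["colour"], "none");

        // 3. HTTP header: set entirely by the client, so equally untrusted.
        string agent = Request.Headers["User-Agent"] ?? "";

        // 4. Cookie: also client-controlled; absent cookie yields null.
        HttpCookie visits = Request.Cookies["visits"];
        int count;
        if (visits == null || !int.TryParse(visits.Value, out count) || count < 0)
            count = 0;

        // Run-time information exposed alongside the inputs (see text above).
        bool overSsl = Request.IsSecureConnection;
        string user = User.Identity.IsAuthenticated ? User.Identity.Name : "(not logged in)";

        // Re-issue the counter cookie through Response; mark it HttpOnly.
        Response.Cookies.Add(new HttpCookie("visits", (count + 1).ToString())
                             { HttpOnly = true, Secure = overSsl });

        // Encode every value before it reaches the response body.
        Response.Write("<p>Hello, " + HttpUtility.HtmlEncode(name) + "</p>");
        Response.Write("<p>Colour: " + HttpUtility.HtmlEncode(colour) + "</p>");
        Response.Write("<p>Agent: " + HttpUtility.HtmlEncode(agent) + "</p>");
        Response.Write("<p>Visit " + (count + 1) + " by " + HttpUtility.HtmlEncode(user)
                       + (overSsl ? " over SSL" : " over plain HTTP") + "</p>");
    }
}
```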
QUERY STRINGS
A query string is the part of a URL that contains data to be passed to a Web application as part of a request. ...