There was a great article on MSDN a while back (years at this point) that showed the creation of a SOAP extension that would verify incoming requests against a schema, something .NET does not support out of the box (even in 2.0). Additionally there was quasi support for [http://www.schematron.com/ schematron] via Assert attributes. This allows for a very powerful input validation of web services.

This is a project to provide continued support for this extension. There have been some updates to the original code, including moving to the .NET Framework v2.0.

The original article is available [http://msdn.microsoft.com/msdnmag/issues/03/07/XMLSchemaValidation/ here].

== Performance Penalties ==

To add in XML schema validation we must parse the soap packet ourselves. This of course will incur an additional performance hit outside of simply turning on validation. Unfortunately there is no method (that I'm aware of) to enable schema validation in .NET currently.

== Downloading ==

[http://phed.org/files/SoapValidation-0.5.msi SoapValidation-0.5.msi] - Assembly, documentation, samples

[http://phed.org/files/SoapValidation-0.5-src.zip SoapValidation-0.5-src.zip] - Source, documentation, samples

== Installation ==

Download the installer and run. Easy :)

== Reporting Bugs ==

Report bugs to Michael Eddington @ meddington@phed.org.

== Use ==

Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later.

=== Methods of Use ===

There are two methods for using the validator. First you can force all web methods to be validated using the web.config file. Second you can mark methods using [Validation] attribute.

<h3>Attributes</h3>
[Validation]
Mark web method for validation against schemas
[ValidationSchemaFolder(string relativeFolder)]

Used to add folders that contain schemas to load and cache.  This attribute is only valid for classes.  The relativeFolder parameter is relative to the vroot.
<ul>
<li>relativeFolder -- Folder of schemas to load and cache.  Relative to the virtual root (vroot).</li></ul>
[ValidationSchema(string schemaFile)]

Used to add schema files to load and cache.  This attribute is only valid for classes.  The schemaFile parameter is relative to the vroot.
<ul>
<li>schemaFile -- Schema file to load.  Relative to the virtual root (vroot).</li></ul>
[Assert(string rule)] [Assert(string rule, string description)]

Used to add an XPath validation expression to a web method.  The XPath expression must evaluate to true.
<ul>
<li>rule -- XPath validation expression.  Must evaluate to true.
<li>description -- [optional] Description of assertion rule.</li></ul>
[AssertNamespaceBinding(string prefix, string ns)]

Specifies namespace bindings used by assert xpath's.
<ul>
<li>prefix -- namespace prefix
<li>ns -- namespace to map to</li></ul>
<hr>

<h3>Web.config Changes</h3>
First two extensions must be registered by adding the following inside of the <webServices> node:


<pre><soapExtensionReflectorTypes>
<add type="SoapValidation.ValidationExtensionReflector, SoapValidation"/>
</soapExtensionReflectorTypes>
<serviceDescriptionFormatExtensionTypes>
<add type="SoapValidation.ValidationFormatExtension, SoapValidation"/>
</serviceDescriptionFormatExtensionTypes>
</pre>
Next, POST and GET protocols must be disabled by adding the following inside of the <webServices> node:<pre><protocols>

<remove name="HttpPost" />
<remove name="HttpGet" />
</protocols>
</pre>
Finally, if you want to force all web methods to be validated with out using the [Validation] attribute add the following inside of the <webServices> node:<pre><soapExtensionTypes>
<add type="SoapValidation.ValidationExtension, SoapValidation" priority="1" group="0" />

</soapExtensionTypes>
</pre>
<hr>

<h3>Using Validation</h3>
Here is a basic example that will cause validation to be run:<pre>[WebService(Namespace="<a href="http://example.org/geometry")]public">http://example.org/geometry")]
public</a> class SimpleTests : System.Web.Services.WebService
{
[WebMethod]
[Validation]
public double CalcArea2(double length, double width)
{
return length * width;
}
}</pre>
<hr>

<h3>Using Assertions</h3>

Here is an example of using assertions to verify business rules in a way schema's fall short.<pre>[AssertNamespaceBinding("t", "<a href="http://example.org/geometry")]">http://example.org/geometry")]</a>
[WebService(Namespace="<a href="http://example.org/geometry")]">http://example.org/geometry")]</a>
public class SimpleTests : System.Web.Services.WebService
{
[WebMethod]
[Validation]
[Assert("(//t:length * //t:width) > 100", "Area must be greater than 100")]
[Assert("(//t:length div //t:width) = 2", "Length must be exactly twice width")]
public double CalcArea2(double length, double width)
{
return length * width;
}
}
</pre>
 

[[Category:OWASP .NET Project]]

.NET Web Service Validation

2006-11-20T03:57:37Z

Meddington:

.NET Web Service Validation

2006-11-20T03:18:31Z

Meddington:

2006-11-11T00:48:24Z

Meddington: /* Download */

== Overview ==

Web applications face any number of threats; one of them is cross-site scripting and related injection attacks. 90% of all web applications contain cross-site scripting attacks because they are easy to introduce, and the proper tools are not always available to prevent them. There is no good single library that provides all the functions required by developers to incorporate a fix into there code that will stand up to the test of time and continual research in the field. The Reform library attempts to provide a solid set of functions for encoding output for the most common context targets in web applications (e.g. HTML, XML, JavaScript, etc). The library also takes a conservative view of what are allowable characters based on historical vulnerabilities, and current injection techniques.

== Goals ==

* Provide tools needed by developers to mitigate canonicalization issues in web technologies.
* Provide a solution that will not need to be patched (no security patches since release in 2004, private implementations in use since 2002).

== Download ==

The most recent released version of Reform can be downloaded from [http://sourceforge.net/project/showfiles.php?group_id=149309].

The latest code is also now being maintained in a Google Code repository [http://code.google.com/p/reform/]

== Features ==

* Unicode support
* Context specific functions (HTML, XML, JavaScript, etc)
* Many supported languages
** Java
** .NET v1/v2
** PHP
** Python
** Perl
** JavaScript
* Support for AJAX
* Conservative approach
* Solves all current XSS techniques

== Future Development ==

* Ruby support
* Java framework support
* LDAP encoding functions
* Add documentation on resolving XPath issues

== News ==

'''OWASP Encoding Project Adopts Reform - 10:01, 8 November 2006 (EST)'''

OWASP is adopting the Reform Encoding Library as an OWASP project. We are currently in the process of moving over the source, downloads, and documentation.

'''OWASP Encoding Project Created! - 10:01, 8 November 2006 (EST)'''

The Open Web Application Security Project is proud to announce the OWASP Encoding Project!

== Feedback and Participation: ==

We hope you find the OWASP Encoding Project useful. Please contribute to the Project by volunteering for one of the tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Encoding Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-encoding subscription page.]

== Project Contributors ==

Michael Eddington

== Project Sponsor ==

[http://leviathansecurity.com Leviathan Security Group, Inc.]

[[Category:OWASP Project]]

Category:OWASP Encoding Project

2006-11-09T02:02:19Z

Meddington: /* Download */

== Overview ==

Web applications face any number of threats; one of them is cross-site scripting and related injection attacks. 90% of all web applications contain cross-site scripting attacks because they are easy to introduce, and the proper tools are not always available to prevent them. There is no good single library that provides all the functions required by developers to incorporate a fix into there code that will stand up to the test of time and continual research in the field. The Reform library attempts to provide a solid set of functions for encoding output for the most common context targets in web applications (e.g. HTML, XML, JavaScript, etc). The library also takes a conservative view of what are allowable characters based on historical vulnerabilities, and current injection techniques.

== Goals ==

* Provide tools needed by developers to mitigate canonicalization issues in web technologies.
* Provide a solution that will not need to be patched (no security patches since release in 2004, private implementations in use since 2002).

== Download ==

The most recent released version of Reform can be downloaded from [http://sourceforge.net/project/showfiles.php?group_id=149309].

The latest code is also now being maintained in a Google Code repository [http://code.google.com/p/reform/] (well, we are moving things over. check out sf.net for now)

== Features ==

* Unicode support
* Context specific functions (HTML, XML, JavaScript, etc)
* Many supported languages
** Java
** .NET v1/v2
** PHP
** Python
** Perl
** JavaScript
* Support for AJAX
* Conservative approach
* Solves all current XSS techniques

== Future Development ==

* Ruby support
* Java framework support
* LDAP encoding functions
* Add documentation on resolving XPath issues

== News ==

'''OWASP Encoding Project Adopts Reform - 10:01, 8 November 2006 (EST)'''

OWASP is adopting the Reform Encoding Library as an OWASP project. We are currently in the process of moving over the source, downloads, and documentation.

'''OWASP Encoding Project Created! - 10:01, 8 November 2006 (EST)'''

The Open Web Application Security Project is proud to announce the OWASP Encoding Project!

== Feedback and Participation: ==

We hope you find the OWASP Encoding Project useful. Please contribute to the Project by volunteering for one of the tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Encoding Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-encoding subscription page.]

== Project Contributors ==

Michael Eddington

== Project Sponsor ==

[http://leviathansecurity.com Leviathan Security Group, Inc.]

[[Category:OWASP Project]]

Category:OWASP Encoding Project

2006-11-09T01:58:58Z

Meddington:

== Overview ==

Web applications face any number of threats; one of them is cross-site scripting and related injection attacks. 90% of all web applications contain cross-site scripting attacks because they are easy to introduce, and the proper tools are not always available to prevent them. There is no good single library that provides all the functions required by developers to incorporate a fix into there code that will stand up to the test of time and continual research in the field. The Reform library attempts to provide a solid set of functions for encoding output for the most common context targets in web applications (e.g. HTML, XML, JavaScript, etc). The library also takes a conservative view of what are allowable characters based on historical vulnerabilities, and current injection techniques.

== Goals ==

* Provide tools needed by developers to mitigate canonicalization issues in web technologies.
* Provide a solution that will not need to be patched (no security patches since release in 2004, private implementations in use since 2002).

== Download ==

The most recent released version of Reform can be downloaded from [http://sourceforge.net/project/showfiles.php?group_id=149309].

The latest code is also now being maintained in a Google Code repository [http://code.google.com/p/reform/]

== Features ==

* Unicode support
* Context specific functions (HTML, XML, JavaScript, etc)
* Many supported languages
** Java
** .NET v1/v2
** PHP
** Python
** Perl
** JavaScript
* Support for AJAX
* Conservative approach
* Solves all current XSS techniques

== Future Development ==

* Ruby support
* Java framework support
* LDAP encoding functions
* Add documentation on resolving XPath issues

== News ==

'''OWASP Encoding Project Adopts Reform - 10:01, 8 November 2006 (EST)'''

OWASP is adopting the Reform Encoding Library as an OWASP project. We are currently in the process of moving over the source, downloads, and documentation.

'''OWASP Encoding Project Created! - 10:01, 8 November 2006 (EST)'''

The Open Web Application Security Project is proud to announce the OWASP Encoding Project!

== Feedback and Participation: ==

We hope you find the OWASP Encoding Project useful. Please contribute to the Project by volunteering for one of the tasks, sending your comments, questions, and suggestions to owasp@owasp.org. To join the OWASP Encoding Project mailing list or view the archives, please visit the [http://lists.owasp.org/mailman/listinfo/owasp-encoding subscription page.]

== Project Contributors ==

Michael Eddington

== Project Sponsor ==

[http://leviathansecurity.com Leviathan Security Group, Inc.]

[[Category:OWASP Project]]