This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of ".NET Web Service Validation"
Meddington (talk | contribs) (→.NET Web Service Validation) |
(Reverting to last version not containing links to www.textcococri.com) |
||
(9 intermediate revisions by 3 users not shown) | |||
Line 11: | Line 11: | ||
== Downloading == | == Downloading == | ||
− | [http:// | + | [http://canoodle.googlecode.com/files/SoapValidation-0.5.msi SoapValidation-0.5.msi] - Assembly, documentation, samples |
− | [http:// | + | [http://canoodle.googlecode.com/files/SoapValidation-0.5-src.zip SoapValidation-0.5-src.zip] - Source, documentation, samples |
+ | |||
+ | The latest code is now being maintained in a [http://code.google.com/p/canoodle/ Google Code repository]. | ||
== Installation == | == Installation == | ||
Line 19: | Line 21: | ||
Download the installer and run. Easy :) | Download the installer and run. Easy :) | ||
− | == | + | == Reporting Bugs == |
− | + | Report bugs to Michael Eddington @ meddington@phed.org. | |
== Use == | == Use == | ||
Line 27: | Line 29: | ||
Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later. | Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later. | ||
− | == | + | === Methods of Use === |
+ | |||
+ | There are two methods for using the validator. First you can force all web methods to be validated using the web.config file. Second you can mark methods using [Validation] attribute. | ||
+ | |||
+ | <h3>Attributes</h3> | ||
+ | <p>[<strong>Validation</strong>]</p> | ||
+ | <p>Mark web method for validation against schemas</p> | ||
+ | <p>[<strong>ValidationSchemaFolder</strong>(string relativeFolder)]</p> | ||
+ | |||
+ | <p>Used to add folders that contain schemas to load and cache. This attribute is only valid for classes. The relativeFolder parameter is relative to the vroot.</p> | ||
+ | <ul> | ||
+ | <li><em>relativeFolder</em> -- Folder of schemas to load and cache. Relative to the virtual root (vroot).</li></ul> | ||
+ | <p>[<strong>ValidationSchema</strong>(string schemaFile)]</p> | ||
+ | |||
+ | <p>Used to add schema files to load and cache. This attribute is only valid for classes. The schemaFile parameter is relative to the vroot.</p> | ||
+ | <ul> | ||
+ | <li><em>schemaFile</em> -- Schema file to load. Relative to the virtual root (vroot).</li></ul> | ||
+ | <p>[<strong>Assert</strong>(string rule)]<br>[<strong>Assert</strong>(string rule, string description)]</p> | ||
+ | |||
+ | <p>Used to add an XPath validation expression to a web method. The XPath expression must evaluate to true.</p> | ||
+ | <ul> | ||
+ | <li><em>rule</em> -- XPath validation expression. Must evaluate to true. | ||
+ | <li><em>description</em> -- [optional] Description of assertion rule.</li></ul> | ||
+ | <p>[<strong>AssertNamespaceBinding</strong>(string prefix, string ns)]</p> | ||
+ | |||
+ | <p>Specifies namespace bindings used by assert xpath's.</p> | ||
+ | <ul> | ||
+ | <li><em>prefix</em> -- namespace prefix | ||
+ | <li><em>ns</em> -- namespace to map to</li></ul> | ||
+ | <hr> | ||
+ | |||
+ | <h3>Web.config Changes</h3> | ||
+ | <p>First two extensions must be registered by adding the following inside of the <webServices> node:</p> | ||
+ | |||
+ | <p></p> | ||
+ | <p></p><pre><soapExtensionReflectorTypes> | ||
+ | <add type="SoapValidation.ValidationExtensionReflector, SoapValidation"/> | ||
+ | </soapExtensionReflectorTypes> | ||
+ | <serviceDescriptionFormatExtensionTypes> | ||
+ | <add type="SoapValidation.ValidationFormatExtension, SoapValidation"/> | ||
+ | </serviceDescriptionFormatExtensionTypes> | ||
+ | </pre> | ||
+ | <p>Next, POST and GET protocols must be disabled by adding the following inside of the <webServices> node:</p><pre><protocols> | ||
+ | |||
+ | <remove name="HttpPost" /> | ||
+ | <remove name="HttpGet" /> | ||
+ | </protocols> | ||
+ | </pre> | ||
+ | <p>Finally, if you want to force all web methods to be validated with out using the [Validation] attribute add the following inside of the <webServices> node:</p><pre><soapExtensionTypes> | ||
+ | <add type="SoapValidation.ValidationExtension, SoapValidation" priority="1" group="0" /> | ||
+ | |||
+ | </soapExtensionTypes> | ||
+ | </pre> | ||
+ | <hr> | ||
+ | |||
+ | <h3>Using Validation</h3> | ||
+ | <p>Here is a basic example that will cause validation to be run:</p><pre>[WebService(Namespace="<a href="http://example.org/geometry")]public">http://example.org/geometry")] | ||
+ | public</a> class SimpleTests : System.Web.Services.WebService | ||
+ | { | ||
+ | [WebMethod] | ||
+ | [Validation] | ||
+ | public double CalcArea2(double length, double width) | ||
+ | { | ||
+ | return length * width; | ||
+ | } | ||
+ | }</pre> | ||
+ | <hr> | ||
+ | |||
+ | <h3>Using Assertions</h3> | ||
+ | |||
+ | <p>Here is an example of using assertions to verify business rules in a way schema's fall short.</p><pre>[AssertNamespaceBinding("t", "<a href="http://example.org/geometry")]">http://example.org/geometry")]</a> | ||
+ | [WebService(Namespace="<a href="http://example.org/geometry")]">http://example.org/geometry")]</a> | ||
+ | public class SimpleTests : System.Web.Services.WebService | ||
+ | { | ||
+ | [WebMethod] | ||
+ | [Validation] | ||
+ | [Assert("(//t:length * //t:width) > 100", "Area must be greater than 100")] | ||
+ | [Assert("(//t:length div //t:width) = 2", "Length must be exactly twice width")] | ||
+ | public double CalcArea2(double length, double width) | ||
+ | { | ||
+ | return length * width; | ||
+ | } | ||
+ | } | ||
+ | </pre> | ||
+ | <p> </p> | ||
+ | |||
+ | == Project Contributors == | ||
+ | |||
+ | [http://phed.org Michael Eddington] | ||
+ | |||
+ | == Project Sponsor == | ||
+ | |||
+ | [http://leviathansecurity.com Leviathan Security Group, Inc.] | ||
− | + | [[Category:OWASP .NET Project]] | |
+ | [[Category:OWASP Download]] | ||
+ | [[Category:OWASP Tool]] | ||
+ | [[Category:OWASP Validation Project]] |
Latest revision as of 18:28, 27 May 2009
There was a great article on MSDN a while back (years at this point) that showed the creation of a SOAP extension that would verify incoming requests against a schema, something .NET does not support out of the box (even in 2.0). Additionally there was quasi support for schematron via Assert attributes. This allows for a very powerful input validation of web services.
This is a project to provide continued support for this extension. There have been some updates to the original code, including moving to the .NET Framework v2.0.
The original article is available here.
Performance Penalties
To add in XML schema validation we must parse the soap packet ourselves. This of course will incur an additional performance hit outside of simply turning on validation. Unfortunately there is no method (that I'm aware of) to enable schema validation in .NET currently.
Downloading
SoapValidation-0.5.msi - Assembly, documentation, samples
SoapValidation-0.5-src.zip - Source, documentation, samples
The latest code is now being maintained in a Google Code repository.
Installation
Download the installer and run. Easy :)
Reporting Bugs
Report bugs to Michael Eddington @ [email protected].
Use
Add a reference to SoapValidator.dll from your web service project. Modify your web.config to include the required settings and add attributes to classes and/or methods. See examples later.
Methods of Use
There are two methods for using the validator. First you can force all web methods to be validated using the web.config file. Second you can mark methods using [Validation] attribute.
Attributes
[Validation]
Mark web method for validation against schemas
[ValidationSchemaFolder(string relativeFolder)]
Used to add folders that contain schemas to load and cache. This attribute is only valid for classes. The relativeFolder parameter is relative to the vroot.
- relativeFolder -- Folder of schemas to load and cache. Relative to the virtual root (vroot).
[ValidationSchema(string schemaFile)]
Used to add schema files to load and cache. This attribute is only valid for classes. The schemaFile parameter is relative to the vroot.
- schemaFile -- Schema file to load. Relative to the virtual root (vroot).
[Assert(string rule)]
[Assert(string rule, string description)]
Used to add an XPath validation expression to a web method. The XPath expression must evaluate to true.
- rule -- XPath validation expression. Must evaluate to true.
- description -- [optional] Description of assertion rule.
[AssertNamespaceBinding(string prefix, string ns)]
Specifies namespace bindings used by assert xpath's.
- prefix -- namespace prefix
- ns -- namespace to map to
Web.config Changes
First two extensions must be registered by adding the following inside of the <webServices> node:
<soapExtensionReflectorTypes> <add type="SoapValidation.ValidationExtensionReflector, SoapValidation"/> </soapExtensionReflectorTypes> <serviceDescriptionFormatExtensionTypes> <add type="SoapValidation.ValidationFormatExtension, SoapValidation"/> </serviceDescriptionFormatExtensionTypes>
Next, POST and GET protocols must be disabled by adding the following inside of the <webServices> node:
<protocols> <remove name="HttpPost" /> <remove name="HttpGet" /> </protocols>
Finally, if you want to force all web methods to be validated with out using the [Validation] attribute add the following inside of the <webServices> node:
<soapExtensionTypes> <add type="SoapValidation.ValidationExtension, SoapValidation" priority="1" group="0" /> </soapExtensionTypes>
Using Validation
Here is a basic example that will cause validation to be run:
[WebService(Namespace="<a href="http://example.org/geometry")]public">http://example.org/geometry")] public</a> class SimpleTests : System.Web.Services.WebService { [WebMethod] [Validation] public double CalcArea2(double length, double width) { return length * width; } }
Using Assertions
Here is an example of using assertions to verify business rules in a way schema's fall short.
[AssertNamespaceBinding("t", "<a href="http://example.org/geometry")]">http://example.org/geometry")]</a> [WebService(Namespace="<a href="http://example.org/geometry")]">http://example.org/geometry")]</a> public class SimpleTests : System.Web.Services.WebService { [WebMethod] [Validation] [Assert("(//t:length * //t:width) > 100", "Area must be greater than 100")] [Assert("(//t:length div //t:width) = 2", "Length must be exactly twice width")] public double CalcArea2(double length, double width) { return length * width; } }