Exception setting Text on RadNumericTextBox

10 posts, 0 answers
  1. EET Group
    28 posts
    Member since:
    Aug 2007

    Posted 15 Feb 2010

    I am using the RadNumericTextBox (RNTB) for integer quantity input in an "add to basket" function in several places on my website.

    Lately however, I am being targeted by malicious post/injection attacks aimed at the RNTB control, causing it to throw the following exception: "Text property cannot be set. Input string was not in a correct format."

    The only data retrieval I am doing from the RNTB is via the DbValue property, as follows:

    short qty; 
    if (numQuantity.DbValue != null && Int16.TryParse(numQuantity.DbValue.ToString(), out qty)) 
        EET.Web.UserContext.Basket.Add(ItemId, qty); 

    At no point am I assigning values to the RNTB fields from dynamic code. Only an initial value of 1 is set programmatically on the control: Value="1" MinValue="1" MaxValue="65535"

    Attached (at end of post, since .txt attachments are not allowed) is a dump from my exception handler, detailing the malicious form data which are sent to my pages.

    I am very interested in handling this exception and ignoring it, as I suspect the current exception my pages are throwing is only encouraging the perpetrators to continue trying.

    Server IP: 10.10.20.112 
     
    Client IP: 200.96.49.4 
    Client UA: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) 
    Customer:  : INTERNET 
    User Id:   :  
    Database:  : WebshopFR 
     
    Page: /product.aspx?id=MBLY%2f2GB&path=Kingston-2GB-Mobility-Multi-Kit 
     
    1: Message: Text property cannot be set. Input string was not in a correct format. 
     
    1: Source: Telerik.Web.UI 
     
    1: Stack Trace: 
    1:    at Telerik.Web.UI.RadNumericTextBox.RangeTextProperty(String value) 
    1:    at Telerik.Web.UI.RadNumericTextBox.set_Text(String value) 
    1:    at Telerik.Web.UI.RadInputControl.LoadPostData(String postDataKey, NameValueCollection postCollection) 
    1:    at Telerik.Web.UI.RadWebControl.System.Web.UI.IPostBackDataHandler.LoadPostData(String postDataKey, NameValueCollection postCollection) 
    1:    at System.Web.UI.Page.ProcessPostData(NameValueCollection postData, Boolean fBeforeLoad) 
    1:    at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) 
     
    1: Target Site: System.String RangeTextProperty(System.String) 
     
    Form Data: 
    ctl00_ctl00_ScriptManager_HiddenField:                                                        
    __EVENTTARGET:                                                                                
    __EVENTARGUMENT:                                                                              
    __LASTFOCUS:                                                                                  
    __SCROLLPOSITIONX:                                                                           0 
    __SCROLLPOSITIONY:                                                                           0 
    ctl00$ctl00$loginBox$txtUsername:                                                            rglzfkej 
    ctl00$ctl00$loginBox$txtPassword:                                                            hivxcw 
    ctl00$ctl00$loginBox$chkRemember:                                                            on 
    ctl00$ctl00$txtSearch:                                                                       ref/PN ou mots clés ici 
    ctl00$ctl00$listLanguages:                                                                   fr-fr 
    ctl00_ctl00_PageContents_PageContents_itemDetails_repItem_ctl00_atb_numQuantity_text:        2rand[0,1,1] 
    ctl00$ctl00$PageContents$PageContents$itemDetails$repItem$ctl00$atb$numQuantity:             2rand[0,1,1] 
    ctl00_ctl00_PageContents_PageContents_itemDetails_repItem_ctl00_atb_numQuantity_ClientState:  
    ctl00_ctl00_PageContents_PageContents_tabsDetails_ClientState:                                
    ctl00_ctl00_PageContents_PageContents_itemList_tblProducts_ClientState:                       
    ctl00_ctl00_PageContents_PageContents_mpDetails_ClientState:                                  
    ctl00_ctl00_Menus_tree_ClientState:                                                           
    ctl00_ctl00_Menus_Right_repMostSold_ctl01_atb_numQuantity_text:                              61 
    ctl00$ctl00$Menus$Right$repMostSold$ctl01$atb$numQuantity:                                   1 
    ctl00_ctl00_Menus_Right_repMostSold_ctl01_atb_numQuantity_ClientState:                        
    ctl00$ctl00$Menus$Right$repMostSold$ctl01$atb$btnAddToBasket:                                 
    ctl00_ctl00_Menus_Right_repMostSold_ctl02_atb_numQuantity_text:                              4 
    ctl00$ctl00$Menus$Right$repMostSold$ctl02$atb$numQuantity:                                   6 
    ctl00_ctl00_Menus_Right_repMostSold_ctl02_atb_numQuantity_ClientState:                        
    ctl00_ctl00_Menus_Right_repMostSold_ctl03_atb_numQuantity_text:                              1 
    ctl00$ctl00$Menus$Right$repMostSold$ctl03$atb$numQuantity:                                   8 
    ctl00_ctl00_Menus_Right_repMostSold_ctl03_atb_numQuantity_ClientState:                        
    ctl00_ctl00_Menus_Right_repMostSold_ctl04_atb_numQuantity_text:                              13 
    ctl00$ctl00$Menus$Right$repMostSold$ctl04$atb$numQuantity:                                   85 
    ctl00_ctl00_Menus_Right_repMostSold_ctl04_atb_numQuantity_ClientState:                        

  2. Veli
    Admin
    2002 posts

    Posted 17 Feb 2010

    Hi Buffer,

    Here is the method that is failing in RadMaskedTextBox.cs:

    protected virtual String RangeTextProperty(String value)
    {
        if ((value != null) && (value != String.Empty))
        {
            double d;
            try
            {
                d = double.Parse(value, NumberFormatInfo.InvariantInfo);
            }
            catch (Exception e)
            {
                throw new InvalidCastException("Text property cannot be set. " + e.Message);
            }
            d = (MaxValue < d) ? MaxValue : d;
            d = (MinValue > d) ? MinValue : d;
            return d.ToString(NumberFormatInfo.InvariantInfo);
        }
        return null;
    }

    As you can see, if the text value coming from the post data cannot be parsed into the double type, the control throws the exception you are getting. As you can note, this method is virtual, so you can make a custom numeric textbox class by inheriting RadNumericTextBox and overriding this method to not throw an exception, or alternatively, do some other action against possible injection attacks.

    All the best,
    Veli
    the Telerik team

    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items.
  3. EET Group
    28 posts
    Member since:
    Aug 2007

    Posted 17 Feb 2010

    Ok, thank you for your reply. It's nice to know I have an option to stop this.

    But I still think it is kind of strange that I need to manually protect your controls from injection attacks in their internal methods. Is there some way in which I am using the control wrong? Or do I basically need to overload/customize all the Telerik controls to protect myself from stupid bots and script kiddies?

    Since all form values are clearly visible to all, I should think that misuse of this is a general concern. But if there is a more general way to protect myself against injection attacks on Telerik controls, I would really appreciate a hint on how to do this.
  4. Veli
    Admin
    2002 posts

    Posted 17 Feb 2010

    Hi Buffer,

    There is nothing really to protect. Note the method definition. The code will fail if the string value cannot be parsed into a double. I do not think this poses an injection vulnerability. Anything that cannot be parsed into a double value will cause an exception and there is no way any malicious code can be executed. Do you not agree?

    In your original post, you stated that you are interested in handling the exception and ignoring it. I am suggesting an approach just for that, i.e. overriding the method to handle the exception.

    Note that the best a custom server control validating user input can do is to disallow invalid input. This is what the exception does - it disallows anything but a valid double value. The most natural consequence of an attempt to assign invalid values is to throw an exception. This is what the control does.

    If you need to handle the scenarios, in which a user tries to submit invalid input, to not throw an exception but ignore the value, you will have to implement the logic manually.

    Regards,
    Veli
    the Telerik team

  5. EET Group
    28 posts
    Member since:
    Aug 2007

    Posted 17 Feb 2010

    I do not disagree, but I suggest a distinction between the scenario/behavior of the control when I am sending data to it, and when somebody just happens to insert post data, which the control "snaps up" without my having any say in it.

    Let me try to explain my point differently: if I am assigning Control.Text = [invalid value], the control should throw an exception, I agree.
    In this case however, I am not assigning anything to the control. The control auto-assigns/auto-reads values from post data, which I have not explicitly told it to do, i.e. through Control.Text.

    Perhaps I'm misunderstanding some fundamentals, but this problem does not happen with the standard ASP.NET controls - none of them are automatically assigned values (and then throwing exceptions) from random form data?

    I'm just trying to figure out the best practices here, and as I said - this particular Telerik control behaves very differently from any of the other controls I use (they don't break from these attacks), so therefore I am pursuing a solution with you.
  6. Veli
    Admin
    2002 posts

    Posted 17 Feb 2010

    Hello Buffer,

    I understand your point. Indeed, the control could suppress any exception it would usually throw and just refuse to set the value or execute the logic. However, if we think about the negative consequences of such behavior, they definitely outweigh the discomfort of an exception. You can imagine if all controls did not throw exceptions, but refused to set values. You would expect to have a value, when this value may not have actually been set. This is the very danger Exceptions are aimed to alleviate.

    In our case, the exception is thrown inside a property setter, so the control does not know if a postback value is being set, or one from code.

    Sincerely yours,
    Veli
    the Telerik team

  7. EET Group
    28 posts
    Member since:
    Aug 2007

    Posted 18 Feb 2010

    Hi Veli,

    Thank you for your answers. However, I don't feel that you have answered my core question:

    Why is the RNTB control trying to set the RangeTextProperty based on form input?

    I have EnableViewState=false so there is no reason that RNTB should be reading these post values in the first place - especially not for this property?
  8. Veli
    Admin
    2002 posts

    Posted 19 Feb 2010

    Hi Buffer,

    Note that even with disabled ViewState, RadNumericTextBox should be able to transfer data between the server and the changes. In this respect, I believe you would not expect all your client functionality to stop working if you just disable the control's ViewState. You would still need to be able to enter valid numeric input and expect the control to update its Text and Value properties accordingly on postback.

    The value of the Text property is read from the client state of the RadNumericTextBox and is not solely ViewState-dependent. It is parsed in the RangeTextProperty() method. Does this answer your question?

    Regards,
    Veli
    the Telerik team

  9. EET Group
    28 posts
    Member since:
    Aug 2007

    Posted 19 Feb 2010

    Yes, thank you. I now understand what is happening, and how to avoid it.

    However, I still feel that this is somehow a design problem. If I make a page that expects querystring parameters, it's generally pretty bad design if my page breaks when a bad string is entered in that querystring. In the same way I can't help but feel that it's bad design that the control breaks because it receives bad form data.

    But I understand your points, and this is not a suggestion to not use exceptions where appropriate. You know the design internals of your controls better than me, and if you tell me that it is best practice for this to happen, then I just need to work around this.

    Thanks for your answers.
  10. gert
    3 posts
    Member since:
    May 2011

    Posted 30 May 2011

    Hi,

    How did you manage to stop this exception from happening on postback data? I have lots of these exceptions I would like to handle.

    Regards
    Gert
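The override Veli describes in post 2, which is also the answer to Gert's question, written out as an added example (not Telerik's code and not from the original poster): a subclass of RadNumericTextBox whose RangeTextProperty() uses double.TryParse with the same invariant-culture rules as the base class, so tampered post data such as "2rand[0,1,1]" is reported for logging and ignored instead of failing the whole request. The class, namespace and InvalidInput event names are assumptions.

```csharp
using System;
using System.Globalization;
using Telerik.Web.UI;

namespace EET.Web.Controls   // assumed namespace, pick your own
{
    // Carries the rejected text so the page can log it (hypothetical type).
    public class InvalidNumericInputEventArgs : EventArgs
    {
        public string RejectedText { get; private set; }
        public InvalidNumericInputEventArgs(string rejectedText) { RejectedText = rejectedText; }
    }

    // Drop-in replacement for RadNumericTextBox that ignores unparsable post data
    // instead of letting LoadPostData fail with InvalidCastException.
    public class SafeNumericTextBox : RadNumericTextBox
    {
        // Raised once per rejected value; subscribe to feed your exception/abuse log.
        public event EventHandler<InvalidNumericInputEventArgs> InvalidInput;

        protected override string RangeTextProperty(string value)
        {
            if (string.IsNullOrEmpty(value))
                return null;   // same as the base implementation

            double parsed;
            // double.Parse(value, InvariantInfo) in the base class accepts
            // NumberStyles.Float | AllowThousands, so mirror that exactly.
            bool ok = double.TryParse(value,
                                      NumberStyles.Float | NumberStyles.AllowThousands,
                                      NumberFormatInfo.InvariantInfo,
                                      out parsed);
            if (!ok)
            {
                // Malformed or tampered post data: report it, leave the value unset.
                EventHandler<InvalidNumericInputEventArgs> handler = InvalidInput;
                if (handler != null)
                    handler(this, new InvalidNumericInputEventArgs(value));
                return null;
            }

            // Valid number: let the base class clamp it to MinValue/MaxValue as before.
            return base.RangeTextProperty(value);
        }
    }
}
```

Register the class with an @ Register directive pointing at your own web assembly and use it in place of telerik:RadNumericTextBox; a rejected value leaves the control without a value, which the DbValue null check in the first post already skips over.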