
Why do validations not work correctly when testing my asp.net mvc 2 application via 3rd party tool(s)?

I am working with an ASP.NET MVC 2 application that performs basic CRUD operations against a DB2 table. When testing my application by simply loading it in IE, if I put characters in a numbers field or numbers in a date field or some other form of data that is incompatible with the datatype in my View Model, MVC performs correct error processing on its end and the view is returned with the appropriate Model State Error messages as displayed by the Html.ValidationSummary() mvc helper.

However, when I run tests with programs such as IBM AppScan or forge POST requests with Fiddler2, the application flips out.

I am performing what I believe to be the same sort of test in 2 different ways and am getting various results.

I am also employing the use of MVC's AntiForgeryToken system, but that doesn't do much good because these programs just scan the request data, find the token, and make sure it's included with their forged POST.

Also note that I am using DataAnnotations on the server side to handle several of these validations, and instead of getting the error the annotations ought to return, the page is redirected to the application's error page for uncaught exceptions.

I'm actually quite baffled by all this. What am I missing?

LukLed's comment had me do a sanity check on things and he's absolutely right. I'm doing it wrong. When I forged request body details in Fiddler, I did it in a way where I knew the data would be incorrect, but the data would also fall under the correct validations, so the error would be caught. My testing, such as submitting characters for a number-only field (I had thought this is the sort of thing that bombed the app when AppScan tested it), gave the correct results.

However, LukLed's comment had me really look at the POST data AppScan sent. In every application error, the field was a string on the view model. I allowed the data to pass without strenuous checks on length and a "String data right truncation" SQL error ensued. This also brought to light that I need to do better sanitizing of the data, because some of the values AppScan submitted were like:

'../../../../../../../../../../../../bin/id|' for an account number field and

Foobar%0d%0aAppScanHeader:%20AppScanValue%2f1%2e2%2d3%0d%0aSecondAppScanHeader:%20whatever' for a description field.

Special characters such as these ought not be allowed in the form submission.
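The two findings above (an unbounded string reaching the DB2 driver, and traversal/CRLF probe strings being accepted at all) are both handled at the view-model layer in MVC 2. The following is an added example, not the poster's code: a view model whose [StringLength] bounds are chosen to match a hypothetical DB2 table (ACCOUNT_NUMBER CHAR(12), DESCRIPTION VARCHAR(60)), whitelist [RegularExpression] rules for both fields, a controller action that refuses to touch the database unless ModelState.IsValid, and a small console harness that replays scanner-style payloads through the same ValidationAttribute classes the MVC 2 binder evaluates. The harness uses Validator.TryValidateObject, which assumes the .NET 4 version of System.ComponentModel.DataAnnotations; the column widths, the AccountController/Edit action and the probe strings are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;

// Added example (not the poster's code). The StringLength bounds are assumed to
// match the hypothetical DB2 columns ACCOUNT_NUMBER CHAR(12) and DESCRIPTION
// VARCHAR(60), so oversized input is rejected in ModelState instead of failing in
// the DB2 driver with "String data right truncation".
public class AccountEditViewModel
{
    [Required]
    [StringLength(12)]
    // RegularExpressionAttribute only passes when the whole value matches, so a
    // traversal probe such as "../../bin/id|" fails on both length and pattern.
    [RegularExpression(@"^[0-9]+$", ErrorMessage = "Account number must contain digits only.")]
    public string AccountNumber { get; set; }

    [Required]
    [StringLength(60)]
    // Whitelist of allowed characters. CR, LF, quotes, '/', '|', '%' and ':' are
    // outside the class, so CRLF header-injection probes are rejected here.
    [RegularExpression(@"^[A-Za-z0-9 .,_-]+$", ErrorMessage = "Description contains characters that are not allowed.")]
    public string Description { get; set; }

    [Range(0, 999999)]
    public int Quantity { get; set; }
}

public class AccountController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]   // CSRF defence only; it says nothing about field contents
    public ActionResult Edit(AccountEditViewModel model)
    {
        // The DefaultModelBinder has already evaluated the annotations. Do not reach
        // the repository unless every one of them passed.
        if (!ModelState.IsValid)
            return View(model);   // Html.ValidationSummary() renders the errors

        // Persist here (hypothetical repository call omitted).
        return RedirectToAction("Index");
    }
}

// Replays scanner-style payloads against the view model outside the web pipeline.
public static class PayloadCheck
{
    public static IList<ValidationResult> Validate(object model)
    {
        var errors = new List<ValidationResult>();
        // validateAllProperties = true so the RegularExpression/StringLength rules run,
        // not only [Required].
        Validator.TryValidateObject(model, new ValidationContext(model, null, null), errors, true);
        return errors;
    }

    public static void Main()
    {
        // Constructed probe values modelled on the ones quoted above, URL-decoded.
        var probes = new[]
        {
            new AccountEditViewModel { AccountNumber = "../../../../../../../../../../../../bin/id|", Description = "Office supplies", Quantity = 1 },
            new AccountEditViewModel { AccountNumber = "000123456", Description = "Foobar\r\nAppScanHeader: AppScanValue/1.2-3\r\nSecondAppScanHeader: whatever'", Quantity = 1 },
            new AccountEditViewModel { AccountNumber = "000123456", Description = new string('A', 61), Quantity = 1 },
            new AccountEditViewModel { AccountNumber = "000123456", Description = "Office supplies", Quantity = 1 },
        };

        foreach (var probe in probes)
        {
            var errors = Validate(probe);
            Console.WriteLine(errors.Count == 0
                ? "VALID"
                : string.Join("; ", errors.Select(e => e.ErrorMessage).ToArray()));
        }
    }
}
```

Only the last probe comes back VALID; the first three are stopped by the annotations before any SQL is issued. Two caveats worth keeping in mind: MVC's request validation (ValidateInput) blocks markup-looking input such as `<script>`, not traversal sequences, pipes or CRLF, so it is no substitute for per-field rules; and the length bounds have to be kept in step with the DB2 schema, otherwise the driver-level truncation error returns as soon as a column is narrowed.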
