Tags: asp.net, vb.net, rest, security, owasp

Prevent unwanted parameter values for my GET API calls for improved security


I run a website using ASP.NET. My API (GET request) URI is formatted like so: https://www.example.com/api/results/?country=&city=&value=

However, when running a vulnerability test on my site it came up with errors around this, basically adding parameter values:

So basically, I think it all boils down to the same issue: an issue with unwanted parameter values for my API, but I'm not sure how to prevent this. I have many parameters and I could check each input value manually but that seems like an uphill battle and would also impact application performance.

What can I do to resolve this "parameter stuffing"?

Here's my API definition:

Iexample.vb

    <OperationContract()>
    <Web.WebInvoke(Method:="GET", ResponseFormat:=Web.WebMessageFormat.Json, BodyStyle:=Web.WebMessageBodyStyle.Bare,
                   UriTemplate:="results/?country={country}&province={province}&city={city}&value={value}")>
    Function results(ByVal country As String, ByVal province As String,
                     ByVal city As String, ByVal value As String) As Stream

example.svc.vb

    Public Function results(ByVal country As String, ByVal province As String,
        ByVal city As String, ByVal value As String) As Stream Implements Iexample.results

Solution

  • A pattern you could apply is to implement validation functions, like

    ' Loops over any number of parameters and fails fast on the first invalid one.
    Protected Function IsValidFoobarParams(ByVal ParamArray args() As String) As Boolean
        For Each param As String In args
            If Not IsValidFoobarParam(param) Then
                Return False
            End If
        Next
        Return True
    End Function

    You will need to implement IsValidFoobarParam yourself to have a validation for the parameter, returning a boolean. You can call the function above like

        Dim IsValid As Boolean = IsValidFoobarParams(param1, param2, param3)

    If you need some other validation as well, let's call it IsValidLoremIpsumParam, then you can do something like this

        Dim IsValid As Boolean = IsValidFoobarParams(param1, param2, param3) AndAlso IsValidLoremIpsumParams(param1, param3)

    In the example above I have omitted param2 from the second validation on purpose, to illustrate that if you use ParamArray, then you can pass as many parameters as you like, 0 or more.

    One last issue is remaining. You may have multiple types, in which case you may want to have separate validations for separate types, or type conversions. But, the basic pattern is to:

    • implement a validation function for each validation type that takes a single value and returns Boolean
    • implement a validation function for each validation type that takes an array of parameters, loops it, calls the corresponding singular validation function for each of them, Return False if any of them fails to be valid and Return True at the end of the loop
    • call the function that loops a parameter array from where you are to validate, so, you implement your validation types once and reuse them at all your API functions as you please by simply calling the functions
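The pattern above applied to the asker's results() operation, as an added example that is neither the asker's nor the answerer's code: one allow-list validator per parameter type, a ParamArray wrapper for the string-typed ones, and an early 400 response when any check fails. The regular expressions, the value limit, the ExampleService class name and the JSON bodies are assumptions.

```vb
Imports System.Globalization
Imports System.IO
Imports System.Net
Imports System.ServiceModel.Web
Imports System.Text
Imports System.Text.RegularExpressions

Public Class ParamValidation
    ' Allow-list patterns (assumed limits). Empty values fail these checks; relax them if an empty filter is legitimate.
    Private Shared ReadOnly CountryPattern As New Regex("^[A-Z]{2}$")         ' e.g. "NL"
    Private Shared ReadOnly NamePattern As New Regex("^[\p{L} '\-]{1,64}$")   ' province / city
    Public Shared Function IsValidCountryParam(ByVal param As String) As Boolean
        Return param IsNot Nothing AndAlso CountryPattern.IsMatch(param)
    End Function
    Public Shared Function IsValidNameParam(ByVal param As String) As Boolean
        Return param IsNot Nothing AndAlso NamePattern.IsMatch(param)
    End Function
    ' Numeric range check instead of a regex: NumberStyles.None rejects "-1", "1e9", " 12" and "12abc".
    Public Shared Function IsValidValueParam(ByVal param As String) As Boolean
        Dim n As Integer
        Return Integer.TryParse(param, NumberStyles.None, CultureInfo.InvariantCulture, n) AndAlso n <= 100000
    End Function
    ' ParamArray wrapper: loops the singular validator and fails fast on the first bad value.
    Public Shared Function IsValidNameParams(ByVal ParamArray args() As String) As Boolean
        For Each p As String In args
            If Not IsValidNameParam(p) Then Return False
        Next
        Return True
    End Function
End Class

Public Class ExampleService
    Implements Iexample   ' the interface from the question (assumed to be in scope)

    Public Function results(ByVal country As String, ByVal province As String,
                            ByVal city As String, ByVal value As String) As Stream Implements Iexample.results
        Dim response As OutgoingWebResponseContext = WebOperationContext.Current.OutgoingResponse
        If Not (ParamValidation.IsValidCountryParam(country) AndAlso
                ParamValidation.IsValidNameParams(province, city) AndAlso
                ParamValidation.IsValidValueParam(value)) Then
            ' Reject before any data access with a generic 400; do not echo the offending value back.
            response.StatusCode = HttpStatusCode.BadRequest
            Return New MemoryStream(Encoding.UTF8.GetBytes("{""error"":""invalid parameter""}"))
        End If
        ' Validated values can now be handed to the data layer (still use parameterised queries there).
        Return New MemoryStream(Encoding.UTF8.GetBytes("{""ok"":true}"))
    End Function
End Class
```

Because each validator lives in one place, adding another operation only costs one more AndAlso chain, and a scanner's oversized or non-alphabetic parameter values never reach the query layer.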