Catch the security flaw #5

A lot of web applications use RegularExpressionValidators to perform input validation [1]. Sometimes these validators are not implemented properly, which can lead to security flaws. See if you can catch the flaw here:

Code for Default.aspx:

    <%@ Page Language="C#" ValidateRequest="false" AutoEventWireup="true" CodeFile="Default2.aspx.cs" Inherits="Default2" %>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <body>
        <form id="form1" runat="server">

        <asp:TextBox ID="txtName" runat="server"></asp:TextBox>
        <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
        <asp:RegularExpressionValidator ID="regexpName" runat="server"
                                        ErrorMessage="This expression does not validate."
                                        ControlToValidate="txtName"
                                        ValidationExpression="^[a-zA-Z'.\s]{1,40}$" />

        </form>
    </body>
    </html>

Code behind Default.aspx.cs file:

    using System;

    public partial class Default2 : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {

        }
        protected void btnSubmit_Click(object sender, EventArgs e)
        {
            Response.Write("Welcome " + Request["txtName"]);
        }
    }

 

Reference:

[1] How To: Use Regular Expressions to Constrain Input in ASP.NET

https://msdn.microsoft.com/en-us/library/ms998267.aspx