473,854 Members | 1,769 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Handle HttpRequestVali dationException gracefully

Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this error. I
understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control to
the user instead of throwing an exception. This is a problem is a legitimate
user enters it into a long description box as part of a rare, but possible,
description.

I see the following options:
1 - put a regular expression validator on each file. Have the regexVal only
pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks that
a sentence does not contain a string as opposed to just a single char.

2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator to
all the textboxes.
Problem - messy to write my own validator.

3 - disable this by setting validateRequest =false, and then do the check on
the server.
Problem - lot of extra work for the server.

4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.

As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.

Thanks,
Mark
Nov 19 '05 #1
6 5698
I have built a commercial solution to replace the
HttpRequestVali dationException with powerful validators that you can
customize the rules on a field-by-field basis. Visual Input Security
(http://www.peterblum.com/vise/home.aspx) also detects SQL Injection attacks
and other input attacks on fields, querystrings and cookies.

--- Peter Blum
www.PeterBlum.com
Email: PL****@PeterBlu m.com
Creator of "Profession al Validation And More" at
http://www.peterblum.com/vam/home.aspx

"Mark" <Ma**@discussio ns.microsoft.co m> wrote in message
news:BE******** *************** ***********@mic rosoft.com...
Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this
error. I
understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control
to
the user instead of throwing an exception. This is a problem is a
legitimate
user enters it into a long description box as part of a rare, but
possible,
description.

I see the following options:
1 - put a regular expression validator on each file. Have the regexVal
only
pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks
that
a sentence does not contain a string as opposed to just a single char.

2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator
to
all the textboxes.
Problem - messy to write my own validator.

3 - disable this by setting validateRequest =false, and then do the check
on
the server.
Problem - lot of extra work for the server.

4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.

As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.

Thanks,
Mark

Nov 19 '05 #2
9 out of 10 times there should be NO reason what so ever that a user
should be submitting any type of tags.
Remember that <script> is not the only malicious form of injection and
that is why ASP.NET is so strict about this.

What I personally do, and this allows me to do so on a control by
control basis and allows me to control what gets submitted and what
does not get submitted is I use client side JavaScript to do regex
replacements.

For example I will replace all <b> <p><h1> tags to <p> <b><h1>. Now
beacuse I use regex i can take <p onload="alert(' hi')"> and make sure
it gets replaced as a <p> thus eliminating various forms of javascript
injections of that nature. This also allows me to control what gets
submitted to the server and what does not get submitted to the server.

Then on the Server side I have a function that translatges the posted
&lt;p&gt; back to <p> or compatible form for client side postback, once
again using specialized regex to ensure that only elements that i want
get converted. This prevents hack attempts made through a clever POSt
request.

Imho, it would be nice if there was a better way to handle this but
from my experience there are very few solutions that fit one scenario,
and when it comes to injectionj of this nature, one really needs to
approach with a take-no-prisoner attitude.

Nov 19 '05 #3
In my applications I wire to the client side - onBlur event and place a
space between the < and the next character.

"<script>" will become "< script>".

Of course it is a 20,000 user internal ap, so disabling client side script
is not an option. Well, they can do it, but we don't have to support their
problem. The HttpRequestVali dationException will be thrown if they enter
the wrong information.

Then if the situation is there they need to be able to enter this
information, I can do a replace on the .Text propery and remove the space.

bill

"Mark" <Ma**@discussio ns.microsoft.co m> wrote in message
news:BE******** *************** ***********@mic rosoft.com...
Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this error. I understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control to the user instead of throwing an exception. This is a problem is a legitimate user enters it into a long description box as part of a rare, but possible, description.

I see the following options:
1 - put a regular expression validator on each file. Have the regexVal only pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks that a sentence does not contain a string as opposed to just a single char.

2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator to all the textboxes.
Problem - messy to write my own validator.

3 - disable this by setting validateRequest =false, and then do the check on the server.
Problem - lot of extra work for the server.

4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.

As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.

Thanks,
Mark

Nov 19 '05 #4
once again < script> is not the only form of malicious Injection and
should NOT be the only thing that you are looking for. read my prior
reply for a small window into the different avenues for potential
injection.

Nov 19 '05 #5
What other injections should I be worried about other than '<' followed by a
character? ie <html, <script, <etc.

I have read your previous post and that is very similiar to what I do.
Maybe you should tell me a third time what else to avoid.

bill

"re****@communi ty.nospam" <ma**********@g mail.com> wrote in message
news:11******** **************@ z14g2000cwz.goo glegroups.com.. .
once again < script> is not the only form of malicious Injection and
should NOT be the only thing that you are looking for. read my prior
reply for a small window into the different avenues for potential
injection.

Nov 19 '05 #6
Hello,
Thank you all for feedback. Seems like a lot of work for something that
should be so standard, Just had another idea - what if I disabled
HttpRequestVali dationException for the page, and then in the Page Error
event, caught that type of exception and swallowed it?

Although, I'm not sure how to not bubble up the exception (bubbling it up
would eventually go to a error page or display the unfriendly default error
page).

Does anyone know how to swallow the exception at the Page-Error level to
prevent it from bubbling up?

Thanks,
Mark
"Mark" wrote:
Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this error. I
understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control to
the user instead of throwing an exception. This is a problem is a legitimate
user enters it into a long description box as part of a rare, but possible,
description.

I see the following options:
1 - put a regular expression validator on each file. Have the regexVal only
pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks that
a sentence does not contain a string as opposed to just a single char.

2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator to
all the textboxes.
Problem - messy to write my own validator.

3 - disable this by setting validateRequest =false, and then do the check on
the server.
Problem - lot of extra work for the server.

4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.

As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.

Thanks,
Mark

Nov 19 '05 #7

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

0
1091
by: Michael Ekstrand | last post by:
In the course of my current project, I've had to deal with connecting to an HTTP server that isn't fully compliant with the HTTP requirements for chunked encodings. Rather than sending the end-of-data sentinel (0-length chunk), it just closes the connection (without even sending the CRLF at the end of the data). Because of this, using httplib would always throw nasty errors and not give me any useful data. Therefore, I've had to modify...
1
3902
by: Shail | last post by:
I receive this exception while debugging: System.Web.HttpRequestValidationException saying that A potentially dangerous Request.Form value was detected from the client (qtb="... #include <iostream.h> main ()..."). I want to override set the validateRequest=false for a specific page, how to do it?
5
2912
by: Jim Butler | last post by:
We are using a custom guid generator with encryption, the problem is sometimes pages will blow up when accessing this value through a post or get. The encryption mechanism will sometimes generate the "bad" characters to create this error. We would like to continue to leave validateRequest turned on. What we would really like to be able to do is call the method manually to catch an error before the user see's it and generate a new guid...
1
2258
by: bondzhou | last post by:
I have the following code in Page_Error handler subroutine: Exception ex =Server.GetLastError(); Response.Write(ex.Message); Response.Write(ex.StackTrace); Server.ClearError(); But it doesn't work when an HttpRequestValidationException occurs(I input a html tag into the TextBox control in the page and submit it).I have attach the Page.Error event to it's handler--the Page_Error subroutine.the same
2
2200
by: Nick Gilbert | last post by:
Hi I have a number of pages where it is valid for the user to enter HTML. On these pages, I have turned off RequestValidation ("ValidateRequest = false" in the page directive) so that the HttpRequestValidationException that gets thrown if HTML is included in the Form, doesn't get thrown. This is fine. However, on some of those pages, there are fields where I don't want
4
2047
by: Mike Dee | last post by:
Hi - I recently took my site live and I'm getting quite a lot of HttpRequestValidationException errors "A potentially dangerous Request.Form value...". I'm seeing quite a lot of these various various places so I'm quite sure this is not something malcious but rather a problem with the way the validation works. Unfortunately it doesn't show me what the offending input was - is there any way I can log this so I can see exactly what...
6
2056
by: Liming | last post by:
Hi, In a typical 3 tier model (view layer, busines layer and data access layer) where do you handle your exceptions? do you let it buble up all the way to the .aspx pages or do you handle it in your business layer and/or data access layer? suppose in my data access layer, I provide try and catch, log the exception and re-throw it back to business layer, then in yoru business layer, what do you do? throw it back to the code behind or...
2
19208
by: Joannes Vermorel | last post by:
We have developed an open-source eCommerce sales forecasting add-on in PHP (see link below) that requires usually more than a few seconds to complete because the process involves some Web Services communications. http://community.lokad.com/PhpSalesForecasting.ashx Yet, in shared hosting with short PHP execution timeouts, our script may not terminate (being killed by the web server). Our concern is not the timeout in itself, it's the...
5
5056
by: lilOlMe | last post by:
I'm currently working on a project and would like my users to be able to enter anything they would like to enter; however, if they enter angled brackets "<" or ">" an HttpRequestValidationException is thrown. I like the fact that Microsoft has included the validateRequest feature that screens user input for potentially harmful data that could be used to insert code into my script; however, I'd also like to let my users enter anything they'd...
0
9750
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
0
11024
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
0
10672
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
1
10740
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
1
7909
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
7076
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
0
5937
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
4550
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
3
3182
bsmnconsultancy
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.