Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this error. I
understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control to
the user instead of throwing an exception. This is a problem is a legitimate
user enters it into a long description box as part of a rare, but possible,
description.
I see the following options:
1 - put a regular expression validator on each file. Have the regexVal only
pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks that
a sentence does not contain a string as opposed to just a single char.
2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator to
all the textboxes.
Problem - messy to write my own validator.
3 - disable this by setting validateRequest =false, and then do the check on
the server.
Problem - lot of extra work for the server.
4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.
As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.
Thanks,
Mark
6  5691 
I have built a commercial solution to replace the
HttpRequestVali dationException with powerful validators that you can
customize the rules on a field-by-field basis. Visual Input Security
( http://www.peterblum.com/vise/home.aspx) also detects SQL Injection attacks
and other input attacks on fields, querystrings and cookies.
--- Peter Blum www.PeterBlum.com
Email: PL****@PeterBlu m.com
Creator of "Profession al Validation And More" at http://www.peterblum.com/vam/home.aspx
"Mark" <Ma**@discussio ns.microsoft.co m> wrote in message
news:BE******** *************** ***********@mic rosoft.com... Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this
error. I
understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control
to
the user instead of throwing an exception. This is a problem is a
legitimate
user enters it into a long description box as part of a rare, but
possible,
description.
I see the following options:
1 - put a regular expression validator on each file. Have the regexVal
only
pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks
that
a sentence does not contain a string as opposed to just a single char.
2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator
to
all the textboxes.
Problem - messy to write my own validator.
3 - disable this by setting validateRequest =false, and then do the check
on
the server.
Problem - lot of extra work for the server.
4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.
As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.
Thanks,
Mark
9 out of 10 times there should be NO reason what so ever that a user
should be submitting any type of tags.
Remember that <script> is not the only malicious form of injection and
that is why ASP.NET is so strict about this.
What I personally do, and this allows me to do so on a control by
control basis and allows me to control what gets submitted and what
does not get submitted is I use client side JavaScript to do regex
replacements.
For example I will replace all <b> <p><h1> tags to <p> <b><h1>. Now
beacuse I use regex i can take <p onload="alert(' hi')"> and make sure
it gets replaced as a <p> thus eliminating various forms of javascript
injections of that nature. This also allows me to control what gets
submitted to the server and what does not get submitted to the server.
Then on the Server side I have a function that translatges the posted
<p> back to <p> or compatible form for client side postback, once
again using specialized regex to ensure that only elements that i want
get converted. This prevents hack attempts made through a clever POSt
request.
Imho, it would be nice if there was a better way to handle this but
from my experience there are very few solutions that fit one scenario,
and when it comes to injectionj of this nature, one really needs to
approach with a take-no-prisoner attitude.
In my applications I wire to the client side - onBlur event and place a
space between the < and the next character.
"<script>" will become "< script>".
Of course it is a 20,000 user internal ap, so disabling client side script
is not an option. Well, they can do it, but we don't have to support their
problem. The HttpRequestVali dationException will be thrown if they enter
the wrong information.
Then if the situation is there they need to be able to enter this
information, I can do a replace on the .Text propery and remove the space.
bill
"Mark" <Ma**@discussio ns.microsoft.co m> wrote in message
news:BE******** *************** ***********@mic rosoft.com... Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this
error. I understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control
to the user instead of throwing an exception. This is a problem is a
legitimate user enters it into a long description box as part of a rare, but
possible, description.
I see the following options:
1 - put a regular expression validator on each file. Have the regexVal
only pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks
that a sentence does not contain a string as opposed to just a single char.
2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator
to all the textboxes.
Problem - messy to write my own validator.
3 - disable this by setting validateRequest =false, and then do the check
on the server.
Problem - lot of extra work for the server.
4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.
As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.
Thanks,
Mark
once again < script> is not the only form of malicious Injection and
should NOT be the only thing that you are looking for. read my prior
reply for a small window into the different avenues for potential
injection.
What other injections should I be worried about other than '<' followed by a
character? ie <html, <script, <etc.
I have read your previous post and that is very similiar to what I do.
Maybe you should tell me a third time what else to avoid.
bill
"re****@communi ty.nospam" <ma**********@g mail.com> wrote in message
news:11******** **************@ z14g2000cwz.goo glegroups.com.. . once again < script> is not the only form of malicious Injection and
should NOT be the only thing that you are looking for. read my prior
reply for a small window into the different avenues for potential
injection.
Hello,
Thank you all for feedback. Seems like a lot of work for something that
should be so standard, Just had another idea - what if I disabled
HttpRequestVali dationException for the page, and then in the Page Error
event, caught that type of exception and swallowed it?
Although, I'm not sure how to not bubble up the exception (bubbling it up
would eventually go to a error page or display the unfriendly default error
page).
Does anyone know how to swallow the exception at the Page-Error level to
prevent it from bubbling up?
Thanks,
Mark
"Mark" wrote: Hello,
I'm trying to handle HttpRequestVali dationException . If a hacker enters
certain values into a textbox, like "<script>", it will trigger this error. I
understand why .Net has this, but I need a way to gracefully handle it.
Ideally the app would catch it as invalid input, and then return control to
the user instead of throwing an exception. This is a problem is a legitimate
user enters it into a long description box as part of a rare, but possible,
description.
I see the following options:
1 - put a regular expression validator on each file. Have the regexVal only
pass if the textbox does not contain the string "<script>".
Problem is that I can't find how to make such a regex - one that checks that
a sentence does not contain a string as opposed to just a single char.
2 - write my own custom validator that uses JavaScript to check for
occurence of the string "<script>". Then apply this new custom validator to
all the textboxes.
Problem - messy to write my own validator.
3 - disable this by setting validateRequest =false, and then do the check on
the server.
Problem - lot of extra work for the server.
4 - Treat it as a hacker error because there shouldn't be any legitimate
reason to enter those values.
Problem - this throws an exception, which bubbles up and goes to the apps
global error page. If ever there was a legitimate reason, this could annoy
the user.
As almost every ASP.Net app needs to handle this, I would expect that
there's already a standard solution.
Thanks,
Mark This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics | |
by: Michael Ekstrand |
last post by:
In the course of my current project, I've had to deal with connecting
to an HTTP server that isn't fully compliant with the HTTP requirements
for chunked encodings. Rather than sending the end-of-data sentinel
(0-length chunk), it just closes the connection (without even sending
the CRLF at the end of the data).
Because of this, using httplib would always throw nasty errors and not
give me any useful data. Therefore, I've had to modify...
|
by: Shail |
last post by:
I receive this exception while debugging:
System.Web.HttpRequestValidationException
saying that
A potentially dangerous Request.Form value was detected
from the client (qtb="... #include <iostream.h> main
()...").
I want to override set the validateRequest=false for a
specific page, how to do it?
|
by: Jim Butler |
last post by:
We are using a custom guid generator with encryption, the problem is
sometimes pages will blow up when accessing this value through a post or
get. The encryption mechanism will sometimes generate the "bad" characters
to create this error. We would like to continue to leave validateRequest
turned on. What we would really like to be able to do is call the method
manually to catch an error before the user see's it and generate a new guid...
|
by: bondzhou |
last post by:
I have the following code in Page_Error handler subroutine:
Exception ex =Server.GetLastError();
Response.Write(ex.Message);
Response.Write(ex.StackTrace);
Server.ClearError();
But it doesn't work when an HttpRequestValidationException occurs(I input a
html tag into the TextBox control in the page and submit it).I have attach
the Page.Error event to it's handler--the Page_Error subroutine.the same
|
by: Nick Gilbert |
last post by:
Hi
I have a number of pages where it is valid for the user to enter HTML.
On these pages, I have turned off RequestValidation ("ValidateRequest =
false" in the page directive) so that the HttpRequestValidationException
that gets thrown if HTML is included in the Form, doesn't get thrown.
This is fine.
However, on some of those pages, there are fields where I don't want
| | |
by: Mike Dee |
last post by:
Hi - I recently took my site live and I'm getting quite a lot of
HttpRequestValidationException errors "A potentially dangerous Request.Form
value...".
I'm seeing quite a lot of these various various places so I'm quite sure
this is not something malcious but rather a problem with the way the
validation works.
Unfortunately it doesn't show me what the offending input was - is there any
way I can log this so I can see exactly what...
|
by: Liming |
last post by:
Hi,
In a typical 3 tier model (view layer, busines layer and data access
layer) where do you handle your exceptions? do you let it buble up all
the way to the .aspx pages or do you handle it in your business layer
and/or data access layer?
suppose in my data access layer, I provide try and catch, log the
exception and re-throw it back to business layer, then in yoru business
layer, what do you do? throw it back to the code behind or...
|
by: Joannes Vermorel |
last post by:
We have developed an open-source eCommerce sales forecasting add-on in
PHP (see link below) that requires usually more than a few seconds to
complete because the process involves some Web Services
communications.
http://community.lokad.com/PhpSalesForecasting.ashx
Yet, in shared hosting with short PHP execution timeouts, our script
may not terminate (being killed by the web server).
Our concern is not the timeout in itself, it's the...
|
by: lilOlMe |
last post by:
I'm currently working on a project and would like my users to be able to enter anything they would like to enter; however, if they enter angled brackets "<" or ">" an HttpRequestValidationException is thrown.
I like the fact that Microsoft has included the validateRequest feature that screens user input for potentially harmful data that could be used to insert code into my script; however, I'd also like to let my users enter anything they'd...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| | |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
| | |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
| |
