If data you post back contains the following string
on<<any sequence of characters>>=
example: on2q3asdf=
The page will throw the following exception:
A potentially dangerous Request.Form value was detected from the client
This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
Thanks. 6 1778
You can (and always could) simply disable the validateRequest in 1.1... http://www.aspnetpro.com/NewsletterA...200403dk_l.asp
Karl
--
MY ASP.Net tutorials http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying) http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"STech" <st***@nospam.n ospam> wrote in message
news:DD******** *************** ***********@mic rosoft.com... If data you post back contains the following string
on<<any sequence of characters>>=
example: on2q3asdf=
The page will throw the following exception:
A potentially dangerous Request.Form value was detected from the client
This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
Thanks.
Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateReques t " in @Page directive to disable such
validation on individual page.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Steven,
Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).
Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.
Thanks.
"Steven Cheng[MSFT]" wrote: Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation feature(by default enabled) which will check the comming request data to detect whether there are dangerous script or invalid markup code in it. For example, scripts , html tags are not allowed in post data. And the one you mentioned is also treated as those scripts. If you want to disable this, we can use the "ValidateReques t " in @Page directive to disable such validation on individual page.
Thanks,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
STech,
The issue would be DHTML insertion attacks.
Lets say that I have forum software, and I'm prompting the user for the URL
of a forum avatar, which I then load into the src attribute of an image
element using string.format, like this:
String.Format(" <img src='{0}' alt='user avatar'></img>", ImageTextBox.Te xt)
A malicious user could set ImageTextBox.Te xt to:
"http://www.somesite.co m/images/img.jpg'
onload='javascr ipt:do_somethin g_nasty()'"
When the forum image loaded, arbitrary JavaScript would run on the client.
The client then could proceed to do something nasty.
Since the events available are browser-specific (IE using one set, standards
compliant browsers using a different set), and may change in the future,
ASP.NET probably uses a regular expression to protect you from this (which is
how it should do it, since if IE 8 supports more events, you don't want
existing pages to become vulnerable).
"STech" wrote: Steven,
Thanks for the reply. I was aware of the ValidateRequest property and do not feel comfortable turning it off (security reasons).
Could you please explain why the sequence on= is treated as potentially dangerous? Again, it is the sequence that is causing the exception and *not* the '=' character.
Thanks.
"Steven Cheng[MSFT]" wrote:
Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation feature(by default enabled) which will check the comming request data to detect whether there are dangerous script or invalid markup code in it. For example, scripts , html tags are not allowed in post data. And the one you mentioned is also treated as those scripts. If you want to disable this, we can use the "ValidateReques t " in @Page directive to disable such validation on individual page.
Thanks,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
Thanks for Dave's detail explanation.
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Dave,
Thanks for the explanation; so the regex is catching onmouseover=
The regex in 2.0 must be smarter because it does not throw an exception for
on=
Thanks for the explanation.
"Dave Bacher" wrote: STech,
The issue would be DHTML insertion attacks.
Lets say that I have forum software, and I'm prompting the user for the URL of a forum avatar, which I then load into the src attribute of an image element using string.format, like this: String.Format(" <img src='{0}' alt='user avatar'></img>", ImageTextBox.Te xt)
A malicious user could set ImageTextBox.Te xt to: "http://www.somesite.co m/images/img.jpg' onload='javascr ipt:do_somethin g_nasty()'"
When the forum image loaded, arbitrary JavaScript would run on the client. The client then could proceed to do something nasty.
Since the events available are browser-specific (IE using one set, standards compliant browsers using a different set), and may change in the future, ASP.NET probably uses a regular expression to protect you from this (which is how it should do it, since if IE 8 supports more events, you don't want existing pages to become vulnerable). "STech" wrote:
Steven,
Thanks for the reply. I was aware of the ValidateRequest property and do not feel comfortable turning it off (security reasons).
Could you please explain why the sequence on= is treated as potentially dangerous? Again, it is the sequence that is causing the exception and *not* the '=' character.
Thanks.
"Steven Cheng[MSFT]" wrote:
Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation feature(by default enabled) which will check the comming request data to detect whether there are dangerous script or invalid markup code in it. For example, scripts , html tags are not allowed in post data. And the one you mentioned is also treated as those scripts. If you want to disable this, we can use the "ValidateReques t " in @Page directive to disable such validation on individual page.
Thanks,
Steven Cheng Microsoft Online Support
Get Secure! www.microsoft.com/security (This posting is provided "AS IS", with no warranties, and confers no rights.)
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Anil Kripalani |
last post by:
When a user of our ASP.NET 1.1 application submits a form with the phrase
'manuscript:' in a text field, ASP returns the error 'A potentially
dangerous Request.Form value was detected from the client
(182:BodyField="manuscript: hello").' Why is this seemingly innocent text
triggering this error?
Thanks,
Krip
|
by: John Morgan |
last post by:
I am attempting to use a try/catch block to trap a querystring which
is caught by ValidateRequest="true" in the @page directive
A simple example of the blockthat does not work is
Try
routeID = Request.QueryString("routeID")
Catch
response.Write("a dangerous query string has been entered")
End Try
|
by: veenakj |
last post by:
Hi
Code snippet
--------------
strErrMsg = "Could not find a part of the path
\"C:\\Temp\\data\\Test.xml\"." }
Server.Transfer("Message.aspx?errormsg=" + Server.UrlEncode(lsErrMsg));
---------------
|
by: Steve Richter |
last post by:
getting this "potentially dangerous Request.Form value was detected"
exception with a textbox which I have populated with some source
code. I think I am getting the exception when I click OK on the web
page, but that is one of my question, so I am not sure ;)
I am reading how to disable request validation,
http://www.asp.net/faq/RequestValidation.aspx#5
but I dont want to do that. I would rather catch the exception. But I
guess that...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it.
First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
| |
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth.
The Art of Business Website Design
Your website is...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules.
He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms.
Adolph will...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: muto222 |
last post by:
How can i add a mobile payment intergratation into php mysql website.
|
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |