I use base64 to encode some cookie values. Today I got a "potentially
dangerous cookie value" error. I've isolated it to anything matching this
pattern:
.*On.*=.*
in other words, anything with "On" in it anywhere and an = in it after that
anywhere causes ASP.Net to barf.
This is certainly unacceptable, what am I missing?
one more thing
You can set ValidateRequest to false, but I wouldn't recommend it.
Instead, you can use string replace to replace the "on" and "="
sequences in the encryption output as part of your encryption method. Then
replace them back to "=" and "on" while decrypting the values.
Natty Gur[MVP]
blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)58-888377
*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!
Max,
Try turning Validate Page off.
validateRequest=false in the page header in the aspx page. That feature is there to protect you from code injection attacks. Unless you are hosting a site that is a target for malicious behavior I wouldn't worry too much about it. If you can get around the encoding issue that would be better. Trust in God, but tie up the horses.
-Calvin Luttrell
ProjectThunder.com
I understand what it's TRYING to do, I think it's just a bit dumb about it.
I guess they're trying to squeeze performance, but obviously this is not
malicious:
CookieX=sodiu2039840978SDFH09*#45On029384098s7dfjh 2==
that's just binhex... But the On and the = blow it up.
"Natty Gur" <na***@dao2com.com> wrote in message
news:uZ**************@tk2msftngp13.phx.gbl...
Hi,
ASP.NET 1.1 request validation catches malicious scripting code in the Cookie Collection, the QueryString, and Forms Posts. It checks all input data against a list of potentially dangerous values. (MSDN - http://msdn.microsoft.com/library/de.../en-us/dnaspp/html/scriptingprotection.asp)
Obviously "on" with "=" is suspicious.
Natty Gur[MVP]
blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)58-888377
hi Max,
It looks to me like you are encoding some values and putting them in cookies. I
think you may change the arithmetic to avoid "=" in the encoded string. Is
this possible?
Luke
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Yep, now my base64 looks like this:
Convert.ToBase64String(fooArray).Replace('+','-').Replace('/','_').Replace('=','#')
Quite an adventure. :)
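Added example, not code from the thread or from ASP.NET itself: a cookie-safe Base64 variant in the spirit of Max's final Replace() chain, but using the RFC 4648 section 5 "base64url" alphabet and dropping the '=' padding instead of remapping it to '#', so the value can never contain the '=' that the reported "On ... =" rule keys on. It also includes a small offline probe that models that rule. The class names CookieSafeBase64 and RequestValidationProbe, the constructed payload ":pa!" (chosen so its standard Base64 form contains "On" and ends in "=="), and the assumption that the validator is case-insensitive are all this example's own, not anything stated in the thread.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Cookie-safe Base64: the RFC 4648 section 5 "base64url" alphabet with the
// padding dropped. Every output character is a legal cookie-octet under
// RFC 6265, and the value never contains '=', so "On" followed by "=" cannot occur.
public static class CookieSafeBase64
{
    public static string Encode(byte[] data)
    {
        if (data == null) throw new ArgumentNullException(nameof(data));
        return Convert.ToBase64String(data)
            .TrimEnd('=')            // padding is redundant: the length recovers it
            .Replace('+', '-')
            .Replace('/', '_');
    }

    public static byte[] Decode(string text)
    {
        if (text == null) throw new ArgumentNullException(nameof(text));
        string s = text.Replace('-', '+').Replace('_', '/');
        // Base64 works in groups of four characters; a remainder of one is never valid.
        switch (s.Length % 4)
        {
            case 0: break;
            case 2: s += "=="; break;
            case 3: s += "="; break;
            default: throw new FormatException("Invalid cookie-safe Base64 length.");
        }
        return Convert.FromBase64String(s);   // still rejects characters outside the alphabet
    }
}

// Offline probe for the rule the thread observed: "On" anywhere, then "=" later.
// Assumption: the check is case-insensitive. This models the reported behaviour;
// it is not ASP.NET's own request-validation code.
public static class RequestValidationProbe
{
    private static readonly Regex OnThenEquals =
        new Regex("on.*=", RegexOptions.IgnoreCase | RegexOptions.Singleline);

    public static bool WouldTrip(string cookieValue) =>
        cookieValue != null && OnThenEquals.IsMatch(cookieValue);
}

public class Program
{
    public static void Main()
    {
        // Constructed payload: its standard Base64 form contains "On" and ends in "==",
        // which is exactly the combination the thread reports as rejected.
        byte[] payload = Encoding.UTF8.GetBytes(":pa!");

        string standard = Convert.ToBase64String(payload);
        string cookieSafe = CookieSafeBase64.Encode(payload);

        Console.WriteLine($"{standard}  trips validation: {RequestValidationProbe.WouldTrip(standard)}");
        Console.WriteLine($"{cookieSafe}  trips validation: {RequestValidationProbe.WouldTrip(cookieSafe)}");

        // Round trip: the padding is reconstructed from the length on decode.
        byte[] back = CookieSafeBase64.Decode(cookieSafe);
        Console.WriteLine(Encoding.UTF8.GetString(back) == ":pa!" ? "round trip ok" : "round trip FAILED");

        // Tampered input: a length no Base64 encoding can produce is rejected.
        try { CookieSafeBase64.Decode("OnBhI"); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

Two practical notes. RFC 6265's cookie-octet grammar excludes '=', ',', ';', '"', '\' and whitespace, so standard Base64 padding is outside the cookie grammar anyway; dropping it (or, as Max did, mapping it to '#', which is a legal cookie-octet) fixes that as well as the validation error. And the thread's consensus holds: changing the encoding is the right fix, while ValidateRequest="false" removes a heuristic defence from every input on the page. The example uses C# 6 syntax (nameof, expression-bodied members, string interpolation); on a 1.1-era compiler those would need to be spelled out.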