If data you post back contains the following string
on<<any sequence of characters>>=
example: on2q3asdf=
The page will throw the following exception:
A potentially dangerous Request.Form value was detected from the client
This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
Thanks. 6  1757 
You can (and always could) simply disable the validateRequest in 1.1... http://www.aspnetpro.com/NewsletterA...200403dk_l.asp
Karl
--
MY ASP.Net tutorials http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying) http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"STech" <st***@nospam.nospam> wrote in message
news:DD**********************************@microsof t.com... If data you post back contains the following string
on<<any sequence of characters>>=
example: on2q3asdf=
The page will throw the following exception:
A potentially dangerous Request.Form value was detected from the client
This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
Thanks.
Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Steven,
Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).
Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.
Thanks.
"Steven Cheng[MSFT]" wrote: Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
STech,
The issue would be DHTML insertion attacks.
Lets say that I have forum software, and I'm prompting the user for the URL
of a forum avatar, which I then load into the src attribute of an image
element using string.format, like this:
String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)
A malicious user could set ImageTextBox.Text to:
"http://www.somesite.com/images/img.jpg'
onload='javascript :do_something_nasty()'"
When the forum image loaded, arbitrary JavaScript would run on the client.
The client then could proceed to do something nasty.
Since the events available are browser-specific (IE using one set, standards
compliant browsers using a different set), and may change in the future,
ASP.NET probably uses a regular expression to protect you from this (which is
how it should do it, since if IE 8 supports more events, you don't want
existing pages to become vulnerable).
"STech" wrote: Steven,
Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).
Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.
Thanks.
"Steven Cheng[MSFT]" wrote:
Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Thanks for Dave's detail explanation.
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
Dave,
Thanks for the explanation; so the regex is catching onmouseover=
The regex in 2.0 must be smarter because it does not throw an exception for
on=
Thanks for the explanation.
"Dave Bacher" wrote: STech,
The issue would be DHTML insertion attacks.
Lets say that I have forum software, and I'm prompting the user for the URL
of a forum avatar, which I then load into the src attribute of an image
element using string.format, like this:
String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)
A malicious user could set ImageTextBox.Text to:
"http://www.somesite.com/images/img.jpg'
onload='javascript:do_something_nasty()'"
When the forum image loaded, arbitrary JavaScript would run on the client.
The client then could proceed to do something nasty.
Since the events available are browser-specific (IE using one set, standards
compliant browsers using a different set), and may change in the future,
ASP.NET probably uses a regular expression to protect you from this (which is
how it should do it, since if IE 8 supports more events, you don't want
existing pages to become vulnerable).
"STech" wrote:
Steven,
Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).
Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.
Thanks.
"Steven Cheng[MSFT]" wrote:
Thanks for Karl's inputs.
Hi Stech,
As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.
Thanks,
Steven Cheng
Microsoft Online Support
Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Anil Kripalani |
last post by:
When a user of our ASP.NET 1.1 application submits a form with the phrase
'manuscript:' in a text field, ASP returns the error 'A potentially
dangerous Request.Form value was detected from the...
|
by: John Morgan |
last post by:
I am attempting to use a try/catch block to trap a querystring which
is caught by ValidateRequest="true" in the @page directive
A simple example of the blockthat does not work is
Try...
|
by: veenakj |
last post by:
Hi
Code snippet
--------------
strErrMsg = "Could not find a part of the path
\"C:\\Temp\\data\\Test.xml\"." }
Server.Transfer("Message.aspx?errormsg=" + Server.UrlEncode(lsErrMsg));...
|
by: Steve Richter |
last post by:
getting this "potentially dangerous Request.Form value was detected"
exception with a textbox which I have populated with some source
code. I think I am getting the exception when I click OK on...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
| |
