ASP.NET Request Validator allowed scripts


I have been working on an ASP.NET project. My Request Validator is enabled by default. As a result, dangerous script attacks are not allowed and ASP.NET throws me a "Dangerous Request" error for

<script>alert('hello')</script>

which is very good for security.

But why was my script below not blocked? The ASP.NET request validator did not block the following script:

<%tag style=xss:expression(alert('hello'))>

This was not blocked and was executed.

My questions:

1) <%tag style=xss:expression(alert('hello'))>
Why was this request not blocked?

2) <script>alert('hello')</script>
This request was blocked and ASP.NET sent me to the yellow error page.
Is there any way to show the error on the same page?

Please help.

Thanks

Abdul Rehman Sayed

1) This article might help you understand ValidateRequest better: https://infosecauditor.wordpress.com/2013/05/27/bypassing-asp-net-validaterequest-for-script-injection-attacks/

Some excerpts:

ValidateRequest is present in ASP.NET versions 1, 2 and 3. ASP.NET version 4 does not use the ValidateRequest filter.

ValidateRequest validates user input and returns false when the following conditions are met:

<a-z     –    A ‘<’ character followed by an alpha character.
<!, </, <?     –    A ‘<’ character followed by a special character.
&,#    –    A special character.

You can write your own custom validator which extends RequestValidator and takes care of these things. E.g.:

2) Is there any way to show the error on the same page?

Yes, but then you will have to validate the input yourself and say goodbye to the ASP.NET benefits: https://gargmanoj.wordpress.com/tag/httprequestvalidationexception/

No, because an application error has happened and ASP.NET has stopped processing it. But you can definitely show a custom error page.

See the answers here & here:

// Global.asax.cs: runs for any unhandled exception in the application.
protected void Application_Error(object sender, EventArgs e)
{
    var context = HttpContext.Current;
    var exception = context.Server.GetLastError();

    // Only intercept request-validation failures; let other errors follow the normal path.
    if (exception is HttpRequestValidationException)
    {
        // Clear the error so ASP.NET does not render the yellow screen of death,
        // then send the user to a custom error page instead.
        context.Server.ClearError();
        context.Response.Redirect("~/ErrorPage.aspx");
        return;
    }
}

There is also the option of using the AntiXss encoder class for encoding output values:

<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" />
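As an added example (not code from the answer above or from the linked article), here is what a custom validator extending RequestValidator can look like: it keeps the stock checks and additionally rejects the `style=...expression(` payload from the question. The namespace, class name and regex are assumptions for this example; output encoding (e.g. the AntiXssEncoder above) remains the primary XSS control, this only adds defence in depth.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Util;

// Assumed names for this example. Register the validator in web.config with:
//   <httpRuntime requestValidationType="MyApp.Security.CssExpressionRequestValidator" />
namespace MyApp.Security
{
    public class CssExpressionRequestValidator : RequestValidator
    {
        // Flags a style attribute whose value invokes CSS expression(), which the
        // built-in rules ("<" followed by a letter or special character) do not catch.
        // Deliberately narrow to avoid rejecting ordinary text such as "regular expression (".
        private static readonly Regex CssExpression = new Regex(
            @"style\s*=.*?expression\s*\(",
            RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Run the default ASP.NET validation first so nothing it rejects slips through.
            if (!base.IsValidRequestString(context, value, requestValidationSource,
                                           collectionKey, out validationFailureIndex))
            {
                return false;
            }

            // Additional check: reject the CSS expression() pattern and report where it starts,
            // which ends up in the HttpRequestValidationException handled in Application_Error.
            var match = CssExpression.Match(value);
            if (match.Success)
            {
                validationFailureIndex = match.Index;
                return false;
            }

            validationFailureIndex = -1;
            return true;
        }
    }
}
```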