Dangerous Request values with ISO Latin-1 codes? - asp.net

I have an Asp.net form ( runat=Server)
I'm trying to figure out what the difference is between HTML entities and ISO Latin-1 codes, and why one causes an exception while the other doesn't.
I have an input and a button:
<input type="text" value="<d"/>
<asp:Button ID="s" runat="server" Text="press" />
When I press submit, it throws an exception, which is fine.
One way to solve it is encodeURIComponent:
so putting the value
value="%3Cd"/>
is fine, and there is no exception on submit.
Also, as we know, if I put
&gt; or &lt; (which is an HTML entity) it won't throw an exception. (It has another role in the HTML world: to DISPLAY '<' '>' and not try to parse them as HTML...)
(No exception, except on the second press, because when it comes back from the server the textbox shows <d, which is bad...)
Now let's go to the ISO Latin-1 code, like here:
now let's try to put &#60;d instead of <d
and it goes bang!
1) Why do I get an exception with the Latin-1 code and not with the HTML entity?
2) What is the difference between them?
3) When should I use one or the other?
Edit
I know I can disable the checking by setting validateRequest = false,
but my questions are not related to this.

Your Latin-1 example contains &#. Those are exactly the characters which trigger a validation error (see: What characters or character combinations are invalid when ValidateRequest is set to true?). So no surprise here.

Related

Testing htmlencode issue in asp.net application

In our application, developed in HTML5 and JavaScript, whenever a user submits the form (containing a comments text field) with text containing <, > and #, we get the following error:
{"Message":"A potentially dangerous Request.Form value was detected from the client ......
Now the dev team has fixed this issue, saying that they handled it on the server side.
Now I want to test different scenarios just to ensure that this issue won't repeat next time, and for any other special characters.
Can anyone suggest the different scenarios I can test here, apart from entering the special characters in the comments text box and submitting the form?

XSS: Break out of not-complete encoding

I'm pentesting an ASP.NET application running on a Microsoft-IIS/7.5 web server and I'm sending it the following GET request parameters:
&search=aaa%20%*+,-/;<=>^|"'bbb
One of the parameters is search, where I've input the value that can be seen above. The value is printed in the returned response two times, as follows:
The first parameter:
<input name="nn" type="text" value="aaa %* ,-/;&lt;=>^|&quot;&#39;bbb" class="cc" />
Escaped characters in the first entry are as follows:
" ==> &quot;
' ==> &#39;
< ==> &lt;
I guess there's no way to break out of there, since the value is escaped and we can't input the " character. Nevertheless, not all of the characters are properly escaped, even though it's not possible to break out.
The second parameter:
<strong>aaa %* ,-/;<=>^|"'bbb</strong>
We can see that all of the characters are presented as they are, but there's a catch. After the < character there can't be any [a-zA-Z0-9] characters (maybe some others as well), because we're probably getting blocked by the ASP.NET filters.
If we input the following:
&searchQuery=aaa<#script>alert('Hi');<#/script>bbb
we get the following output:
<strong>aaa<#script>alert('Hi');<#/script>bbb</strong>
I'm asking if you see any way to break out of the restrictions and execute arbitrary JavaScript code nevertheless?
Thank you
HTML requires the tag name to immediately follow the start tag open delimiter <:
Start tags must have the following format:
The first character of a start tag must be a U+003C LESS-THAN SIGN character (<).
The next few characters of a start tag must be the element's tag name.
[…]
Anything beyond that is up to a browser’s interpretation quirks.
But there are also other tags than element tags like markup declaration tags (<!…>), processing instruction tags (<?…>) and alternative comment tags (<%…%>) that are recognized by certain browsers and allow certain hacks.
Have a look at the common XSS cheat sheets like OWASP’s XSS Filter Evasion Cheat Sheet and the HTML5 Security Cheatsheet, or some HTML fuzzers like Shazzer.

Asp.NET Filtered TextBox Extender - Invalid Char Sequence?

Is it possible to put a character sequence in a Filtered TextBox Extender in Asp.NET? My guess is no, but I'm curious. I want the user to be able to enter the characters (such as & and #), but not enter the invalid sequences (such as &#).
Why not just use a regular expression? Because when the form is submitted, all the fields are passed to the server...including fields that are not part of the validation group. These fields do not get checked and may trigger the "A potentially dangerous Request.Form value…”, aka the HttpRequestValidationException. And preventing that message is the whole point of this. I'd rather tell the user, with a regex validator, what they are doing wrong...but I will settle for preventing them from typing the bad chars (&#, <, >).
Edit: sort of an afterthought, but if there's a better way to prevent ALL TextBoxes from including the characters, that'd be great!
You can just have an onkeydown function for all your text boxes that checks the character pressed and, if it's invalid, removes it. For your combination strings you can check whether the previous characters make it invalid, and then remove all of them.
An example of that type of function is:
function checkKey(event) {
    var code = event.keyCode; // code is the key number of the key pressed (not an ASCII code for every key)
    var ch = String.fromCharCode(event.which || code); // the printable character, where there is one
    // refuse the single characters the request validator rejects; sequences such as "&#" need the previous characters too
    if (ch === '<' || ch === '>') { event.preventDefault(); return false; }
    return true;
}
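The three threads above (the &#60;d exception, the <#script> payload that got through, and the keystroke filter) all turn on the same rule: what ASP.NET request validation looks for in a submitted value. The block below is an added example, not code from any of the posts; it re-implements that rule in JavaScript (the two patterns documented for ValidateRequest=true: '<' followed by a letter, '!', '/' or '?', and the pair '&#') so the observations on this page can be reproduced, then reuses it as the client-side guard the third question asks for. The function names are my own.

```javascript
// Added example, not code from any of the posts above. It re-implements, in
// JavaScript, the rule ASP.NET request validation (ValidateRequest=true) applies
// to each submitted value, so the three observations on this page can be
// reproduced, and then reuses that rule as the client-side keystroke guard the
// third question asks for. Function names are my own.

// A value is flagged when it contains either
//   '<' followed by a letter, '!', '/' or '?'   (start tag, comment/doctype, end tag, PI)
//   '&#'                                         (numeric character reference)
// Nothing else is checked: '<' followed by a space, '#', '%', '=' or end of string passes.
function isDangerousString(value) {
  for (let i = 0; i < value.length - 1; i++) {
    const c = value[i];
    const next = value[i + 1];
    if (c === '<' && /[A-Za-z!\/?]/.test(next)) return true;
    if (c === '&' && next === '#') return true;
  }
  return false;
}

// Classify a list of values: a quick table of what the validator lets through.
function classify(values) {
  return values.map(v => ({ value: v, dangerous: isDangerousString(v) }));
}

// Question 3: allow '&' and '#' on their own but refuse the keystroke that would
// complete a flagged sequence at the caret. Returns true when the key may be typed.
function acceptKeystroke(currentValue, caret, typedChar) {
  const candidate = currentValue.slice(0, caret) + typedChar + currentValue.slice(caret);
  return !isDangerousString(candidate);
}

// Attach the guard to every text box; returns how many were wired. No-op outside a browser.
function guardAllTextBoxes(doc) {
  const boxes = doc.querySelectorAll('input[type="text"], textarea');
  boxes.forEach(box => {
    box.addEventListener('keydown', ev => {
      if (ev.key.length !== 1 || ev.ctrlKey || ev.metaKey) return; // control keys and shortcuts pass
      if (!acceptKeystroke(box.value, box.selectionStart, ev.key)) ev.preventDefault();
    });
  });
  return boxes.length;
}
if (typeof document !== 'undefined') guardAllTextBoxes(document);
```

Running classify(["<d", "%3Cd", "&lt;d", "&#60;d", "aaa<#script>alert('Hi');<#/script>bbb", "<%"]) flags only "<d" and "&#60;d", which is what the first thread saw, and lets the "<#script>" payload and "<%" through, which is what the pentester saw. Two caveats: a keydown guard does not see pasted text, so re-check on the input event or on submit, and none of this is an XSS defence. The validator is a coarse tripwire with known gaps (the "<%…%>" case in the second answer); output encoding in the page that echoes the value is what actually prevents the injection.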

question about Character encoding in Web

Let's say I have a JSP page (I just list part of it, please don't mind):
<%@ page language="java" contentType="text/html;charset=UTF-8"%>
<form>
<input type="text">
中華<!-- character with BIG5 encoding -->
</form>
and on the server side I use request.setCharacterEncoding("UTF-8");
My problem is:
If I use an IME to input Chinese characters into the input box, then when I submit this form, what encoding will the characters in the input box have? WHY?
And if I try to copy the "中華" in the JSP page into the input box and submit the form, on the server side I find the string in the input box is not "UTF-8" (as set in request.setCharacterEncoding) but "BIG5".
And this is in Java/JSP; it seems that the request is not really using the "UTF-8" setting.
Why? Can someone tell me something about this?
But in ASP.NET, whatever character I input into the input box and post the form, on the server side it will always be UTF-8, and it seems to never get corrupted.
Why? Does ASP.NET handle this automatically? Does it change the character encoding in the input box into UTF-8 automatically?
I always thought that the form post action just treats all the characters in the form as some HEX and will not process them automatically; it just encloses these HEX with a header and then sends them to the server.
But if this idea is true, why do the characters never get corrupted in ASP.NET?
Thanks in advance!
Identify the point of failure.
中華
The characters you have chosen are (as Unicode codepoints) U+4E2D and U+83EF (in the CJK Unified Ideographs block). On the server, if you take the string you receive and output the values of the constituent characters using Integer.toHexString(mystring.charAt(i)), you should see these values. If this is not the case, there is a problem interpreting data from the client.
You are specifying a page encoding of UTF-8. Encoded as UTF-8, the above characters should take on the following byte sequence values in the rendered HTML:
U+4E2D 0xE4 0xB8 0xAD
U+83EF 0xE8 0x8F 0xAF
So, save the page in the browser as a file and open it in a hex editor - you should see the characters encoded as above.
You can also glean information about what is being sent from the client by sending the form to a servlet, dumping the raw byte input to a file, and inspecting it with a hex editor. It is also worth inspecting the HTTP headers and what character encodings the server and client say they will accept and are sending (see Firebug).
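The answer above gives the code points and UTF-8 bytes to look for and says to dump the raw request bytes before blaming the servlet. The block below is an added example, not code from the post: it works the same steps in JavaScript, so the hex values can be checked without a hex editor, and decodes a captured form body the way the servlet would, with a strict decoder so an encoding mismatch fails loudly instead of producing U+FFFD. The field name "q", the function names and the two captured bodies are my own constructions.

```javascript
// Added example, not from the original post: the "identify the point of failure"
// steps of the answer above, done in JavaScript so the hex values can be checked
// without a hex editor and so a captured form body can be decoded the way the
// servlet would. The field name "q", the function names and the two captured
// bodies below are my own constructions.

const SAMPLE = "中華"; // U+4E2D U+83EF, the two characters in the question

// Code points the server should see after a correct decode; the Java equivalent is
// Integer.toHexString(mystring.charAt(i)) for each i.
function codePointsHex(str) {
  return Array.from(str, ch => ch.codePointAt(0).toString(16).padStart(4, "0"));
}

// Bytes a UTF-8 page puts on the wire for the string (what a hex editor shows in the saved page).
function utf8Hex(str) {
  return Array.from(new TextEncoder().encode(str), b => b.toString(16).padStart(2, "0")).join(" ");
}

// The same bytes as the browser writes them into an application/x-www-form-urlencoded body.
function formBody(field, str) {
  return field + "=" + encodeURIComponent(str);
}

// Server side, step 1: percent-decoding yields raw bytes; no charset is involved yet.
function percentDecodeToBytes(encoded) {
  const out = [];
  for (let i = 0; i < encoded.length; i++) {
    const c = encoded[i];
    if (c === "%") { out.push(parseInt(encoded.substr(i + 1, 2), 16)); i += 2; }
    else if (c === "+") out.push(0x20);
    else out.push(c.charCodeAt(0));
  }
  return Uint8Array.from(out);
}

// Server side, step 2: decode the bytes with the charset the servlet declared
// (request.setCharacterEncoding). fatal:true turns a mismatch into an error
// instead of silently producing U+FFFD, which is what hides these bugs.
function decodeFieldAs(encodedValue, charset) {
  const bytes = percentDecodeToBytes(encodedValue);
  const bytesHex = Array.from(bytes, b => b.toString(16).padStart(2, "0")).join(" ");
  try {
    return { ok: true, text: new TextDecoder(charset, { fatal: true }).decode(bytes), bytesHex };
  } catch (e) {
    return { ok: false, text: null, bytesHex };
  }
}

// Constructed captures of the body for field "q": one from a UTF-8 page, one from a
// Big5 page (Big5 encodes 中 as A4 A4 and 華 as B5 D8).
const UTF8_BODY = "q=%E4%B8%AD%E8%8F%AF";
const BIG5_BODY = "q=%A4%A4%B5%D8";

// Compare what the server would get with what it should get.
function diagnose(body, charset) {
  const r = decodeFieldAs(body.slice(body.indexOf("=") + 1), charset);
  if (!r.ok) return "bytes " + r.bytesHex + " are not valid " + charset + ": the client sent another encoding";
  const got = codePointsHex(r.text).join(" ");
  if (got === codePointsHex(SAMPLE).join(" ")) return "ok";
  return "decoded without error but wrong code points: " + got;
}
```

diagnose(UTF8_BODY, "utf-8") returns "ok"; diagnose(BIG5_BODY, "utf-8") reports the four Big5 bytes as invalid UTF-8, which is the case in the question: the browser chose the encoding from the page it rendered, not from the servlet's setCharacterEncoding call, so the fix is on the page side (the page must really be served as UTF-8, and a form should carry accept-charset="UTF-8"). The third outcome, decoded without error but wrong code points, is what a lenient single-byte decoder such as ISO-8859-1 produces from the same bytes; it is the mojibake case, and the strict decoder is what makes it visible in a test.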

asp.NET MVC Model State Validation Issues

I am having issues adding validation methods to a couple of controls in my MVC app. I use the following to test for the mm/dd/yyyy format:
if (!Regex.IsMatch(candidateToEdit.availability.StartDate.ToShortDateString(), @"giantregex"))
    ModelState.AddModelError("availability_StartDate", "Start date must be in the mm/dd/yyyy format.");
// giantregex is a giant regular expression omitted for clarity
In my view I have:
<%= Html.ValidationSummary("Edit was unsuccessful. Please correct the errors and try again.") %>
<%= Html.ValidationMessage("availability_StartDate", "*")%>
For whatever reason the error text is not being displayed, it acknowledges there is an error and the start of the list is generated, but the "Start date must be in the mm/dd/yyyy format." is not displayed. It validates if you put in the date correctly.
I think the problem here is you're testing an actual DateTime type against a regular expression. Because they have entered an invalid date time format in the text box, it is never actually parsed into an actual DateTime where ToShortDateString() could be invoked on it. Therefore your regular expression validation is never actually occurring.
You'll need to adopt the ViewModel pattern where you expose all potential parsing problems as strings first (such as "candidateToEditViewModel.AvailabilityStartDateString") or implement client side validation and program defensively.
I think you need to include a validation summary to get the message
<%= Html.ValidationSummary() %>
EDIT: Try putting a "." instead of a "_" as your property name in the AddModelError call, like this:
Instead of:
ModelState.AddModelError("availability_StartDate", "Start date must be...");
try this:
ModelState.AddModelError("availability.StartDate", "Start date must be...");
The sample you gave works at my testproject. Can you try to reproduce the error in a freshly created project?
