I have a slight problem with an ASP.net application - the XSS request validation (i.e. the one that throws 'a potentially dangerous request.form value...' exception), does not seem to be working correctly for us.
I have the following simple test form in our site:
<%# Page Language="VB" AutoEventWireup="false" CodeFile="Test2.aspx.vb"
Inherits="Test2" %>
<form id="form1" runat="server">
<asp:textbox ID="Textbox1" runat="server" ></asp:textbox>
<asp:Button ID="btnSubmit" runat="server" Text="Uh oh" />
</form>
And the following in our web.config for the httpRuntime element:
<httpRuntime maxRequestLength="8192" />
If I enter the following text into the textbox:
<script>alert('XSS!');</script>
The form posts with no error, where I would expect it to error out, complaining about the 'potentially dangerous... etc.'. I put an click event handler in for the button and call Request.ValidateInputs() and still no problems. Watching the Request variable, I can see a property call ValidateInputCalled, which is true even before my explicit call...
We are targeting v4.0 of the framework and I have found that if I edit the httpRuntime element like so:
<httpRuntime maxRequestLength="8192" requestValidationMode="2.0" />
Then the page request validation starts to work like I would expect (but I don't think that this should be necessary). The only other thing in the configuration like this is a set of rules such as this:
<location path="Admin/News.aspx">
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</location>
Which we use to allow us to turn off the validation for a select set of pages (turned off at page level), where the user is permitted to submit a select set of HTML tags in their text.
This was definitely working previously. Does anybody know why this may not be working now? I don't want to have to revert to v2.0 request validation mode for the entire site.
Just tried a new web site project, single page, same as above and the request validation error IS firing. Our web.config for the original site is quite large - does anyone know of other properties within this file that can affect the request validation? The pages node in the config file looks like the following:
<pages enableEventValidation="false" enableSessionState="true"
enableViewStateMac="true"
viewStateEncryptionMode="Always"
controlRenderingCompatibilityVersion="3.5"
clientIDMode="AutoID">
I also had the same problem, but in my case it was a try-catch in global.asax's Application_BeginRequest which caught the error when accessing HttpContext.Current.Request.Form and then just swollowed it. Had something to do with a cookie fix for uploadify
I stumbled on this question while tracking down a similar issue. Mine turned out to be the fact that the page in question was POSTing its data as JSON, and the default JSON model binder does not perform the ASP.NET request validation. I eventually found a blog post by Imran Baloch describing this known behavior and a work around for it: http://forums.asp.net/t/1682096.aspx?MVC3+JSON+Security.
I know this wasn't the OP's issue, but maybe others will find it useful.
I've found the same problem if you install Glimpse
The following line in web.config totally stops request validation from happening - no matter what your Glimpse settings are:
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
</modules>
</system.webServer>
OK. We took our configuration file to a brand new site with a single page, and systematically started removing sections until we found the problem.
We use a third party library for some of the controls in our site, and we found that removing this section:
<httpModules>
<add name="CallbackManager"
type="Dart.PowerWEB.LiveControls.CallbackManager,Dart.PowerWEB.LiveControls"/>
</httpModules>
Fixes the problem for us (but gives us a few issues elsewhere).
Related
I'm currently developing a web project in VB.net.
I have run into some errors experienced more in IE11 than any other browser. I have researched all options related to turning the project cookieless, changed my variables and such around, and tried to make the project as sound as possible for all browsers, but to no avail.
My next step is to enable Trace Logging for the site so that I may ascertain the identity of the error.
The error I am getting is thus:
As I've siad, I've looked into the dropdownlist that is described in the error. I've changed it. Done everything I could
Thing is, I use the same page (in a sense) on another webpage, and the error does not occur. Similiary, in Chrome, Firefox even IE9 there is no error. Only in IE11.
As I said, I would like to implement Trace Logging. Now I have in my web.config
<system.diagnostics>
<trace autoflush="true">
<listeners>
<add name="WebPageTraceListener"
type="System.Web.WebPageTraceListener, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" initializeData="C:\Diagnostics\trace.svclog"/>
</listeners>
</trace>
I have set the initializeData to the C drive for testing (for me) and because I would like to see if another PC gets the error, hence the log should go to their machine.
My
<customErrors>
is set to off.
Yet there is no file! In my web.config, I had
<trace enabled="false" requestLimit="10" pageOutput="false" traceMode="SortByTime" localOnly="true" writeToDiagnosticsTrace="true" />
But removed everything expect for
writeToDiagnosticsTrace="true"
But still nothing.
I followed Walkthrough: Integrating ASP.NET Tracing with System.Diagnostics Tracing, specifically the sections on logging through the web.config. I focused on the section titled
Routing All Tracing Output to .NET Framework Tracing
but following this, I thought I would get a file or something. But nothing came.
How do I get the trace file? Am I doing something wrong in the web.config? The user has full access to the folder.
Can this even be done?
I had this in a C# WPF application that logged only critical erros
<system.serviceModel>
<diagnostics>
<messageLogging logEntireMessage="true" maxMessagesToLog="300" logMessagesAtServiceLevel="true" logMalformedMessages="true" logMessagesAtTransportLevel="true" />
</diagnostics>
Can I do the same for a web project?
What more can I do?
Your help is greatly appreciated
EDIT
Apologies for not posting what I'm trying to do.
On page load, the dropdownlist is populated
ddlMedicalAid.DataSource = objMedicalAids
ddlMedicalAid.DataValueField = "MedicalAidID"
ddlMedicalAid.DataTextField = "Name"
ddlMedicalAid.DataBind()
Now when the page is rendered, the values are present, and the selected value in this case would be
Medical Aid 1
When the user enters text and clicks search, the method calls a service, in which the selected medical aid's value and the text is sent. The text has a required validator on it, so there is no way that a null value is passed there. It is for some reason the dropdownlist
Dim objTransactions As ArrayList
objTransactions = Managers.Transaction.GetTransactionsByMedicalAid(ddlMedicalAid.SelectedValue, strMember)
Believe it or not, I just had to change the current .browser file to accommodate the various browsers. This eliminated the main error, working in Chrome, but not in IE11. I just thought getting a tracer would help. Seems this did it
For more help, Browser Definition File Schema (browsers Element)
It looks like there is a bug in customErrors default redirect in web.config. In my web.config file I have the following customErrors setting
<customErrors defaultRedirect="~/generalerror.html?" mode="On" />
As far as I know this should send all errors to the custom generalerror.html page. It seems to work for some invalid URLS like
http://website.com/?x="<p>"
http://website.com/"<p>"
BUT it is not working when “&” is used in the URL and there is no “?” and there is an HTML tag. So this
http://website.com/&x="<p>"
totally ignores customErrors and you are given the default yellow Runtime Error instead of being sent to the custom generalerror.html page. How do I get this URL to also be redirected to the custom error page ?
If I turn mode="Off" in the web.config I get the following error
A potentially dangerous Request.RawUrl value was detected from the client (="/&x="<p>"").
Since you are passing HTML tags in the URL, it could be an indicative of cross-site scripting attack. Not all HTML tags are dangerous, but when HTML characters are followed by certain characters like '&' in your case, asp.net considers it as a cross-site scripting attack and doesn't allow it by default.
You should consider encoding the URL to get around this. And it is always a best practice. Here is a good explanation about XSS. And here is a link that explains in detail how to get around this issue.
To change this behavior, you can set request validation to false in web.config.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
But in this case, requests need to be validated in the pages.
Breaking changes were made to ASP.NET request validation in .NET 4.0 and this entry is required to revert the behavior to .NET 2.0 where invalid URLs will redirect to custom error page.
<httpRuntime requestValidationMode="2.0" />
I want to be able to save things like:
<script src="https://spreadsheets.google.com/gpub?url=http%3A%2F%2Foj0ijfii34kccq3ioto7mdspc7r2s7o9-ss-opensocial.googleusercontent.com%2Fgadgets%2Fifr%3Fup_title%3DBrands%26up_initialstate%26up__table_query_url%3Dhttps%253A%252F%252Fspreadsheets.google.com%252Fspreadsheet%252Ftq%253Frange%253DA%25253AE%2526key%253D0AqFjLMbUaBn_>
In an nvarchar(max) field, I get the following when I try to insert:
"Server Error in
'/TheScienceAndArtOfDataVisualization'
Application. A potentially dangerous
Request.Form value was detected from
the client
(ctl00$MainContent$txtCode="<script
src="https:/...")."
DeadYCool's answer will work if you want to disable request validation on all pages, if you just want to disable it on a specific page, you can set ValidateRequest="false" in the Page directive of the .aspx file.
<%# Page ValidateRequest="false"...
If you're using ASP.NET 4.0 you may also have to make a change to web.config:
<configuration>
<system.web>
<!-- Sad requirement to allow ValidateRequest="false" -->
<httpRuntime requestValidationMode="2.0" />
But it should be avoided if possible.
Please try not to disable this. HtmlEncode your results before you send them to the server. Disabling disabled some built in protections. Either way also use the Anti Cross site scripting libraries GetSafeHtmlFragment. By allowing html you can open yourself up to a cross site scripting attack. See my talk here to understand the issues:
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2011/DEV333
In web.config find the following:
<pages validateRequest="true">
and change to:
<pages validateRequest="false">
I've seen this error before but cannot seem to get around it. In this case, I have an ASHX page spitting out a simple HTML form with a textbox into which XML may be posted. When I try to read the form, I receive the "A potentially dangerous Request.Form value...".
Since it's a generic handler the "ValidateRequest" attribute isn't available. However I already had this defined in web.config:
<location path="xml/MyGenericHandler.ashx">
<system.web>
<pages validateRequest="false" />
</system.web>
</location>
This snippet predates a move from .NET 3.5 to 4.0 so I'm guessing that's where the breakage originated.
Any idea how to get around this error for ASHX pages?
The 3.5-4.0 change that clipped you was some stepped up runtime security features for ASP.NET 4.0. The quick fix is to apply the following attribute:
<httpRuntime requestValidationMode="2.0" />
Unfortunately, that opens all pages up to 2.0 request validation, so I'd only do this if you've got a relatively small attack surface.
While not a direct answer to your question, I would say to read this previous post. it does give you a way to ensure that the error is not thrown. It's a risky way in one sense, because it means turning off a basic protection. However, the answer is well-reasoned, and the it clearly states that you should only implement it when you're absolutely sure you're encoding all output.
A potentially dangerous Request.Form value was detected from the client
As a side note, I would also recommend using the Microsoft Anti-Xss Library rather than the built in Server.HtmlEncode functions.
However, if you can modify the ashx, a simpler solution would be to just modify the error code and add an "if" statement to not log errors if the error message contains the string you want to filter.
You'd better disable validation for you handler page only:
<location path="MyGenericHandler.ashx">
<system.web>
<!-- requestValidationMode is to avoid HTML-validation of data posted to the handler -->
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</location>
Or use this property from within your handler to avoid triggering the exception:
context.Request.Unvalidated.Form
I am using freetextbox and have added to the web.config of my app but I still get the following error when submitting text with html:
A potentially dangerous Request.Form value was detected from the client (ctl00_MainContent_FreeTextBox1="
I know this is not the preferred way to set up an app but why am I getting these errors even though I have turned off request validation in my app?
The short answer is you shouldn't be getting such an error if you turned off Request Validation.
Did you do one of these two things correctly?
Disable on the page by inserting this at the top of the ASPX
Add the below section to your web.config.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
If that doesn't work then check the machine.config and see if the pages validaterequest value is set to true in there as that would override the web.config.
I had the same problem, and it was actually my fault. Maybe you have done the same mistake: I placed <httpRuntime requestValidationMode="2.0"/> inside
<configuration><location><system.web> instead of <configuration><system.web>.
Ensure that you haven't enabled request validation for this page. I would keep validation running for your site - but turn it off on pages where you need this control.
Be sure to sanitize anything that gets posted and be prudent about security.