I first searched for this issue on stack & some other sites & implemented solution in web.config file but still getting the error..
My web.config
<system.web>
<compilation debug="true" strict="false" explicit="true" targetFramework="4.5.2"/>
<httpRuntime requestPathInvalidCharacters="<,>,*,%,&,:,\,?" targetFramework="4.5.2" requestValidationMode="2.0"/>
<customErrors mode="Off"/>
<trust level="Full"/>
<pages validateRequest="false">
<namespaces>
<add namespace="System.Runtime.Serialization"/>
<add namespace="System.ServiceModel"/>
<add namespace="System.ServiceModel.Web"/>
</namespaces>
</pages>
</system.web>
I am trying to get Iframe source values from my db table. It's google map I want to include in my page..
This error signals that you are issuing web request with '<' character, and Asp.Net has some prevention against using potentially malicious characters. You should probably set
<system.web><httpRuntime requestPathInvalidCharacters="" /><pages validateRequest="false" /></system.web>
See also http://www.christophercrooker.com/use-any-characters-you-want-in-your-urls-with-aspnet-4-and-iis
But keep in mind that you are switching off functionality that exists to make it harder for attackers to break your web application. So, if I were you, I would first think if I can change the app to not use forbidden chars in URLs
Related
I've got an MVC webpage with Windows authentication where users log in using domain credentials. Here are my auth web.config settings:
<system.web>
<compilation debug="true" targetFramework="4.6.1" />
<httpRuntime targetFramework="4.5" maxQueryStringLength="32768" maxUrlLength="65536" />
<customErrors mode="Off" />
<authentication mode="Windows" />
<authorization>
<allow roles="NG\All-Trained-Users" />
<deny users="*" />
</authorization>
<hostingEnvironment shadowCopyBinAssemblies="false" />
<pages>
<namespaces>
<add namespace="System.Web.Helpers" />
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Optimization" />
<add namespace="System.Web.Routing" />
<add namespace="System.Web.WebPages" />
</namespaces>
</pages>
<identity impersonate="true" />
</system.web>
However, access to shared resources is denied in the app.
Users are prompted for Windows auth after the global.asax.cs Application_Start() method finishes. In that method, the app has access to shared resources. For example, Console.Writeline(Directory.Exists("\\existing\shared\directory")) prints "true". My understanding is the logged-in Windows user identity is being used to authenticate access -- right?
I'm using the same credentials to log into Windows and to log into the webpage. However, when I log into the webpage, something changes, because Console.Writeline(Directory.Exists("\\existing\shared\directory")) prints "false" as the first line of the Index() method. Trying to access a file returns a System.UnauthorizedAccessException . Are those credentials treated differently within MVC?
System.Environment.UserName and System.Environment.UserDomainName return the same values in both Application_Start() and Index(). In File Explorer this user can navigate to the shared location and access files just fine. The network location lists the user as having access.
I've run out of places I know to look to fix this problem. I'm sure if I look in the right place it will show the wrong user or wrong domain or wrong authentication method, but I don't know where to look. Any hints for where I should go?
I'm going to blame the pandemic for this one. Evidently, when our office moved to remote and began using the VPN, our VPN settings triggered additional security features in IIS Express:
When using Integrated Security, anonymous access is disabled, and impersonation is turned on, a security measure kicks in and doesn't allow your site to access resources on any network servers.
We could probably track down a more secure fix to the VPN settings, but our temporary solution while out of office is to not use impersonation while debugging over the VPN.
The script crashes over timeout. Where can I customize? I understand that in the application itself in web.config you need to register something like
<system.web>
<httpRuntime executionTimeout="10000" />
</system.web>
If I understand correctly, then I don’t understand where exactly to put this tag?
I have this structure in web.config
configuration
location
system.webServer
security
handlers
aspNetCore
You can configure this sitewide as a child of the configuration node.
https://learn.microsoft.com/en-us/dotnet/framework/configure-apps/file-schema/web/
You can also configure them with more granularity, as a child of your location node(s)
<location path="foo">
<system.web>
<!-- Set execution timeout to 6 minutes -->
<httpRuntime executionTimeout="360" />
</system.web>
</location>
I'm trying to build a simple Web Service application in ASP.NET C# and make a call from another project written in PHP. The problem when I make an AJAX call I get this error:
POST http://localhost:49566/WebApplication2/ReviewService.asmx/getReviewById net::ERR_CONNECTION_REFUSED
I have added "Access-Control-Allow-Origin" in my Web.config:
<configuration>
<connectionStrings>
<add name="localDatabase" connectionString="Server=localhost;Database=mydb;Uid=root;Pwd=gameover;" />
</connectionStrings>
<system.web>
<authorization>
<allow users="*"/>
</authorization>
<compilation debug="true" targetFramework="4.5" />
<httpRuntime targetFramework="4.5" />
</system.web>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
</httpProtocol>
</system.webServer>
This is my $.ajax call from PHP:
$( document ).ready(function() {
$.ajax( {
method:'post',
data: {user_id: 1},
url:'http://localhost:49566/WebApplication2/ReviewService.asmx/getReviewById',
success:function(data) {
alert(data);
}
})
});
I really don't know what is the problem here. Thanks for your help
I've had similar problems when running in Visual Studio debugger (VS2013). In debugger everything worked great (when running inside VS), but when I stopped debugger, site was no longer available.As it turned out, it was setting "Edit and continue" which was enabled on ASP.NET project, which is enabled by default. Turning this setting off made my site (or webservice) available on localhost even when I stopped debugger. I also got ERR_CONNECTION_REFUSED when trying to browse to a site, before turning this setting off. That means you are not able to correct code while debugging, but that was ok for me.
I have a web role
Its web.config has a following lines
<system.web>
<compilation debug="false" targetFramework="4.5.1" />
When I want to debug my role each time I need to switch that option to true.
Can I generate only for debug web.config with debug="true"?
While compiling I have see the transforming step:
Transformed Web.config using C:\data\Main\WebRole\Web.Debug.config into C:\data\Main\obj\x64\Debug\WebRole.csproj\TransformWebConfig\transformed\Web.config.
Can I customize the above transformation?
There is a guidance http://msdn.microsoft.com/en-us/library/vstudio/dd465318(v=vs.100).aspx for that purpose but I am not sure how to write a transformation for specific case
Ive defined the following transformation in theWeb.Debug.Config`
<system.web>
<compilation debug="true"
xdt:Transform="Replace">
</compilation>
</system.web>
I still can`t debug and asked to change the value manually
The web.debug.config is not used when you are running/debugging from sources : Use Visual Studio web.config transform for debugging
It easier to set debug="true" in Web.config and remove it using Web.release.config.
Sample Web.Release.Config :
<?xml version="1.0"?>
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
</system.web>
</configuration>
I am getting error on file upload in asp.net and the file size is 780kb but it is uploading 147 bytes successfully
i did set this in web.config file but still getting error any idea why?
<system.web>
<compilation debug="true" targetFramework="4.0" />
<httpRuntime maxRequestLength="1000000" executionTimeout="360"/>
<!--<httpRuntime maxRequestLength="10000" requestValidationMode="2.0" executionTimeout="360"/>-->
</system.web>
It doesn't appear to be related to the file size - you would get a different error code. HTTP 400 usually indicates some problem in the request header. Do a Fiddler capture of the transaction to see what is actually being sent.
There could be another web.config on AdminPanel level that overrides the site level setting.
Another option: upload could be done with Base64 encoding that makes data about 1.4 times bigger than file size (+ headers of the request). Make sure to set restriction accordingly.
Write the code as follows in web.config:
<configuration>
<system.web>
<httpRuntime maxRequestLength="600000" />
</system.web>
</configuration>