ASP.net dangerous submission error - c#

When I try and run a forum page:
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client
In my web.config I have:
<pages validateRequest="false" smartNavigation="false">
And on the actual page I also have:
<%@ Page Language="C#" AutoEventWireup="true" ValidateRequest="false" MasterPageFile="~/MasterPages/Main.master" %>
But it keeps throwing this error!
Edit
I fixed it with:
<httpRuntime requestValidationMode="2.0" />
But what's that do and why does it work?

This error occurs because something in the submitted form, or in the querystring, looked dangerous to the validation in ASP.NET.
By adding
<httpRuntime requestValidationMode="2.0" />
you are relaxing the validation that is applied back to the standards of ASP.NET 2.
I would say you are far better off trying to work out exactly what it objects to in your form/querystring than just relaxing the validation. This tightened validation is there to protect you and your users, and shouldn't be relaxed lightly.
I have recently hit this on a project I am working on when we upgraded to ASP.NET MVC3 (from version 2). In our case it actually highlighted an issue whereby we were urlencoding our querystring when we didn't mean to (i.e. the entire querystring including the question mark and the ampersands was all getting url encoded when it shouldn't be).
Whatever your reason, look for the root cause rather than relax the validation if it is at all possible.

There was probably markup in the submitted text. http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes
The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.
In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.
As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:
<httpRuntime requestValidationMode="2.0" />
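To follow the advice above and find which field actually trips the validator before relaxing it, here is an added example (not code from either answer) that applies the same character test ASP.NET's request validation uses to a set of constructed form values. The test approximates the framework's internal check: a `<` followed by an ASCII letter, `!`, `/` or `?`, or the two-character sequence `&#`, is treated as dangerous.

```csharp
// Added example: a console probe that replicates the request-validation character test
// so a developer can see WHICH field is rejected, instead of switching validation off.
using System;
using System.Collections.Generic;

static class RequestValidationProbe
{
    static bool IsAsciiLetter(char c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Mirrors the framework's test (assumption: this matches the internal
    // CrossSiteScriptingValidation logic). Returns true plus the offset of the
    // first suspicious sequence, or false if the value would pass validation.
    public static bool IsDangerousString(string s, out int matchIndex)
    {
        matchIndex = -1;
        if (string.IsNullOrEmpty(s)) return false;
        for (int i = 0; i < s.Length - 1; i++)
        {
            char c = s[i], next = s[i + 1];
            if (c == '<' && (IsAsciiLetter(next) || next == '!' || next == '/' || next == '?'))
            { matchIndex = i; return true; }
            if (c == '&' && next == '#')
            { matchIndex = i; return true; }
        }
        return false;
    }

    // Reports every field that request validation would reject.
    public static List<string> FindRejectedFields(IDictionary<string, string> fields)
    {
        var rejected = new List<string>();
        foreach (var kv in fields)
            if (IsDangerousString(kv.Value, out int at))
                rejected.Add($"{kv.Key} (at offset {at}: \"{kv.Value.Substring(at, Math.Min(4, kv.Value.Length - at))}\")");
        return rejected;
    }

    static void Main()
    {
        // Constructed sample form post; only "body" and "title" are expected to be flagged.
        var form = new Dictionary<string, string>
        {
            ["name"]  = "Ann & Bob",             // lone '&' is fine
            ["math"]  = "if a < b then swap",    // '<' followed by a space is fine
            ["title"] = "Hi &#60;script&#62;",   // "&#" entity is flagged
            ["body"]  = "<b>bold</b> text",      // "<b" is flagged
            ["url"]   = "http://example.test/?q=1"
        };
        foreach (var r in FindRejectedFields(form))
            Console.WriteLine("would be rejected: " + r);
    }
}
```

On ASP.NET 4.5 with requestValidationMode="4.5", a field that legitimately carries markup can be read through Request.Unvalidated while every other field stays validated, which is a narrower change than lowering the mode for the whole site.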

Related

How to handle Internal server error when XSS attacks on application for NETSPARKER ENTERPRISE SCAN REPORT

Asp.Net MVC application
When a user tries to submit HTML or JavaScript code in the query string of an action method, I get an Internal Server Error (500) with the exception below:
A potentially dangerous Request.QueryString value was detected from the client (userid="'"-->..script..").
I have enabled the custom error mode so that the end user is redirected to the custom error page for any XSS attacks.
But when I run a NETSPARKER ENTERPRISE SCAN against the action method with JavaScript code in the query string, the report comes back as Internal server error - The server responded with an HTTP status 500.
What is the best practice to handle this internal server issue?
Suggestion: Custom Error handler
I am not sure about best practice, but what I use is <customErrors> in the web.config to redirect the user to a "nice" web page. The page it redirects to can be a plain HTML, ASPX etc. The nice thing is that you can setup a default custom error page, plus individual ones based on HTTP Status Code.
Below is a snippet from my web.config for a default error code handler, plus one for HTTP 500 (Internal Server Error), which is what you are getting for the "A potentially dangerous Request.QueryString value was detected" error:
<customErrors mode="On" redirectMode="ResponseRedirect" defaultRedirect="~/dangitall.html">
<error statusCode="500" redirect="~/dangitall500.html" />
</customErrors>
dangitall.html is a standard HTML page for all errors. It's overridden by dangitall500.html, which will display for HTTP 500 errors. The contents of these HTML pages can be whatever you want: warn the user, abuse the user etc :)
Below is a link to the Microsoft tech article regarding custom errors and all of the possible attribute settings etc:
https://learn.microsoft.com/en-us/dotnet/api/system.web.configuration.customerror?view=netframework-4.8
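A complementary approach to the customErrors redirect above is to stop the scanner from seeing a 500 at all: the rejected input is a client error, so answer with 400. This added example (not from the question or the answer) is a Global.asax.cs handler that intercepts HttpRequestValidationException, logs it, and sends a 400 instead; the logger call is a placeholder you would replace with your own.

```csharp
// Global.asax.cs (added example). Turns request-validation rejections into
// HTTP 400 responses with a fixed body, so clients and scanners see "bad input"
// rather than a server fault, and the event is logged for monitoring.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        var rejected = ex as HttpRequestValidationException;
        if (rejected == null)
            return; // anything else still flows to customErrors / the default handling

        // Placeholder for your logging pipeline. ex.Message already names the
        // offending collection and field; never echo the raw value back to the client.
        LogRejectedRequest(Request.UserHostAddress, Request.RawUrl, rejected.Message);

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.TrySkipIisCustomErrors = true; // keep IIS from replacing the body
        Response.ContentType = "text/plain";
        Response.Write("Bad request: the submitted data contained characters that are not allowed.");
        CompleteRequest(); // end the pipeline without the ThreadAbortException Response.End() raises
    }

    // Hypothetical hook; wire it to your real logger.
    private static void LogRejectedRequest(string client, string url, string detail)
    {
        System.Diagnostics.Trace.TraceWarning("request validation rejected {0} {1}: {2}", client, url, detail);
    }
}
```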

Is EnableViewStateMAC=true compulsory for ViewStateEncryption in an ASP.Net Website?

I'm currently fixing some Security issues in our ASP.net website application.
One of the issues was that the ViewState was not encrypted.
So I checked on StackOverflow and elsewhere on how to encrypt the ViewState, and I did it using <pages viewStateEncryptionMode="Always" /> and adding a 3DES machineKey like this <machineKey validation="3DES" /> in Web.config.
I would like to know whether "EnableViewStateMAC=true" is also compulsory, since this was mentioned in some of the suggested solutions I found online.
But in my checks I found the encryption is working even without it.
[NOTE: I had to do these changes at an application level (Web.config) since making individual page changes is not a practical solution for this application.]
Do not ever set EnableViewStateMac to false, even if encryption is enabled. The MAC guarantees that the client cannot maliciously tamper with the contents of ViewState. (Encryption by itself isn't sufficient to guarantee this; the MAC is necessary.)
The EnableViewStateMac property will be removed in a future version of the product since there is no valid reason to set it to 'false'.
Just in case:
Starting with ASP.NET 4.5.2, the runtime enforces EnableViewStateMac = true
more details here: ASP.NET 4.5.2 and EnableViewStateMac
You might want to note that as of September 2014
All versions of the ASP.NET runtime 1.1 - 4.5.2 now forbid setting
<%@ Page EnableViewStateMac="false" %>
and
<pages enableViewStateMac="false" />
http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx
It will be a problem when you host on multiple servers, because the machine keys are different.
If your project runs on a single machine, EnableViewStateMAC=true is safe.
Using enableViewStateMac requires that successive requests be forwarded to the same server (i.e. server affinity). This feature is used to help prevent tampering of a page's view state; however, it does so based on an auto-generated validation key on the current server. From this key, a message authentication code (MAC) is generated and sent in the ViewState back to the browser. The problem is that if a POST back is performed and goes to a different server, you will get a nice little error message saying “Corrupt View State“.
To fix this, you can either set enableViewStateMac to false in the <pages> element or specify a common value for the validationKey attribute in the <machineKey> element across all servers (in the farm).
By the way, documentation says that this is OFF by default. That is incorrect! Go check machine.config!

use aspx page and web.config with a new domain

I used a new domain. When I set up only HTML pages, the site runs correctly.
But when I use web.config and an aspx page, the site gives an error.
Error is : HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.
You may first check whether web.config is well-formed; next you may change the customErrors mode to Off like the following snippet:
<customErrors mode="Off" />
The above would reveal any error details related to your aspx or code-behind.

System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (&)

I am receiving this message from a site hosted publicly:
System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (&).
I have read articles about using:
<httpRuntime requestPathInvalidCharacters="" />
I'm not sure how to incorporate this or resolve these types of potentially dangerous requests. I may not be understanding something.
Thanks for any help understanding...
Try setting ValidateRequest="false" in the page directive. Depending on what version of ASP.NET you're using, you may also need to add the following web.config setting:
<httpRuntime requestValidationMode="2.0" />
Important Note
By disabling the default request validation, you should be prepared to detect and handle potentially malicious content manually in your logic.

Invalid postback or callback argument

I had a web site; I launched it on a server and it worked well internally, but when it went online this error appeared in the registration form:
Invalid postback or callback argument. Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
That error is being displayed because you've entered something in the form that isn't deemed safe by the validator. This is used in order to stop injection attacks, such as typing malicious JavaScript into the form.
If you type in the same things locally and "online" and still get that error, check to see if you have it turned off locally and turned on in your production environment.
It is recommended however to have enableEventValidation="true" since it gives you a lot of security for free.
