A potentially dangerous Request.QueryString value was detected from the client

Discussion in 'ASP .Net' started by Hardy Wang, Jan 4, 2005.

  1. Hardy Wang

    Hardy Wang Guest

    Hi, I put the following value in my query string, then I got this error:
    fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==

    I am wondering what is wrong with this value? I really cannot understand.

    --
    WWW: http://hardywang.1accesshost.com
    ICQ: 3359839
    yours Hardy
     
    Hardy Wang, Jan 4, 2005
    #1

  2. Patrice

    Patrice Guest

    Looks like it would be either * or = that is filtered as malicious...

    Try with those chars...

    Patrice

     
    Patrice, Jan 4, 2005
    #2

  3. Nicole Calinoiu

    Hardy,

    It's being interpreted as an attempt to pass an "onSomething=doSomething();"
    script injection. See the thread at
    http://groups-beta.google.com/group...ecurity/browse_thread/thread/d91d89511401e979
    for more details.

    HTH,
    Nicole


     
    Nicole Calinoiu, Jan 4, 2005
    #3
  4. Hardy Wang

    Hardy Wang Guest

    Not really, if I put
    fx=*47dMwS26lKi3_38XS_xKTlHYszeDo3fa6ffWmzkuXRkdjhiiFem9i87rRdSxQOIPr*zNNMJZeX3Izl7q7pRAO5aAHCxGJwvQcygRjQ6Dp6jR73y6FP1JA==
    Then everything is fine. This value also contains * and ==.

    --
    WWW: http://hardywang.1accesshost.com
    ICQ: 3359839
    yours Hardy
     
    Hardy Wang, Jan 4, 2005
    #4
  5. Hardy Wang

    Hardy Wang Guest

    Thanks, based on your post in that thread, "on=" will cause a problem, but in
    my value I only have "oN" then followed by some other strings.

    BTW, I cannot find System.Web.CrossSiteScriptingValidation class.

    --
    WWW: http://hardywang.1accesshost.com
    ICQ: 3359839
    yours Hardy
     
    Hardy Wang, Jan 4, 2005
    #5
  6. Nicole Calinoiu

    Hardy,

    It's not just "on=" that causes the problem. Mike Kozlowski posted regular
    expressions for the problem patterns in the earlier thread. If you would
    prefer to examine the code yourself, System.Web.CrossSiteScriptingValidation
    is in System.Web.dll. Its visibility is set to internal, so you might need
    to adjust your Reflector settings to see it.

    HTH,
    Nicole




     
    Nicole Calinoiu, Jan 4, 2005
    #6
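
The "onSomething=" shape described in posts #3 and #6, as an added example that is not part of the thread and is not the code of System.Web.CrossSiteScriptingValidation: a simplified scanner run over the two fx values from posts #1 and #4. The class name, method names and the rule that "on" is ignored when a letter precedes it are assumptions made for this illustration.

```csharp
using System;

// Added illustration: approximates only the "onSomething=" heuristic discussed
// in this thread. It is NOT the System.Web implementation, which checks more patterns.
static class OnAttributeHeuristic
{
    static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    // Returns the first substring shaped like on<letters><spaces>=, or null if none.
    public static string FindMatch(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            if (char.ToLowerInvariant(value[i]) != 'o' ||
                char.ToLowerInvariant(value[i + 1]) != 'n')
                continue;
            // Assumption: "on" in the middle of a word (letter before it) is ignored.
            if (i > 0 && IsAsciiLetter(value[i - 1]))
                continue;
            int j = i + 2;
            while (j < value.Length && IsAsciiLetter(value[j])) j++;       // attribute name
            while (j < value.Length && char.IsWhiteSpace(value[j])) j++;   // optional spaces
            if (j < value.Length && value[j] == '=')
                return value.Substring(i, j - i + 1);
        }
        return null;
    }

    static void Main()
    {
        // The two fx values quoted in posts #1 (rejected) and #4 (accepted).
        string[] samples =
        {
            "hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==",
            "*47dMwS26lKi3_38XS_xKTlHYszeDo3fa6ffWmzkuXRkdjhiiFem9i87rRdSxQOIPr*zNNMJZeX3Izl7q7pRAO5aAHCxGJwvQcygRjQ6Dp6jR73y6FP1JA=="
        };
        foreach (string s in samples)
        {
            string hit = FindMatch(s);
            Console.WriteLine(hit == null ? "no match" : "match: " + hit);
        }
    }
}
```

Only the first value contains "on" (as "oN") followed by letters and "=", which is consistent with one token being rejected while the other, with the same * and == characters, is accepted.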
  7. vMike

    vMike Guest

    You can turn off the validation, but you need to make sure your code can
    handle malicious encoding. To turn it off
    put validaterequest=false in the @page directive. You may want to
    research it a bit first.
     
    vMike, Jan 4, 2005
    #7
  8. jinusa2007

    jinusa2007

    error is nothing to do with query string

    http://www.asp.net/learn/whitepapers/request-validation

    see this

    <%@ Page validateRequest="false" %>

    Caution: When request validation is disabled, content can be submitted to a page; it is the responsibility of the page developer to ensure that content is properly encoded or processed.
    Disabling request validation for your application

    To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the <pages /> section to false:

    <configuration>
      <system.web>
        <pages validateRequest="false" />
      </system.web>
    </configuration>
     
    jinusa2007, Apr 23, 2011
    #8