HttpRequestValidationException for "On="!?!?!?!

Max Metral

I use base64 to encode some cookie values. Today I got a "potentially
dangerous cookie value" error. I've isolated it to anything matching this
pattern:

..*On.*=.*

in other words, anything with "On" in it anywhere and an = in it after that
anywhere causes ASP.Net to barf.

This is certainly unacceptable, what am I missing?
 
Natty Gur

one more thing

you can set ValidateRequest to false but I wouldn't recommend it.
Instead you can use string replace to replace "on" and "="
sequences in encryption output as part of your encryption method. Then
replace them back to "=" and "on" while decrypting values.

Natty Gur[MVP]

blog : http://weblogs.asp.net/ngur
Mobile: +972-(0)58-888377
 
Calvin Luttrell/ProjectThunder.com

Max,
Try turning Validate Page off.
validateRequest=false in the page header in the aspx page. That feature is there to protect you from code injection attacks. Unless you are hosting a site that is a target for malicious behavior I wouldn't worry too much about it. If you can get around the encoding issue that would be better. Trust in God, but tie up the horses.


-Calvin Luttrell
ProjectThunder.com
 
Max Metral

I understand what it's TRYING to do, I think it's just a bit dumb about it.
I guess they're trying to squeeze performance, but obviously this is not
malicious:

CookieX=sodiu2039840978SDFH09*#45On029384098s7dfjh2==

that's just binhex... But the On and the = blow it up.
 
[MSFT]

hi Max,

It looks to me like you are encoding some values and putting them in cookies. I
think you may change the arithmetic to avoid "=" in the encoded string. Is
this possible?

Luke
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
Max Metral

Yep, now my base64 looks like this:

Convert.ToBase64String(fooArray).Replace('+','-').Replace('/','_').Replace('=','#')

Quite an adventure. :)
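
The workaround from the last post with its matching decoder, as an added example that is not code from the thread. The class and method names and the sample bytes are assumptions made for illustration, and the regex is the first post's description of the trigger, not ASP.NET's documented validation rule.

```csharp
using System;
using System.Text.RegularExpressions;

static class CookieSafeBase64
{
    // The substitutions from the post: '+' -> '-', '/' -> '_', '=' -> '#'.
    public static string Encode(byte[] data)
    {
        return Convert.ToBase64String(data)
            .Replace('+', '-').Replace('/', '_').Replace('=', '#');
    }

    // Cookie values are client-controlled, so a malformed value is rejected
    // here instead of letting FormatException escape into the page.
    public static bool TryDecode(string text, out byte[] data)
    {
        data = null;
        if (string.IsNullOrEmpty(text)) return false;
        try
        {
            data = Convert.FromBase64String(
                text.Replace('-', '+').Replace('_', '/').Replace('#', '='));
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }
}

static class Demo
{
    static void Main()
    {
        // Constructed sample: four bytes whose standard base64 form is "AAOnAA==".
        byte[] sample = Convert.FromBase64String("AAOnAA==");
        var trigger = new Regex("On.*="); // pattern as reported in the first post

        string standard = Convert.ToBase64String(sample);
        string safe = CookieSafeBase64.Encode(sample);
        Console.WriteLine("{0} matches: {1}", standard, trigger.IsMatch(standard));
        Console.WriteLine("{0} matches: {1}", safe, trigger.IsMatch(safe));

        byte[] decoded;
        bool ok = CookieSafeBase64.TryDecode(safe, out decoded);
        Console.WriteLine("round trip ok: {0}", ok && Convert.ToBase64String(decoded) == standard);
        Console.WriteLine("malformed accepted: {0}", CookieSafeBase64.TryDecode("%%%", out decoded));
    }
}
```

The substitution only changes the alphabet; it adds no integrity protection, so decoded cookie contents still need validation before use.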
 
