Potentially dangerous script - urgent!

Discussion in 'ASP .Net' started by =?Utf-8?B?U1RlY2g=?=, Apr 19, 2005.

  1. If data you post back contains the following string

    on<<any sequence of characters>>=

    example: on2q3asdf=

    The page will throw the following exception:

    A potentially dangerous Request.Form value was detected from the client

    This has been fixed in .Net 2.0. Is a hot fix available for 1.1?

    Thanks.
     
    =?Utf-8?B?U1RlY2g=?=, Apr 19, 2005
    #1
    1. Advertising

  2. =?Utf-8?B?U1RlY2g=?=

    Karl Seguin Guest

    You can (and always could) simply disable the validateRequest in 1.1...

    http://www.aspnetpro.com/NewsletterArticle/2004/03/asp200403dk_l/asp200403dk_l.asp

    Karl

    --
    MY ASP.Net tutorials
    http://www.openmymind.net/ - New and Improved (yes, the popup is
    annoying)
    http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
    come!)
    "STech" <> wrote in message
    news:D...
    > If data you post back contains the following string
    >
    > on<<any sequence of characters>>=
    >
    > example: on2q3asdf=
    >
    > The page will throw the following exception:
    >
    > A potentially dangerous Request.Form value was detected from the client
    >
    > This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
    >
    > Thanks.
    >
     
    Karl Seguin, Apr 19, 2005
    #2
    1. Advertising

  3. Thanks for Karl's inputs.

    Hi Stech,

    As Karl has mentioned, the ASP.NET1.x has provided the request validation
    feature(by default enabled) which will check the comming request data to
    detect whether there are dangerous script or invalid markup code in it. For
    example, scripts , html tags are not allowed in post data. And the one you
    mentioned is also treated as those scripts. If you want to disable this, we
    can use the "ValidateRequest " in @Page directive to disable such
    validation on individual page.

    Thanks,

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Apr 20, 2005
    #3
  4. Steven,

    Thanks for the reply. I was aware of the ValidateRequest property and do not
    feel comfortable turning it off (security reasons).

    Could you please explain why the sequence on= is treated as potentially
    dangerous?
    Again, it is the sequence that is causing the exception and *not* the '='
    character.

    Thanks.

    "Steven Cheng[MSFT]" wrote:

    > Thanks for Karl's inputs.
    >
    > Hi Stech,
    >
    > As Karl has mentioned, the ASP.NET1.x has provided the request validation
    > feature(by default enabled) which will check the comming request data to
    > detect whether there are dangerous script or invalid markup code in it. For
    > example, scripts , html tags are not allowed in post data. And the one you
    > mentioned is also treated as those scripts. If you want to disable this, we
    > can use the "ValidateRequest " in @Page directive to disable such
    > validation on individual page.
    >
    > Thanks,
    >
    > Steven Cheng
    > Microsoft Online Support
    >
    > Get Secure! www.microsoft.com/security
    > (This posting is provided "AS IS", with no warranties, and confers no
    > rights.)
    >
    >
     
    =?Utf-8?B?U1RlY2g=?=, Apr 20, 2005
    #4
  5. STech,

    The issue would be DHTML insertion attacks.

    Lets say that I have forum software, and I'm prompting the user for the URL
    of a forum avatar, which I then load into the src attribute of an image
    element using string.format, like this:
    String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)

    A malicious user could set ImageTextBox.Text to:
    "http://www.somesite.com/images/img.jpg'
    onload='javascript:do_something_nasty()'"

    When the forum image loaded, arbitrary JavaScript would run on the client.
    The client then could proceed to do something nasty.

    Since the events available are browser-specific (IE using one set, standards
    compliant browsers using a different set), and may change in the future,
    ASP.NET probably uses a regular expression to protect you from this (which is
    how it should do it, since if IE 8 supports more events, you don't want
    existing pages to become vulnerable).



    "STech" wrote:

    > Steven,
    >
    > Thanks for the reply. I was aware of the ValidateRequest property and do not
    > feel comfortable turning it off (security reasons).
    >
    > Could you please explain why the sequence on= is treated as potentially
    > dangerous?
    > Again, it is the sequence that is causing the exception and *not* the '='
    > character.
    >
    > Thanks.
    >
    > "Steven Cheng[MSFT]" wrote:
    >
    > > Thanks for Karl's inputs.
    > >
    > > Hi Stech,
    > >
    > > As Karl has mentioned, the ASP.NET1.x has provided the request validation
    > > feature(by default enabled) which will check the comming request data to
    > > detect whether there are dangerous script or invalid markup code in it. For
    > > example, scripts , html tags are not allowed in post data. And the one you
    > > mentioned is also treated as those scripts. If you want to disable this, we
    > > can use the "ValidateRequest " in @Page directive to disable such
    > > validation on individual page.
    > >
    > > Thanks,
    > >
    > > Steven Cheng
    > > Microsoft Online Support
    > >
    > > Get Secure! www.microsoft.com/security
    > > (This posting is provided "AS IS", with no warranties, and confers no
    > > rights.)
    > >
    > >
     
    =?Utf-8?B?RGF2ZSBCYWNoZXI=?=, Apr 20, 2005
    #5
  6. Thanks for Dave's detail explanation.

    Steven Cheng
    Microsoft Online Support

    Get Secure! www.microsoft.com/security
    (This posting is provided "AS IS", with no warranties, and confers no
    rights.)
     
    Steven Cheng[MSFT], Apr 21, 2005
    #6
  7. Dave,

    Thanks for the explanation; so the regex is catching onmouseover=

    The regex in 2.0 must be smarter because it does not throw an exception for
    on=

    Thanks for the explanation.




    "Dave Bacher" wrote:

    > STech,
    >
    > The issue would be DHTML insertion attacks.
    >
    > Lets say that I have forum software, and I'm prompting the user for the URL
    > of a forum avatar, which I then load into the src attribute of an image
    > element using string.format, like this:
    > String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)
    >
    > A malicious user could set ImageTextBox.Text to:
    > "http://www.somesite.com/images/img.jpg'
    > onload='javascript:do_something_nasty()'"
    >
    > When the forum image loaded, arbitrary JavaScript would run on the client.
    > The client then could proceed to do something nasty.
    >
    > Since the events available are browser-specific (IE using one set, standards
    > compliant browsers using a different set), and may change in the future,
    > ASP.NET probably uses a regular expression to protect you from this (which is
    > how it should do it, since if IE 8 supports more events, you don't want
    > existing pages to become vulnerable).
    >
    >
    >
    > "STech" wrote:
    >
    > > Steven,
    > >
    > > Thanks for the reply. I was aware of the ValidateRequest property and do not
    > > feel comfortable turning it off (security reasons).
    > >
    > > Could you please explain why the sequence on= is treated as potentially
    > > dangerous?
    > > Again, it is the sequence that is causing the exception and *not* the '='
    > > character.
    > >
    > > Thanks.
    > >
    > > "Steven Cheng[MSFT]" wrote:
    > >
    > > > Thanks for Karl's inputs.
    > > >
    > > > Hi Stech,
    > > >
    > > > As Karl has mentioned, the ASP.NET1.x has provided the request validation
    > > > feature(by default enabled) which will check the comming request data to
    > > > detect whether there are dangerous script or invalid markup code in it. For
    > > > example, scripts , html tags are not allowed in post data. And the one you
    > > > mentioned is also treated as those scripts. If you want to disable this, we
    > > > can use the "ValidateRequest " in @Page directive to disable such
    > > > validation on individual page.
    > > >
    > > > Thanks,
    > > >
    > > > Steven Cheng
    > > > Microsoft Online Support
    > > >
    > > > Get Secure! www.microsoft.com/security
    > > > (This posting is provided "AS IS", with no warranties, and confers no
    > > > rights.)
    > > >
    > > >
     
    =?Utf-8?B?U1RlY2g=?=, Apr 22, 2005
    #7
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Alex Munk

    A potentially dangerous Request.Form

    Alex Munk, Dec 16, 2003, in forum: ASP .Net
    Replies:
    2
    Views:
    595
    Adrijan Josic
    Dec 17, 2003
  2. Anil Kripalani
    Replies:
    2
    Views:
    494
    Eric Lawrence [MSFT]
    Feb 25, 2004
  3. amit
    Replies:
    1
    Views:
    521
    Eric Lawrence [MSFT]
    Feb 26, 2004
  4. Boris
    Replies:
    5
    Views:
    2,539
    Joe Kaplan \(MVP - ADSI\)
    Apr 17, 2004
  5. John Morgan
    Replies:
    1
    Views:
    2,966
    Oleg Ogurok
    May 27, 2004
Loading...

Share This Page