Potentially dangerous script - urgent!

G

Guest

If data you post back contains the following string

on<<any sequence of characters>>=

example: on2q3asdf=

The page will throw the following exception:

A potentially dangerous Request.Form value was detected from the client

This has been fixed in .Net 2.0. Is a hot fix available for 1.1?

Thanks.
 
S

Steven Cheng[MSFT]

Thanks for Karl's inputs.

Hi Stech,

As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
 
G

Guest

Steven,

Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).

Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.

Thanks.
 
G

Guest

STech,

The issue would be DHTML insertion attacks.

Lets say that I have forum software, and I'm prompting the user for the URL
of a forum avatar, which I then load into the src attribute of an image
element using string.format, like this:
String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)

A malicious user could set ImageTextBox.Text to:
"http://www.somesite.com/images/img.jpg'
onload='javascript:do_something_nasty()'"

When the forum image loaded, arbitrary JavaScript would run on the client.
The client then could proceed to do something nasty.

Since the events available are browser-specific (IE using one set, standards
compliant browsers using a different set), and may change in the future,
ASP.NET probably uses a regular expression to protect you from this (which is
how it should do it, since if IE 8 supports more events, you don't want
existing pages to become vulnerable).
 
G

Guest

Dave,

Thanks for the explanation; so the regex is catching onmouseover=

The regex in 2.0 must be smarter because it does not throw an exception for
on=

Thanks for the explanation.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

No members online now.

Forum statistics

Threads
473,744
Messages
2,569,484
Members
44,903
Latest member
orderPeak8CBDGummies

Latest Threads

Top