security error

Discussion in 'ASP .Net' started by Ersin Gençtürk, Apr 18, 2005.

  1. onk= -> why does this string cause security errors? It is neither "<" nor
    ">"??
    Ersin Gençtürk, Apr 18, 2005
    #1

  2. Ersin Gençtürk

    Brock Allen Guest

    This security check is done on postback data because that syntax could be
    a cross site scripting attack, which means a malicious user posts <script>
    blocks (and perhaps other bad things). The typical problem is that most web
    apps don't escape the post data when it's then shown back to other users.
    This means the script gets executed in someone else's browser and it could
    do things like steal cookies. Google for cross site scripting to learn more.

    You can disable this security check via validateRequest="false":

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfpagessection.asp

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Apr 18, 2005
    #2

  3. Hi Brock,

    I know about cross site scripting but it should check "<" or ">", but why
    does this phrase "onk=" cause an error? Try it.
    Ersin Gençtürk, Apr 19, 2005
    #3
  4. Ersin Gençtürk

    Brock Allen Guest

    Yeah, I see that.... Well, the validate request feature is not going to catch
    everything and it's just doing rough checks. So, you can disable the page
    check and do your own.

    BTW, this input is allowed in ASP.NET 2.0. The implementation of the validation
    has changed slightly to not be so restrictive.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Apr 19, 2005
    #4
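
What "disable the page check and do your own" can look like, as an added example that is not part of the thread or of ASP.NET's own code: a code-behind class for a page that sets validateRequest="false", applies its own input check, and HTML-encodes the value where it is written back. The class name CommentPage and the control names are hypothetical.

```csharp
// Added example. CommentPage and the control names are hypothetical.
// The matching .aspx file starts with:
//   <%@ Page ValidateRequest="false" Inherits="CommentPage" %>
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CommentPage : Page
{
    // Declared in the .aspx markup as server controls.
    protected TextBox txtComment;
    protected Button btnPost;
    protected Label lblError;
    protected Literal litComment;

    private const int MaxLength = 500;

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        btnPost.Click += new EventHandler(PostClicked);
    }

    // The page's own input check: presence, length, no control characters.
    // It does not pattern-match for script; output encoding deals with that.
    private static string Check(string s)
    {
        if (s == null || s.Trim().Length == 0) return "Comment is empty.";
        if (s.Length > MaxLength) return "Comment is too long.";
        foreach (char c in s)
        {
            if (char.IsControl(c) && c != '\r' && c != '\n' && c != '\t')
                return "Comment contains control characters.";
        }
        return null;
    }

    private void PostClicked(object sender, EventArgs e)
    {
        string raw = txtComment.Text;
        string error = Check(raw);
        lblError.Text = (error == null) ? "" : error;

        // Encode where the value is written into HTML: "<script>" is sent as
        // "&lt;script&gt;" and shown as text, while "onk=" is unchanged.
        litComment.Text = (error == null) ? HttpUtility.HtmlEncode(raw) : "";
    }
}
```

If the value is stored and shown to other users later, the same HtmlEncode call belongs at every place it is rendered.
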
  5. OK, but my question was why this happens. I know it is causing an error. But is
    it a bug? Because it is not a dangerous request for a web application. I
    wonder if it is an encoded character resulting in a "<" character or what?
    Ersin Gençtürk, Apr 19, 2005
    #5
  6. Ersin Gençtürk

    Brock Allen Guest

    The implementation in v1.1 is fairly restrictive and in v2.0 it's changed.
    So perhaps it was a bug and it's fixed in v2.0. I don't know the dev that
    worked on it, so I can't say for sure.

    -Brock
    DevelopMentor
    http://staff.develop.com/ballen
    Brock Allen, Apr 19, 2005
    #6