A potentially dangerous Request.QueryString value was detected from the client

Discussion in 'ASP .Net' started by Hardy Wang, Jan 4, 2005.

  1. Hardy Wang

    Hardy Wang Guest

    Hi, I put following value in my query string, then I got this error
    fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==

    I am wandering what is wrong with this value? I really cannot understand.
     
    Hardy Wang, Jan 4, 2005
    #1
    1. Advertisements

  2. Hardy Wang

    Patrice Guest

    Lookis like it would be iehter * or = that is filtered as malicious...

    Try with those chars...

    Patrice
     
    Patrice, Jan 4, 2005
    #2
    1. Advertisements

  3. Nicole Calinoiu, Jan 4, 2005
    #3
  4. Hardy Wang

    Hardy Wang Guest

    Not really, if I put
    fx=*47dMwS26lKi3_38XS_xKTlHYszeDo3fa6ffWmzkuXRkdjhiiFem9i87rRdSxQOIPr*zNNMJZeX3Izl7q7pRAO5aAHCxGJwvQcygRjQ6Dp6jR73y6FP1JA==
    Then everything is fine. This value also contains * and ==.
     
    Hardy Wang, Jan 4, 2005
    #4
  5. Hardy Wang

    Hardy Wang Guest

    Thanks, based on your post in that thread, "on=" will cause problem, but in
    my value I only have "oN" then followed by some other strings.

    BTW, I cannot find System.Web.CrossSiteScriptingValidation class.
     
    Hardy Wang, Jan 4, 2005
    #5
  6. Hardy,

    It's not just "on=" that causes the problem. Mike Kozlowski posted regular
    expressions for the problem patterns in the earlier thread. If you would
    prefer to examine the code yourself, System.Web.CrossSiteScriptingValidation
    is in System.Web.dll. It's visibility is set to internal, so you might need
    to adjust your Reflector settings to see it.

    HTH,
    NIcole
     
    Nicole Calinoiu, Jan 4, 2005
    #6
  7. Hardy Wang

    vMike Guest

    You can turn off the validation, but you need to make sure your code can
    handle malicious encoding. To turn it off
    put validaterequest=false in the @page directive. You may want to
    research it a bit first.
     
    vMike, Jan 4, 2005
    #7
  8. Hardy Wang

    jinusa2007

    Joined:
    Apr 23, 2011
    Messages:
    1
    Likes Received:
    0
    error is nothing to do with query string

    http://www.asp.net/learn/whitepapers/request-validation

    see this

    <%@ Page validateRequest="false" %>

    Caution: When request validation is disabled, content can be submitted to a page; it is the responsibility of the page developer to ensure that content is properly encoded or processed.
    Disabling request validation for your application

    To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the <pages /> section to false:

    <configuration> <system.web> <pages validateRequest="false" /> </system.web> </configuration>
     
    jinusa2007, Apr 23, 2011
    #8
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.