Velocity Reviews - Computer Hardware Reviews

Velocity Reviews > Newsgroups > Programming > ASP .Net > Potentially dangerous script - urgent!

Reply
Thread Tools

Potentially dangerous script - urgent!

 
 
=?Utf-8?B?U1RlY2g=?=
Guest
Posts: n/a
 
      04-19-2005
If data you post back contains the following string

on<<any sequence of characters>>=

example: on2q3asdf=

The page will throw the following exception:

A potentially dangerous Request.Form value was detected from the client

This has been fixed in .Net 2.0. Is a hot fix available for 1.1?

Thanks.

 
Reply With Quote
 
 
 
 
Karl Seguin
Guest
Posts: n/a
 
      04-19-2005
You can (and always could) simply disable the validateRequest in 1.1...

http://www.aspnetpro.com/NewsletterA...200403dk_l.asp

Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"STech" <(E-Mail Removed)> wrote in message
news(E-Mail Removed)...
> If data you post back contains the following string
>
> on<<any sequence of characters>>=
>
> example: on2q3asdf=
>
> The page will throw the following exception:
>
> A potentially dangerous Request.Form value was detected from the client
>
> This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
>
> Thanks.
>



 
Reply With Quote
 
 
 
 
Steven Cheng[MSFT]
Guest
Posts: n/a
 
      04-20-2005
Thanks for Karl's inputs.

Hi Stech,

As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Reply With Quote
 
=?Utf-8?B?U1RlY2g=?=
Guest
Posts: n/a
 
      04-20-2005
Steven,

Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).

Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.

Thanks.

"Steven Cheng[MSFT]" wrote:

> Thanks for Karl's inputs.
>
> Hi Stech,
>
> As Karl has mentioned, the ASP.NET1.x has provided the request validation
> feature(by default enabled) which will check the comming request data to
> detect whether there are dangerous script or invalid markup code in it. For
> example, scripts , html tags are not allowed in post data. And the one you
> mentioned is also treated as those scripts. If you want to disable this, we
> can use the "ValidateRequest " in @Page directive to disable such
> validation on individual page.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>

 
Reply With Quote
 
=?Utf-8?B?RGF2ZSBCYWNoZXI=?=
Guest
Posts: n/a
 
      04-20-2005
STech,

The issue would be DHTML insertion attacks.

Lets say that I have forum software, and I'm prompting the user for the URL
of a forum avatar, which I then load into the src attribute of an image
element using string.format, like this:
String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)

A malicious user could set ImageTextBox.Text to:
"http://www.somesite.com/images/img.jpg'
onload='javascript:do_something_nasty()'"

When the forum image loaded, arbitrary JavaScript would run on the client.
The client then could proceed to do something nasty.

Since the events available are browser-specific (IE using one set, standards
compliant browsers using a different set), and may change in the future,
ASP.NET probably uses a regular expression to protect you from this (which is
how it should do it, since if IE 8 supports more events, you don't want
existing pages to become vulnerable).



"STech" wrote:

> Steven,
>
> Thanks for the reply. I was aware of the ValidateRequest property and do not
> feel comfortable turning it off (security reasons).
>
> Could you please explain why the sequence on= is treated as potentially
> dangerous?
> Again, it is the sequence that is causing the exception and *not* the '='
> character.
>
> Thanks.
>
> "Steven Cheng[MSFT]" wrote:
>
> > Thanks for Karl's inputs.
> >
> > Hi Stech,
> >
> > As Karl has mentioned, the ASP.NET1.x has provided the request validation
> > feature(by default enabled) which will check the comming request data to
> > detect whether there are dangerous script or invalid markup code in it. For
> > example, scripts , html tags are not allowed in post data. And the one you
> > mentioned is also treated as those scripts. If you want to disable this, we
> > can use the "ValidateRequest " in @Page directive to disable such
> > validation on individual page.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> >

 
Reply With Quote
 
Steven Cheng[MSFT]
Guest
Posts: n/a
 
      04-21-2005
Thanks for Dave's detail explanation.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

 
Reply With Quote
 
=?Utf-8?B?U1RlY2g=?=
Guest
Posts: n/a
 
      04-21-2005
Dave,

Thanks for the explanation; so the regex is catching onmouseover=

The regex in 2.0 must be smarter because it does not throw an exception for
on=

Thanks for the explanation.




"Dave Bacher" wrote:

> STech,
>
> The issue would be DHTML insertion attacks.
>
> Lets say that I have forum software, and I'm prompting the user for the URL
> of a forum avatar, which I then load into the src attribute of an image
> element using string.format, like this:
> String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)
>
> A malicious user could set ImageTextBox.Text to:
> "http://www.somesite.com/images/img.jpg'
> onload='javascript:do_something_nasty()'"
>
> When the forum image loaded, arbitrary JavaScript would run on the client.
> The client then could proceed to do something nasty.
>
> Since the events available are browser-specific (IE using one set, standards
> compliant browsers using a different set), and may change in the future,
> ASP.NET probably uses a regular expression to protect you from this (which is
> how it should do it, since if IE 8 supports more events, you don't want
> existing pages to become vulnerable).
>
>
>
> "STech" wrote:
>
> > Steven,
> >
> > Thanks for the reply. I was aware of the ValidateRequest property and do not
> > feel comfortable turning it off (security reasons).
> >
> > Could you please explain why the sequence on= is treated as potentially
> > dangerous?
> > Again, it is the sequence that is causing the exception and *not* the '='
> > character.
> >
> > Thanks.
> >
> > "Steven Cheng[MSFT]" wrote:
> >
> > > Thanks for Karl's inputs.
> > >
> > > Hi Stech,
> > >
> > > As Karl has mentioned, the ASP.NET1.x has provided the request validation
> > > feature(by default enabled) which will check the comming request data to
> > > detect whether there are dangerous script or invalid markup code in it. For
> > > example, scripts , html tags are not allowed in post data. And the one you
> > > mentioned is also treated as those scripts. If you want to disable this, we
> > > can use the "ValidateRequest " in @Page directive to disable such
> > > validation on individual page.
> > >
> > > Thanks,
> > >
> > > Steven Cheng
> > > Microsoft Online Support
> > >
> > > Get Secure! www.microsoft.com/security
> > > (This posting is provided "AS IS", with no warranties, and confers no
> > > rights.)
> > >
> > >

 
Reply With Quote
 
 
 
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Trapping a ' potentially dangerous Request.QueryString value' John Morgan ASP .Net 1 05-27-2004 06:11 PM
A potentially dangerous querystring ... [ValidateRequest] Boris ASP .Net 5 04-17-2004 05:22 PM
A potentially dangerous Request.Form value was detected from the client amit ASP .Net 1 02-26-2004 09:47 PM
Why Getting 'A Potentially Dangerous Request...' Error? Anil Kripalani ASP .Net 2 02-25-2004 06:39 PM
A potentially dangerous Request.Form Alex Munk ASP .Net 2 12-17-2003 09:11 AM



Advertisments