«

If data you post back contains the following string

on<<any sequence of characters>>=

example: on2q3asdf=

The page will throw the following exception:

A potentially dangerous Request.Form value was detected from the client

This has been fixed in .Net 2.0. Is a hot fix available for 1.1?

Thanks.

You can (and always could) simply disable the validateRequest in 1.1...

http://www.aspnetpro.com/NewsletterA...200403dk_l.asp

Karl

--
MY ASP.Net tutorials
http://www.openmymind.net/ - New and Improved (yes, the popup is
annoying)
http://www.openmymind.net/faq.aspx - unofficial newsgroup FAQ (more to
come!)
"STech" <> wrote in message
newsDF875DE-4326-40D3-8E7A-...
> If data you post back contains the following string
>
> on<<any sequence of characters>>=
>
> example: on2q3asdf=
>
> The page will throw the following exception:
>
> A potentially dangerous Request.Form value was detected from the client
>
> This has been fixed in .Net 2.0. Is a hot fix available for 1.1?
>
> Thanks.
>

Thanks for Karl's inputs.

Hi Stech,

As Karl has mentioned, the ASP.NET1.x has provided the request validation
feature(by default enabled) which will check the comming request data to
detect whether there are dangerous script or invalid markup code in it. For
example, scripts , html tags are not allowed in post data. And the one you
mentioned is also treated as those scripts. If you want to disable this, we
can use the "ValidateRequest " in @Page directive to disable such
validation on individual page.

Thanks,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Steven,

Thanks for the reply. I was aware of the ValidateRequest property and do not
feel comfortable turning it off (security reasons).

Could you please explain why the sequence on= is treated as potentially
dangerous?
Again, it is the sequence that is causing the exception and *not* the '='
character.

Thanks.

"Steven Cheng[MSFT]" wrote:

> Thanks for Karl's inputs.
>
> Hi Stech,
>
> As Karl has mentioned, the ASP.NET1.x has provided the request validation
> feature(by default enabled) which will check the comming request data to
> detect whether there are dangerous script or invalid markup code in it. For
> example, scripts , html tags are not allowed in post data. And the one you
> mentioned is also treated as those scripts. If you want to disable this, we
> can use the "ValidateRequest " in @Page directive to disable such
> validation on individual page.
>
> Thanks,
>
> Steven Cheng
> Microsoft Online Support
>
> Get Secure! www.microsoft.com/security
> (This posting is provided "AS IS", with no warranties, and confers no
> rights.)
>
>

STech,

The issue would be DHTML insertion attacks.

Lets say that I have forum software, and I'm prompting the user for the URL
of a forum avatar, which I then load into the src attribute of an image
element using string.format, like this:
String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)

A malicious user could set ImageTextBox.Text to:
"http://www.somesite.com/images/img.jpg'
onload='javascript:do_something_nasty()'"

When the forum image loaded, arbitrary JavaScript would run on the client.
The client then could proceed to do something nasty.

Since the events available are browser-specific (IE using one set, standards
compliant browsers using a different set), and may change in the future,
ASP.NET probably uses a regular expression to protect you from this (which is
how it should do it, since if IE 8 supports more events, you don't want
existing pages to become vulnerable).



"STech" wrote:

> Steven,
>
> Thanks for the reply. I was aware of the ValidateRequest property and do not
> feel comfortable turning it off (security reasons).
>
> Could you please explain why the sequence on= is treated as potentially
> dangerous?
> Again, it is the sequence that is causing the exception and *not* the '='
> character.
>
> Thanks.
>
> "Steven Cheng[MSFT]" wrote:
>
> > Thanks for Karl's inputs.
> >
> > Hi Stech,
> >
> > As Karl has mentioned, the ASP.NET1.x has provided the request validation
> > feature(by default enabled) which will check the comming request data to
> > detect whether there are dangerous script or invalid markup code in it. For
> > example, scripts , html tags are not allowed in post data. And the one you
> > mentioned is also treated as those scripts. If you want to disable this, we
> > can use the "ValidateRequest " in @Page directive to disable such
> > validation on individual page.
> >
> > Thanks,
> >
> > Steven Cheng
> > Microsoft Online Support
> >
> > Get Secure! www.microsoft.com/security
> > (This posting is provided "AS IS", with no warranties, and confers no
> > rights.)
> >
> >

Thanks for Dave's detail explanation.

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Dave,

Thanks for the explanation; so the regex is catching onmouseover=

The regex in 2.0 must be smarter because it does not throw an exception for
on=

Thanks for the explanation.




"Dave Bacher" wrote:

> STech,
>
> The issue would be DHTML insertion attacks.
>
> Lets say that I have forum software, and I'm prompting the user for the URL
> of a forum avatar, which I then load into the src attribute of an image
> element using string.format, like this:
> String.Format("<img src='{0}' alt='user avatar'></img>", ImageTextBox.Text)
>
> A malicious user could set ImageTextBox.Text to:
> "http://www.somesite.com/images/img.jpg'
> onload='javascript:do_something_nasty()'"
>
> When the forum image loaded, arbitrary JavaScript would run on the client.
> The client then could proceed to do something nasty.
>
> Since the events available are browser-specific (IE using one set, standards
> compliant browsers using a different set), and may change in the future,
> ASP.NET probably uses a regular expression to protect you from this (which is
> how it should do it, since if IE 8 supports more events, you don't want
> existing pages to become vulnerable).
>
>
>
> "STech" wrote:
>
> > Steven,
> >
> > Thanks for the reply. I was aware of the ValidateRequest property and do not
> > feel comfortable turning it off (security reasons).
> >
> > Could you please explain why the sequence on= is treated as potentially
> > dangerous?
> > Again, it is the sequence that is causing the exception and *not* the '='
> > character.
> >
> > Thanks.
> >
> > "Steven Cheng[MSFT]" wrote:
> >
> > > Thanks for Karl's inputs.
> > >
> > > Hi Stech,
> > >
> > > As Karl has mentioned, the ASP.NET1.x has provided the request validation
> > > feature(by default enabled) which will check the comming request data to
> > > detect whether there are dangerous script or invalid markup code in it. For
> > > example, scripts , html tags are not allowed in post data. And the one you
> > > mentioned is also treated as those scripts. If you want to disable this, we
> > > can use the "ValidateRequest " in @Page directive to disable such
> > > validation on individual page.
> > >
> > > Thanks,
> > >
> > > Steven Cheng
> > > Microsoft Online Support
> > >
> > > Get Secure! www.microsoft.com/security
> > > (This posting is provided "AS IS", with no warranties, and confers no
> > > rights.)
> > >
> > >