A potentially dangerous Request.QueryString value was detected from the client

[Hardy Wang]

Hi, I put following value in my query string, then I got this error
fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==

I am wandering what is wrong with this value? I really cannot understand.

 

[Patrice]

Lookis like it would be iehter * or = that is filtered as malicious...

Try with those chars...

Patrice

 

[Nicole Calinoiu]

Hardy,

It's being interpreted as an attempt to pass an "onSomething=doSomething();"
script injection. See the thread at
http://groups-beta.google.com/group...ecurity/browse_thread/thread/d91d89511401e979
for more details.

HTH,
Nicole

 

[Hardy Wang]

Not really, if I put
fx=*47dMwS26lKi3_38XS_xKTlHYszeDo3fa6ffWmzkuXRkdjhiiFem9i87rRdSxQOIPr*zNNMJZeX3Izl7q7pRAO5aAHCxGJwvQcygRjQ6Dp6jR73y6FP1JA==
Then everything is fine. This value also contains * and ==.

 

[Hardy Wang]

Thanks, based on your post in that thread, "on=" will cause problem, but in
my value I only have "oN" then followed by some other strings.

BTW, I cannot find System.Web.CrossSiteScriptingValidation class.

 

[Nicole Calinoiu]

Hardy,

It's not just "on=" that causes the problem. Mike Kozlowski posted regular
expressions for the problem patterns in the earlier thread. If you would
prefer to examine the code yourself, System.Web.CrossSiteScriptingValidation
is in System.Web.dll. It's visibility is set to internal, so you might need
to adjust your Reflector settings to see it.

HTH,
NIcole

 

[vMike]

Hi, I put following value in my query string, then I got this error
fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxS
VaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==

I am wandering what is wrong with this value? I really cannot understand.

You can turn off the validation, but you need to make sure your code can
handle malicious encoding. To turn it off
put validaterequest=false in the @page directive. You may want to
research it a bit first.

 

[jinusa2007]

error is nothing to do with query string

http://www.asp.net/learn/whitepapers/request-validation

see this

<%@ Page validateRequest="false" %>

Caution: When request validation is disabled, content can be submitted to a page; it is the responsibility of the page developer to ensure that content is properly encoded or processed.
Disabling request validation for your application

To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the <pages /> section to false:

<configuration> <system.web> <pages validateRequest="false" /> </system.web> </configuration>