Breaking URL character combinations

[GrantMagic]

I have found that some strange combinations of characters in a URL can cause
an error in my ASP.NET application.
This is regarding URL Paramters

For example:
if i have the URL:
http://www.mysite.com/home.aspx?param=123

my page loads fine

But the URL:
http://www.mysite.com/home.aspx?param=#&

causes an application error.

Two of these combinations i have found are
%23%26
and
%3cb

Why do these combinations of characters cause an application error, and how
can i find out which other characters will.
These two combinations originated from crawlers on my site and at time and
generate hundreds of errors in a few minutes.

At the moment i'm using an Isapi Rewrite to remove these harmful characters,
but would like to know if there is a list of other harmful combinations i
can look out for

Thank you

Grant

 

[Cirrosi]

If in the page attributes you set validaterequest="false" you should not
have any error.
The default value is set to true to prevent the script-injection.

 

[bruce barker]

presumably your code is expecting a number, and blowup when you get a string
like "#&". the crawlers are probably having a hard time parsing you pages,
check that you are generating valid html. run your page output through an
html validation suite. note: you will be stuck with the illegal html that
asp.net generates (bad identitfiers).


-- bruce (sqlwork.com)