ValidateRequest="false" ?

Raterus

I'm having to set ValidateRequest="false" on one of my pages because users need to enter a value that contains an HTML tag (well, asp.net thinks it is anyway). I understand the "potentially dangerous request.form detected" error and why it is being thrown, but my question is:

What could a malicious user possibly do to my application by putting HTML fields within a form field? Is there a vulnerability I should know about in asp.net, or would bad coding on my part really only be the thing I need to worry about if ValidateRequest="false"?

Thanks for any insight!
--Michael
 
Joe Kaplan (MVP - ADSI)

The main issue is Cross Site Scripting. If your site takes input from the
user and then displays it back to the user without first validating it, you
could potentially allow a bad guy to use your site, which is trusted by
your users, to steal their cookies or other data.

The built-in request validation stuff in 1.1 tries to keep you from shooting
yourself in the foot by not allowing you to accidentally do this. If you
are careful, it is safe to turn the behavior off, but you need to make sure
you thoroughly validate all input before returning it back to the browser.

HTH,

Joe K.

Jos

Raterus said:
I'm having to set ValidateRequest="false" on one of my pages because
users need to enter a value that contains an HTML tag (well, asp.net
thinks it is anyway). I understand the "potentially dangerous
request.form detected" error and why it is being thrown, but my
question is:

What could a malicious user possibly do to my application by putting
HTML fields within a form field? Is there a vulnerability I should
know about in asp.net, or would bad coding on my part really only be
the thing I need to worry about if ValidateRequest="false"?

Thanks for any insight!
--Michael

Here's a brief article on script attacks:
http://www.asp.net/faq/requestvalidation.aspx
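
An added example, not posted by anyone in this thread, of the point in Joe Kaplan's answer: with ValidateRequest="false", the page itself has to validate the input and encode it before writing it back to the browser. The page name, class name, control names and length limit are hypothetical.

```csharp
// Added example: code-behind for a hypothetical Comment.aspx whose
// @ Page directive sets ValidateRequest="false".
// All control names and the length limit below are assumptions.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class CommentPage : Page
{
    // Controls declared in the (assumed) Comment.aspx markup.
    protected TextBox CommentBox;
    protected Label Echo;
    protected HyperLink SearchLink;

    private const int MaxCommentLength = 500; // assumed application limit

    // Wired to the submit button's OnClick in the markup.
    protected void Submit_Click(object sender, EventArgs e)
    {
        string raw = CommentBox.Text;

        // Validate first: reject anything the application has no use for.
        if (raw == null || raw.Length == 0 || raw.Length > MaxCommentLength)
        {
            Echo.Text = "Comment must be 1 to " + MaxCommentLength + " characters.";
            return;
        }

        // BEFORE (vulnerable): Label.Text is written into the response
        // without encoding, so markup in the input becomes markup in the page.
        // Echo.Text = raw;

        // AFTER: encode at the point of output. The user can still type
        // tags, but the browser displays them as text instead of parsing them.
        Echo.Text = HttpUtility.HtmlEncode(raw);

        // Input placed in a URL needs URL encoding, not HTML encoding.
        SearchLink.NavigateUrl = "Search.aspx?q=" + HttpUtility.UrlEncode(raw);
        SearchLink.Text = HttpUtility.HtmlEncode("Search for: " + raw);
    }
}
```

The raw value is what gets stored or processed; encoding is applied each time the value is written into a page, using the encoder that matches the output context.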