ASP.NET Request Validation

From OWASP
Revision as of 09:04, 31 January 2011

ASP.NET provides built-in request validation for form submissions and postbacks: before a page's code runs, the incoming form, query-string and cookie values are scanned for markup that looks like HTML or script, and a request containing it is rejected with an HttpRequestValidationException. Request validation is on by default, but the set of patterns it rejects differs between framework versions, as summarised below. It is a defence-in-depth measure against cross-site scripting, not a substitute for encoding output: the ASP.NET 2.0 rules in particular do not catch attribute-based payloads that contain no "<" (see the references).

ASP.NET 1.1 Request Validation Summary

  • Filter "&#" (numeric character references)
  • Filter "<" followed by a letter, "!" or "/" (tags)
  • Filter "script:" (script URLs)
  • Filter event-handler attributes (onXXX=)
  • Filter "expression(" (CSS expressions)
  • Ignore the element named "__VIEWSTATE"


ASP.NET 2.0 Request Validation Summary

  • Filter "&#" (numeric character references)
  • Filter "<" followed by a letter, "!", "/" or "?" (tags; "?" was added so that "<?" openers are also rejected)
  • Ignore all elements whose names are prefixed with a double underscore (__)
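
The two rule sets above, re-implemented as an added example (this is an approximation written for this page, not Microsoft's System.Web code) and run against a constructed postback. It shows which payload families each version rejects, and in particular that ASP.NET 2.0 passes "script:" URLs, onXXX= handler attributes, "expression(" and anything in a "__"-prefixed field that 1.1 would have blocked, while 1.1 passes the "<?" opener that 2.0 added:

```python
import re

# Re-implementation of the request validation rules as summarised above for
# ASP.NET 1.1 and 2.0. Approximation written for this page, not Microsoft's
# code; the sample form below is constructed.

# "<" followed by a letter, "!" or "/" (1.1); 2.0 additionally rejects "<?".
_TAG_11 = re.compile(r"<[A-Za-z!/]")
_TAG_20 = re.compile(r"<[A-Za-z!/?]")
_HANDLER = re.compile(r"on\w+\s*=", re.IGNORECASE)   # onXXX=


def is_dangerous_11(name: str, value: str) -> bool:
    """ASP.NET 1.1 rules: only the __VIEWSTATE field is exempt."""
    if name == "__VIEWSTATE":
        return False
    lowered = value.lower()
    return ("&#" in value
            or _TAG_11.search(value) is not None
            or "script:" in lowered
            or _HANDLER.search(value) is not None
            or "expression(" in lowered)


def is_dangerous_20(name: str, value: str) -> bool:
    """ASP.NET 2.0 rules: every "__"-prefixed field is exempt, and the
    script:, onXXX= and expression( checks no longer exist."""
    if name.startswith("__"):
        return False
    return "&#" in value or _TAG_20.search(value) is not None


def rejected_fields(form: dict, version: str) -> list:
    """Names of the fields that request validation would reject."""
    check = {"1.1": is_dangerous_11, "2.0": is_dangerous_20}[version]
    return [name for name, value in form.items() if check(name, value)]


# Constructed postback, one field per payload family.
SAMPLE_FORM = {
    "comment":         "<script>alert(1)</script>",    # plain tag
    "entity":          "&#60;script&#62;",             # numeric entities
    "pi":              '<?xml version="1.0"?>',        # "<?" opener
    "link":            "javascript:alert(1)",          # script: URL
    "title":           '" onmouseover="alert(1)',      # attribute-based XSS, no "<"
    "style":           "width: expression(alert(1))",  # CSS expression
    "__EVENTARGUMENT": "<script>alert(1)</script>",    # "__"-prefixed field
    "name":            "Alice",                        # benign
}

if __name__ == "__main__":
    for version in ("1.1", "2.0"):
        print("ASP.NET", version, "rejects:", rejected_fields(SAMPLE_FORM, version))
```

The "title" field is the case the attribute-based XSS reference describes: a value that breaks out of a quoted attribute in the rendered page needs no "<" at all, so the 2.0 filter lets it through, which is why encoding on output (HtmlEncode / HtmlAttributeEncode) is still required even with request validation enabled.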


ValidateRequest Setting

Request validation is enabled by default. To toggle it (disable it only on pages that genuinely need to accept markup, and only where that input is encoded or sanitised before being rendered):

On a single page:

 <%@ Page validateRequest="true|false" %>

For the entire application, in web.config:

 <configuration>
    <system.web>
         <pages validateRequest="true|false" />
    </system.web>
 </configuration>

Note for ASP.NET 4.0 and later: request validation runs earlier in the pipeline, before the page's ValidateRequest setting is consulted, so the page-level directive alone no longer disables it. To get the 2.0 per-page behaviour back, add <httpRuntime requestValidationMode="2.0" /> inside <system.web>.

References

ASP.NET 2.0 dumbs down request validation (Michael Eddington): http://phed.org/2008/04/23/aspnet-20-dumbs-down-request-validation/

ASP.NET ValidateRequest and the HTML Attribute Based Cross Site Scripting: http://keepitlocked.net/archive/2007/10/30/asp-net-validaterequest-and-the-html-attribute-based-cross-site-scripting.aspx