Difference between revisions of "ASP.NET Request Validation"

From OWASP
Jump to: navigation, search
(New page: ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework. ==ASP...)
 
Line 3: Line 3:
 
==ASP.NET 1.1 Request Validation Summary==
 
==ASP.NET 1.1 Request Validation Summary==
  
  *Filter  "&#"
+
*Filter  "&#"
  *Filter  ‘<’ then alphas or ! or / (tags)
+
*Filter  ‘<’ then alphas or ! or / (tags)
  *Filter  "script:"
+
*Filter  "script:"
  *Filter  on handlers (onXXX=)
+
*Filter  on handlers (onXXX=)
  *Filter “expression(“
+
*Filter “expression(“
  *Ignore elements named "__VIEWSTATE"
+
*Ignore elements named "__VIEWSTATE"
  
 
==ASP.NET 2.0 Request Validation Summary==
 
==ASP.NET 2.0 Request Validation Summary==
  
  *Filter  &#
+
*Filter  &#
  *Filter  ‘<’ then alphas or ! or / (tags)
+
*Filter  ‘<’ then alphas or ! or / (tags)
  *Ignore elements with names prefixed with double underscore (__)
+
*Ignore elements with names prefixed with double underscore (__)
  
To disable request validation:
+
===To toggle request validation (it is set to true by default):===
  
 
On a single page:
 
On a single page:
  
   <%@ Page validateRequest="false" %>
+
   <%@ Page validateRequest="true|false" %>
  
 
For the entire application:
 
For the entire application:
Line 26: Line 26:
 
   <configuration>
 
   <configuration>
 
     <system.web>
 
     <system.web>
           <pages validateRequest="false" />
+
           <pages validateRequest="true|false" />
 
     </system.web>
 
     </system.web>
 
   </configuration>
 
   </configuration>

Revision as of 08:57, 29 April 2008

ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework.

Contents

ASP.NET 1.1 Request Validation Summary

  • Filter "&#"
  • Filter ‘<’ then alphas or ! or / (tags)
  • Filter "script:"
  • Filter on handlers (onXXX=)
  • Filter “expression(“
  • Ignore elements named "__VIEWSTATE"

ASP.NET 2.0 Request Validation Summary

  • Filter &#
  • Filter ‘<’ then alphas or ! or / (tags)
*Ignore elements with names prefixed with double underscore (__)

To toggle request validation (it is set to true by default):

On a single page:

 <%@ Page validateRequest="true|false" %>

For the entire application:

 <configuration>
    <system.web>
         <pages validateRequest="true|false" />
    </system.web>
 </configuration>

References

Validation - Preventing Script Attacks
ASP.NET 2.0 dumb’s down request validation (by Michael Eddington)