A potentially dangerous Request.QueryString value was detected from the client

  • Thread starter: Hardy Wang

Hardy Wang

Hi, I put the following value in my query string, then I got this error
fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==

I am wondering what is wrong with this value? I really cannot understand.
 
Looks like it would be either * or = that is filtered as malicious...

Try with those chars...

Patrice
 
Not really, if I put
fx=*47dMwS26lKi3_38XS_xKTlHYszeDo3fa6ffWmzkuXRkdjhiiFem9i87rRdSxQOIPr*zNNMJZeX3Izl7q7pRAO5aAHCxGJwvQcygRjQ6Dp6jR73y6FP1JA==
Then everything is fine. This value also contains * and ==.
 
Thanks, based on your post in that thread, "on=" will cause a problem, but in
my value I only have "oN" then followed by some other strings.

BTW, I cannot find System.Web.CrossSiteScriptingValidation class.
 
Hardy,

It's not just "on=" that causes the problem. Mike Kozlowski posted regular
expressions for the problem patterns in the earlier thread. If you would
prefer to examine the code yourself, System.Web.CrossSiteScriptingValidation
is in System.Web.dll. Its visibility is set to internal, so you might need
to adjust your Reflector settings to see it.

HTH,
Nicole
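
Added example, not part of any post in this thread and not code from System.Web.dll: a simplified model of an "on" + letters + "=" heuristic of the kind the replies refer to. The matching rules (case-insensitive "on", not preceded by a letter, any run of letters, optional whitespace, then "=") are assumptions; under them the first fx value is flagged at "oNhuJKw==" and the second is not, because it contains no "on" pair at all.

```csharp
using System;

// Added illustration: a simplified model of an "on<letters>=" heuristic.
// The matching rules below are assumptions, not code from System.Web.dll.
static class OnHandlerHeuristic
{
    static bool IsAsciiLetter(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Returns the index where an "on<letters>[spaces]=" run starts, or -1.
    public static int FindOnAssignment(string value)
    {
        for (int i = 0; i + 1 < value.Length; i++)
        {
            if (char.ToLowerInvariant(value[i]) != 'o' ||
                char.ToLowerInvariant(value[i + 1]) != 'n')
                continue;
            // "on" in the middle of a word (e.g. "button=") is not flagged.
            if (i > 0 && IsAsciiLetter(value[i - 1]))
                continue;
            int j = i + 2;
            while (j < value.Length && IsAsciiLetter(value[j])) j++;
            while (j < value.Length && char.IsWhiteSpace(value[j])) j++;
            if (j < value.Length && value[j] == '=')
                return i;
        }
        return -1;
    }

    static void Main()
    {
        string[] samples =
        {
            // The two fx values quoted in the thread.
            "hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==",
            "*47dMwS26lKi3_38XS_xKTlHYszeDo3fa6ffWmzkuXRkdjhiiFem9i87rRdSxQOIPr*zNNMJZeX3Izl7q7pRAO5aAHCxGJwvQcygRjQ6Dp6jR73y6FP1JA==",
            // Constructed samples.
            "button=1",
            "8on =1",
        };
        foreach (string s in samples)
        {
            int at = FindOnAssignment(s);
            Console.WriteLine(at < 0
                ? "no match : " + s
                : "match @" + at + " (\"" + s.Substring(at) + "\"): " + s);
        }
    }
}
```

A random-looking token can trip a pattern like this by chance, so opaque values placed in a query string are safer in an encoding whose alphabet cannot end in "=", such as hex.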
 
Hardy Wang said:
Hi, I put the following value in my query string, then I got this error
fx=hssGdNlaWq6f893_E3AcEHaT9spLQoTEudddVM3nUdMo6pjOvzqS6x9fRHvkZCYzg4Win6qxSVaV*iMtZgcgaSsV8EhgU3UJD6RKCg0l6uk8ic8oNhuJKw==

I am wondering what is wrong with this value? I really cannot understand.

You can turn off the validation, but you need to make sure your code can
handle malicious encoding. To turn it off,
put validaterequest=false in the @page directive. You may want to
research it a bit first.
 