Manipulate Request before it is processed
-
Tuesday, March 6, 2012 10:54
We want to manipulate the HTTPRequest before it is processed. This is the scenario when the user enters "<" or ">" characters. When the user enters these characters, IIS throws the "A potentially dangerous Request.Form value was detected from the client" error. We still want our users to be able to enter these characters, but internally we want to encode them before the request is processed.
Please suggest!
I need a solution in .NET Framework 3.5.
Krunal Doshi
If you find this post helpful then please "Vote as Helpful" and "Mark As Answer".
All replies
-
Tuesday, March 13, 2012 10:28
Does anyone have any idea?
Krunal Doshi
-
Tuesday, March 20, 2012 8:48
You can disable Request-Validation for only some pages like this:
<%@ Page validateRequest="false" %>
or for the complete application
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>
But don't forget to encode the values the right way. For example Server.HtmlEncode when you plan to insert the values in HTML or use prepared statements when trying to insert them in a SQL database.
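The pattern this answer describes (validation off for one page, a parameterized insert, HTML encoding at output), as an added example that is not part of the original post. It assumes a Web Forms page declared with `<%@ Page ValidateRequest="false" %>` that contains a TextBox `CommentBox`, a Button `SaveButton` and a Literal `Preview`; the `AppDb` connection string and the `dbo.Comments` table are hypothetical names.

```csharp
// Added example: code-behind for a single page that opts out of request validation.
// Control names, the "AppDb" connection string and dbo.Comments are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class CommentPage : Page
{
    private const int MaxLength = 2000;

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Raw text, "<" and ">" included: request validation is off for this page,
        // so every use of this value below has to be safe for its own context.
        string raw = CommentBox.Text ?? string.Empty;
        if (raw.Length > MaxLength)
        {
            Preview.Text = "Comment is too long.";
            return;
        }

        // SQL context: the value travels as a parameter and is never
        // concatenated into the statement text.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO dbo.Comments (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, MaxLength).Value = raw;
            conn.Open();
            cmd.ExecuteNonQuery();
        }

        // HTML context: encode when writing the value into the page, so
        // "<b>" is rendered as text instead of being parsed as markup.
        Preview.Text = HttpUtility.HtmlEncode(raw);
    }
}
```

Storing the raw value and encoding at output time keeps the stored data usable for other contexts, each of which needs its own encoding.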
-
Wednesday, March 21, 2012 9:01
Hi,
I cannot disable Request validation for some pages. That is the biggest security threat. I want to catch only the case where the user enters "<" or ">" characters and convert those characters using Server.HTMLEncode before the request is processed by IIS.
Krunal Doshi
-
Thursday, March 22, 2012 14:17
I cannot disable Request validation for some pages. That is the biggest security threat.
It's only a security threat if you don't know what you are doing. With disabled Request validation it is you who is responsible for any damage that results from specific input data. If you don't process it the right way, then it is a problem!
The only thing you could do is encode it via client-side JavaScript before the data is sent to your server. Problem: if there's no JavaScript, then there's no encoding and no security. So, forget that.
You can't process the data before IIS gets it server-side. OK, there is one way. You could program something like a proxy which listens on port 80, takes every request for IIS, manipulates it and then delivers it to IIS, which is listening on a port other than port 80. But that's like breaking a nut with a sledgehammer, and the new program would surely be very vulnerable if you don't even think that you're smart enough to handle your own request validation.

