Request.Unvalidated("") doesn't work as advertised

Question
-
User783240086 posted
I have this in my web.config:
<httpRuntime targetFramework="4.5.1" requestValidationMode="4.5" />
I am navigating to this page: http://site/page.aspx?Text=<tag>bla,bla</tag>
I would like to prevent validation on this query parameter so from code behind I get the value like this:
Dim s As String = Request.Unvalidated.QueryString("Test")
According to the documentation I should not be getting this error:
A potentially dangerous Request.RawUrl value was detected from the client (="...Text=<tag>bla,bla</tag>").
I am running in classic mode not integrated if that makes a difference.
I get this error even when using ValidateRequest="false" page directive although I would rather be more selective.
Friday, January 10, 2014 4:26 AM
All replies
-
User-1408041064 posted
ASP.NET 4 has a breaking change with ValidateRequest. Refer to http://stackoverflow.com/questions/2673850/validaterequest-false-doesnt-work-in-asp-net-4 for why ValidateRequest="false" doesn't work.
Note that there is a way to turn the validation back to 2.0 for one page, as shown in the above post.
Regards
Friday, January 10, 2014 7:21 AM -
User783240086 posted
Yes, I know about the turning-back-validation-to-2.0 trick and I have been using it for the past year; however, I want to stop using this hack since I want to take advantage of the features of .NET 4.5 and 4.5.1, and I want to prevent validation on only certain elements of a page, not all. This problem was supposed to be solved with the Request.Unvalidated() fix MS provided in .NET 4.5.1. Even the thread you linked to shows this as a solution by Szymon Sasin. This link also states it should work: http://go.microsoft.com/fwlink/?LinkId=235367
Again, my question is why does Request.Unvalidated throw a validation error when it was specifically designed to bypass validation.
Saturday, January 11, 2014 1:31 PM -
User1734617369 posted
Hi,
Request.Unvalidated will not throw a validation error if you use it to get the values from the query string. This will, however, not prevent the query string from being validated at a later stage in the page life cycle when the page is requested; it is just a way to get access to the values without causing them to be validated at that time.
If you would like to customize the validation you can find info here: http://go.microsoft.com/fwlink/p/?LinkID=243046
Best regards
Johan
Saturday, January 11, 2014 7:02 PM -
User783240086 posted
You have made the same point I made. Yes Request.Unvalidated SHOULD NOT throw a validation error as described in the documentation but for me it does. I get the error described in my original post: "A potentially dangerous Request.RawUrl ..." when using it.
My question was why do I get the error when I shouldn't.
Saturday, January 11, 2014 10:43 PM -
User-933407369 posted
hi,
"A potentially dangerous Request.Form value was detected from the client".
This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a link to Request Validation, which is a feature put in place to protect your application from cross-site scripting attacks, and followed it accordingly.
I would suggest you refer to the links below for details:
ASP.NET 4.0 potentially dangerous Request.Form value was detected
http://www.codeproject.com/Tips/297679/A-potentially-dangerous-Request-Form-value-was-det
Hacking Intel - XSS Security exploit with ASP.Net using .RewritePath and Request.RawUrl bypassing ASP.Net native script protection
Hope it can help you.
Wednesday, January 15, 2014 6:38 AM -
User783240086 posted
I am intimately aware of XSS dangers and the changes MS made in page validation with v4.0. I am also aware that you can go back to the validation behavior of v2.0 with that web.config tag. Again, this was not my question. Please read my original post. To reiterate: with the release of .NET 4.5 Microsoft has realized that some of us may want to perform our own selective page validation. According to their own documentation here: http://go.microsoft.com/fwlink/?LinkId=235367 you should be able to bypass their validation with a new feature called lazy or deferred request validation. You enable this feature if you include this in your web.config:
<httpRuntime requestValidationMode="4.5" ... />
The documentation also states that with 4.5 they now support unvalidated requests. This means that if you use requestValidationMode="4.5" (lazy validation) in conjunction with accessing the requested data like this:
var s = context.Request.Unvalidated.Form["forum_post"];
You should be able to bypass the validation ASP.NET provides on a field-by-field basis.
Now I did all this. I modified my web.config as the documentation stated and only used Request.Unvalidated to access the posted data. Yet I still get the exception specified in my original post. The question is why?
Wednesday, January 15, 2014 1:40 PM -
User1734617369 posted
Hi,
You will get the exception even if you access the value using the Unvalidated property, just not exactly when you access that value but later in the page lifecycle, when the request is validated using the standard validation process in ASP.NET. To avoid this you will need to create your own validation plugin that bypasses this standard feature.
/Johan
Thursday, January 16, 2014 3:17 AM -
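The "validation plugin" Johan refers to is the RequestValidator extension point that has existed since ASP.NET 4.0: you subclass System.Web.Util.RequestValidator, override IsValidRequestString, and register the type in web.config. The example below is added here and is not code from the thread or from Microsoft's documentation; the namespace ForumExample, the assembly name App_Code and the set of exempted field names are assumptions. It exempts only named form and query-string fields (the selective scenario the original poster asks for) and leaves RawUrl, path, cookie and header checks untouched, so the rest of the site keeps the default 4.5 validation.

```csharp
// Added example (not from the thread): a custom RequestValidator that exempts
// a small set of named fields from ASP.NET request validation while keeping
// the built-in checks for everything else.
//
// Register it in web.config (type and assembly names are assumptions):
//   <httpRuntime requestValidationMode="4.5"
//                requestValidationType="ForumExample.SelectiveRequestValidator, App_Code" />
//
// For Web Forms the control that binds the exempted field should also carry
// ValidateRequestMode="Disabled" (see the last reply in the thread), e.g.
//   <asp:TextBox ID="forum_post" runat="server" ValidateRequestMode="Disabled" />
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Util;

namespace ForumExample
{
    public class SelectiveRequestValidator : RequestValidator
    {
        // Fields allowed to carry markup. "forum_post" is the field name used
        // in the documentation snippet quoted earlier in the thread; any other
        // entries you add are your own. Everything not listed is validated
        // exactly as ASP.NET would validate it by default.
        private static readonly HashSet<string> MarkupAllowedFields =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "forum_post" };

        // Called by ASP.NET for every request value it validates. The base
        // implementation is the stock "potentially dangerous" check.
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Only Form and QueryString entries can be exempted. RawUrl, Path,
            // PathInfo, Cookies, Headers and Files always fall through to the
            // default check, so a RawUrl-level finding is still reported.
            bool isFieldSource =
                requestValidationSource == RequestValidationSource.Form ||
                requestValidationSource == RequestValidationSource.QueryString;

            if (isFieldSource &&
                collectionKey != null &&
                MarkupAllowedFields.Contains(collectionKey))
            {
                // Exempted field: accept the raw value. The page is now
                // responsible for sanitising or HTML-encoding it before it is
                // rendered (the "Security warning" in the documentation).
                validationFailureIndex = -1;
                return true;
            }

            // Everything else: defer to ASP.NET's built-in validation.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey,
                out validationFailureIndex);
        }
    }
}
```

Because the validator is consulted for every source, including RawUrl, the exemption is keyed on collectionKey rather than on the value, so a `<tag>` in the exempted field is accepted while the same text anywhere else is still rejected. Whatever reads the exempted field (for example `Request.Unvalidated.Form["forum_post"]`) must HTML-encode or sanitise it before it reaches a response; the validator only changes when the check runs, not whether the data is safe to render.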
User783240086 posted
That's not what the documentations states. Read here: http://go.microsoft.com/fwlink/?LinkId=235367
Excerpts from .NET 4.5.1 changes:
"Developers have frequently asked for the ability to selectively turn off request validation for their applications. ....."
"ASP.NET 4.5 introduces two features that make it easy for you to selectively work with unvalidated input: deferred ("lazy") request validation and access to unvalidated request data."
"The new behavior makes it easier for different application components to look at different pieces of request data without triggering request validation on other pieces."
"However, you might want to access this field without triggering validation because you want to allow markup in that field."
"To allow this, ASP.NET 4.5 now supports unvalidated access to request data."
"You can then use the HttpRequest.Unvalidated property to read the unvalidated form value.."
The article goes on to state that because the validation is bypassed with this new technique, and no exceptions are raised, you should validate it yourself. Excerpt:
"Security warning: ASP.NET 4.5 added the unvalidated request properties and collections to make it easier for you to access very specific unvalidated request data. However, you must still perform custom validation on the raw request data to ensure that dangerous text is not rendered to users."
So why would they put in this warning that you as the developer are now responsible for validating your own request if, as you say, the exception is raised anyway? If it is my responsibility to validate, why does it nag me with the exception? My responsibility, to me, means I get to choose what goes through and I get to raise my own exceptions if I want to -- not the other way around.
Thursday, January 16, 2014 5:44 AM -
User1734617369 posted
I don't argue with what you say, but the fact is that the validation will still occur, since the Request values are parsed by the Page and that will trigger the exception later in the life cycle. There should be an easier way to handle that without writing your own handlers, but as far as I know there isn't.
/Johan
Thursday, January 16, 2014 9:34 AM -
User783240086 posted
Ok, so if I understand correctly there are two places where validation occurs. One before the page is loaded for the benefit of MVC and then again at the page level for web forms. The Request.Unvalidated() bypasses the early validation but does not bypass the one that occurs at the page level.
What still has me confused is why, then, the page directive <%@ Page ValidateRequest="false" %>, which is specifically for Web Forms, does not disable the second validation?
Thursday, January 16, 2014 1:44 PM -
User-227760790 posted
Look at these links:
- Request Validation in ASP.NET
- Understanding Request Validation in ASP.NET MVC 3
- ASP.NET MVC Tip #48 – Disable Request Validation
They will help you to understand how it works.
Please check out the link below:
Thursday, January 16, 2014 9:06 PM -
User783240086 posted
Yeah, unfortunately I read all these before and none explain my questions above. It makes no sense why bypassing validation at both levels, (1) the begin-request level with Request.Unvalidated() and (2) the page level with the <%@ Page ValidateRequest="false" %> directive, still causes ASP.NET to throw an exception. How many other ways do we need to tell ASP.NET to leave us alone because we want to take over validation in selective scenarios? Yes, I know we can go back to 2.0 validation, but that's a hack. I like the default 4.5 validation for 99% of my site and just want to disable it for a selective set of fields on a few pages. This should not be as difficult as creating my own validation class and littering my web.config with page exceptions.
Thursday, January 16, 2014 9:34 PM -
User1104055534 posted
Hi Dude,
"According to the documentation I should not be getting this error:"
Could you please tell me which documentation? Thank you.
Wednesday, January 22, 2014 2:35 AM -
User783240086 posted
This documentation: http://www.asp.net/aspnet/overview/aspnet-and-visual-studio-2012/whats-new#_Toc318097379
Wednesday, January 22, 2014 2:48 AM -
User1692409842 posted
I agree 100%. In my case I do have 2.0 validation on, and want to leave page validation on but just allow ONE form value to contain HTML-like tags. Request.Unvalidated.Form["blah"] seems completely pointless for Web Pages sites. If your page only works AT ALL with validation completely OFF, then EVERYTHING is unvalidated, so... I don't get it. I'd rather have a Request.Validated.Form["blah"] so I can just turn validation ON everywhere I need validated form values, and the default Request.Form[] would be unvalidated.
So now I need to manually validate all my input on that page? Seems kind of odd, when all that functionality is built into .NET, that I have to figure out how to do manual validation myself, hm. I wish I could just call the internal HTML validation routines on a field-by-field basis.
Sunday, April 6, 2014 8:10 PM -
User-1808204847 posted
You also need to add ValidateRequestMode="Disabled" to the control. See this question on StackOverflow: https://stackoverflow.com/questions/23633699/control-level-validaterequestmode-has-no-effect
Tuesday, May 5, 2020 5:03 PM