System.Web.HttpRequestValidationException SPAM Attack

  • Question

  • User-1382476339 posted

    I have been receiving SPAM attacks lately on one of my pages on my site.

    It seems to be a robot. I have tried activating an ASP.NET regular expression validator to prevent any HTML content from being posted back, but no result. I am still receiving the errors.

    Now the strange part: I have changed the name of the text area affected by the robot from ctl00$ContentPlaceHolder1$txtComments to ctl00$ContentPlaceHolder1$txtCommentBox, but I am still getting the error messages with the old text area name.

    I have also set ValidateRequest="false" on the page in question.

    Did anyone come across this issue before?

    Thanks for your time and answers.

    Here is the stack trace.


    Timestamp: 6/11/2007 8:11:17 AM
    Message: HandlingInstanceID: 72de6648-f9ee-48ff-a910-2ab90d86ab7d
    An exception of type 'System.Web.HttpRequestValidationException' occurred and was caught.
    -----------------------------------------------------------------------------------------
    06/11/2007 01:11:17
    Type : System.Web.HttpRequestValidationException, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a Message : A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$txtComments="<A href=http://kiuxm...").
    Source : System.Web
    Help link :
    ErrorCode : -2147467259
    Data : System.Collections.ListDictionaryInternal
    TargetSite : Void ValidateString(System.String, System.String, System.String)
    Stack Trace :    at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
       at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
       at System.Web.HttpRequest.get_Form()
       at System.Web.HttpRequest.get_HasForm()
       at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
       at System.Web.UI.Page.DeterminePostBackMode()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.newreviewoverview_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\microsoft.net\Framework\v2.0.50727\Temporary ASP.NET Files\root\e5105d11\712565f8\App_Web_iw0bbmky.7.cs:line 0
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
     

    Monday, June 11, 2007 4:35 AM

All replies

  • User-432158456 posted

    I've been having the same problem - a ton of attempts to enter hyperlinks into the password textbox control of the login form for my user group's website.

    I am using the asp.net membership login control.

    My solution was to add more validation to the pw and user name text boxes using some regex.

    First you need to convert the control to a template. Then you can add some regex validators to check the input on the text boxes.

    The regex I'm using to allow anything that does not contain "http" or "href" is the following:

    ^((?!href|http).)+$

    Remember not only to tie this regex validator to the control you want to validate but also to the validation group for the login control. If you forget the latter, the page will still post back, the nasty value will still get processed and you will still get the error message.

    hth

    Update: This only helped PART of the problem :-( , but it seems that the robot is not even coming to my site to perform this spam and they are just doing their own postbacks. So I gave up and am just filtering out these errors.

    Julie

    Tuesday, June 12, 2007 9:45 AM
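The pattern Julie posted works by negative lookahead: every character is accepted only if the text at that position does not start with `href` or `http`. The example below is added here (it is not code from the thread) and mimics the server-side check a RegularExpressionValidator performs, then compares the posted pattern against a hardened variant of my own that is case-insensitive and newline-tolerant; the sample inputs are constructed, apart from the spam fragment quoted in the first stack trace.

```python
import re

# Julie's validator pattern exactly as posted in the thread: the value may contain
# anything as long as no position in it begins "href" or "http".
SPAM_LINK_PATTERN = re.compile(r"^((?!href|http).)+$")

# Hardened variant (my assumption, not from the thread): IGNORECASE also rejects
# "HREF"/"HTTP", and DOTALL lets a multi-line comment box still validate, since
# "." does not match a newline by default.
SPAM_LINK_PATTERN_HARDENED = re.compile(r"^((?!href|http).)+$",
                                        re.IGNORECASE | re.DOTALL)


def passes_validator(value, pattern=SPAM_LINK_PATTERN):
    """Server-side semantics of RegularExpressionValidator: the whole value must match."""
    return pattern.fullmatch(value) is not None


def compare(values):
    """Return {value: (posted_pattern_result, hardened_pattern_result)} per candidate."""
    return {v: (passes_validator(v),
                passes_validator(v, SPAM_LINK_PATTERN_HARDENED))
            for v in values}


# Constructed inputs: the first is the spam fragment from the original stack trace,
# the remaining ones probe shapes the posted pattern handles poorly.
SAMPLES = [
    "<A href=http://kiuxm...",              # rejected by both
    "Great hotel, would stay again",        # accepted by both
    "see HTTP://example.invalid/promo",     # slips past the case-sensitive original
    "Line one\nLine two",                   # legitimate multi-line text fails the original
    "",                                     # "+" requires at least one character
]

if __name__ == "__main__":
    for value, (posted, hardened) in compare(SAMPLES).items():
        print(f"{value!r:40} posted={posted} hardened={hardened}")
```

Note that, as Julie says, a validator only helps when the request actually runs the page's validation group; a client that fabricates its own postback never executes the client-side check at all, so the server-side result is the one that matters.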
  • User-1382476339 posted

    Thanks for the reply Julie,
    I have also tried several things to prevent them from attacking:

    1) setting EnableViewStateMac="false" ValidateRequest="false"
    2) Placing a regular expression as you mention to prevent any HTML from being inserted in the textbox.
    3) I recently had to change my machine encryption and decryption keys. This had a really nice effect where I determined how they were processing.

    These guys have created a viewstate with the current data and then submit it to the page each time. Here is how the stack trace looks now, compared to the one above.

    I don't exactly get how they are able to do that, but as you said they seem to be using their own postback.

    Here is my Stack Trace:

    Timestamp: 6/14/2007 4:24:46 AM
    Message: HandlingInstanceID: 0c60fc22-5c1d-4dc6-bfa8-3cebd1fd3bf1
    An exception of type 'System.Web.HttpException' occurred and was caught.
    ------------------------------------------------------------------------
    06/13/2007 21:24:46
    Type : System.Web.HttpException, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a Message : The state information is invalid for this page and might be corrupted.
    Source : System.Web
    Help link :
    ErrorCode : -2147467259
    Data : System.Collections.ListDictionaryInternal
    TargetSite : Void ThrowError(System.Exception, System.String, System.String, Boolean)
    Stack Trace :    at System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError)
       at System.Web.UI.HiddenFieldPageStatePersister.Load()
       at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
       at System.Web.UI.Page.LoadAllState()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.newreviewoverview_aspx.ProcessRequest(HttpContext context) in c:\WINDOWS\microsoft.net\Framework\v2.0.50727\Temporary ASP.NET Files\root\e5105d11\712565f8\App_Web_rbisda2d.5.cs:line 0
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


    Additional Info:


    MachineName : WEB129

    TimeStamp : 6/14/2007 4:24:46 AM

    FullName : Microsoft.Practices.EnterpriseLibrary.ExceptionHandling, Version=2.0.0.0, Culture=neutral, PublicKeyToken=null AppDomainName : /LM/w3svc/229364/root-1-128262662199621207

    ThreadIdentity :

    WindowsIdentity : WEB129\aspnet_229364

          Inner Exception

          ---------------

          Type : System.Web.UI.ViewStateException, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a

          Message : Invalid viewstate.

          Client IP: 58.105.237.146

          Port: 1240

          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

          ViewState: /wEPDwULLTE5NzkzOTYzMTUPZBYCZg9kFhYCAQ8PFgIeB1Zpc2libGVoZGQCAg8PFgIfAGhkZAIDDw8WBB4LTmF2aWdhdGVVcmwFD2VuLVBhcnRuZXIuYXNweB8AZ2RkAgUPDxYEHwEFJWh0dHA6Ly93d3cudmluaXZpLmNvbS9lbi1QYXJ0bmVyLmFzcHgeBFRleHQF

          Referer: http://www.vinivi.com/en-feedback.aspx

          Path: /en-Hotel-Punta_Cana-Dominican_Republic-r2335-Reviews-Hotel_Riu_Palace_Punta_Cana.aspx

          Source :

          Help link :

          RemoteAddress : 58.105.237.146

          RemotePort : 1240

          UserAgent : Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

          PersistedState : /wEPDwULLTE5NzkzOTYzMTUPZBYCZg9kFhYCAQ8PFgIeB1Zpc2libGVoZGQCAg8PFgIfAGhkZAIDDw8WBB4LTmF2aWdhdGVVcmwFD2VuLVBhcnRuZXIuYXNweB8AZ2RkAgUPDxYEHwEFJWh0dHA6Ly93d3cudmluaXZpLmNvbS9lbi1QYXJ0bmVyLmFzcHgeBFRleHQF

          Referer : http://www.vinivi.com/en-feedback.aspx

          Path : /en-Hotel-Punta_Cana-Dominican_Republic-r2335-Reviews-Hotel_Riu_Palace_Punta_Cana.aspx

          IsConnected : True

          Data : System.Collections.ListDictionaryInternal

          TargetSite :

          Stack Trace : The stack trace is unavailable.

                Inner Exception

                ---------------

                Type : System.ArgumentException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

                Message : The serialized data is invalid.

                Source : System.Web

                Help link :

                ParamName :

                Data : System.Collections.ListDictionaryInternal

                TargetSite : System.Object Deserialize(System.IO.Stream)

                Stack Trace :    at System.Web.UI.ObjectStateFormatter.Deserialize(Stream inputStream)

                   at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)

                   at System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState)

                   at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState)

                   at System.Web.UI.HiddenFieldPageStatePersister.Load()


                      Inner Exception

                      ---------------

                      Type : System.IO.EndOfStreamException, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

                      Message : Unable to read beyond the end of the stream.

                      Source : mscorlib

                      Help link :

                      Data : System.Collections.ListDictionaryInternal

                      TargetSite : Void EndOfFile()

                      Stack Trace :    at System.IO.__Error.EndOfFile()

                         at System.IO.BinaryReader.ReadByte()

                         at System.IO.BinaryReader.Read7BitEncodedInt()

                         at System.IO.BinaryReader.ReadString()

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader)

                         at System.Web.UI.ObjectStateFormatter.Deserialize(Stream inputStream)


     

    Thursday, June 14, 2007 1:01 AM
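The two traces in this thread carry a usable replay signal for a defender: a posted field name the live page no longer renders (txtComments after the rename to txtCommentBox) and a ViewState that fails to load both mean the client is resubmitting a captured form rather than the page as served. The script below is an added example, not code from the thread; it parses a constructed log excerpt in the shape of the Enterprise Library entries quoted above, assumes a RemoteAddress line follows each Message line (as in the second trace's Additional Info), and reports which clients are replaying.

```python
import re
from collections import Counter

# Field names the live page renders today (constructed; after the rename in the
# thread the old txtComments name should never arrive from a real browser).
CURRENT_FORM_FIELDS = {"ctl00$ContentPlaceHolder1$txtCommentBox"}

# Constructed log excerpt shaped like the quoted Enterprise Library entries. The
# second address is a documentation range, not a real client.
SAMPLE_LOG = """\
Message : A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$txtComments="<A href=http://kiuxm...").
RemoteAddress : 58.105.237.146
Message : A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$txtCommentBox="<b>nice</b>").
RemoteAddress : 192.0.2.10
Message : The state information is invalid for this page and might be corrupted.
RemoteAddress : 58.105.237.146
"""

FIELD_RE = re.compile(r"Request\.Form value was detected from the client \(([^=]+)=")
ADDR_RE = re.compile(r"^\s*RemoteAddress\s*:\s*(\S+)")
VIEWSTATE_MSG = "The state information is invalid for this page"


def triage(log_text, current_fields):
    """Pair each Message line with the RemoteAddress line that follows it.

    Returns {'stale_field': [(ip, field)], 'viewstate': [ip]}; a field the live page
    no longer renders, or a ViewState that fails to load, marks a replayed postback.
    """
    findings = {"stale_field": [], "viewstate": []}
    pending = None  # what the next RemoteAddress line belongs to
    for line in log_text.splitlines():
        m = FIELD_RE.search(line)
        if m:
            pending = ("field", m.group(1))
        elif VIEWSTATE_MSG in line:
            pending = ("viewstate", None)
        elif pending and (a := ADDR_RE.match(line)):
            kind, field = pending
            if kind == "field" and field not in current_fields:
                findings["stale_field"].append((a.group(1), field))
            elif kind == "viewstate":
                findings["viewstate"].append(a.group(1))
            pending = None
    return findings


def replaying_clients(findings, threshold=2):
    """Addresses with at least `threshold` replay indicators, for a block or rate-limit list."""
    hits = Counter(ip for ip, _ in findings["stale_field"])
    hits.update(findings["viewstate"])
    return sorted(ip for ip, n in hits.items() if n >= threshold)
```

The request-validation entry for txtCommentBox is not flagged, because that field exists on the live page; only the stale name and the ViewState failure count against a client.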