
A potentially dangerous Request.Path value was detected from the client (?)

Tags:

c#

asp.net

iis

Environment:

IIS 8.5

.NET Framework Version: 4.6.2 (using WebForms)

Windows Server 2012 R2

Problem:

The following exception is being reported:

BASE EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

BASE EXCEPTION HRESUT: -2147467259

EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Other information shown in our logs:

PATH_INFO
/cities/index.aspx?locid=4163
----
QUERY_STRING
----
REMOTE_ADDR
66.249.65.204
----
REMOTE_HOST
66.249.65.204
----
REQUEST_METHOD
GET
----
SCRIPT_NAME
/cities/index.aspx?locid=4163
----
URL
/cities/index.aspx?locid=4163
----
HTTP_FROM
googlebot(at)googlebot.com
----
HTTP_USER_AGENT
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

What I do not understand is if I cut and paste the path in my browser, the page is rendered just fine and without error.

Questions:

  1. Why does googlebot, when crawling the page, produce this error, yet no error is generated when I enter the path in a browser? (I do find it odd that the error log shows no value for the query string, even though it is present.)
  2. Why is the "?" character considered potentially dangerous?

Any advice would be appreciated as I am trying to understand how this particular "error" is being raised when the path is in fact valid.

Thanks in advance.

bdcoder asked May 09 '17 04:05


2 Answers

ASP.NET 4.0+ introduced strict validation, so whatever error you are seeing might be part of it. There are certain dangerous characters in the URL which might cause an XSS attack, so ? is one among them. The remaining characters are as follows:

< > * % & : \ ?

Probably there might be two solutions:

  1. You can allow these characters in your URL, or at least certain characters, by configuring the following in web.config:

    <system.web>
      <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" />
    </system.web>

  2. You can roll back to ASP.NET 2.0 with the following configuration:

    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>

Tummala Krishna Kishore answered Sep 19 '22 21:09


It dawned on me why the querystring was not showing anything in our logs. Requests that encode the "?" (%3f) will cause the exception described above to be raised, for example:

/cities/index.aspx%3flocid=4163

The encoded %3f is interpreted as part of the path, hence the exception of "A potentially dangerous Request.Path value was detected from the client (?)".

When I entered the URL shown above in a browser -- the exception is raised and the log does not contain a querystring. So I can only assume everything is functioning as it should and that the requester is encoding the ? when they should not be; basically wrecking the querystring portion of the URL.

We also have requestValidationMode="2.0" in system.web, but DO NOT make use of the requestPathInvalidCharacters (httpRuntime) setting.

bdcoder answered Sep 22 '22 21:09
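
A simplified model of what the second answer describes, added here as an illustration (it is not ASP.NET's or IIS's own code, and the function names are made up): the request target is split on the first literal `?`, the path is then percent-decoded, and the decoded path is checked against the character list quoted in the first answer. The sample targets are constructed from the URL in the question; note that the `%3f` variant yields the same path value and empty query string seen in the question's log.

```python
from urllib.parse import unquote

# Characters the first answer lists as rejected in the request path.
INVALID_PATH_CHARS = set('<>*%&:\\?')


def split_target(raw_target):
    """Split a raw request target into (decoded_path, query).

    Only a literal '?' separates path from query. An encoded '%3f' is
    still path data at this point and turns into '?' only on decoding.
    """
    raw_path, _, query = raw_target.partition('?')
    return unquote(raw_path), query


def check_request(raw_target):
    """Return (decoded_path, query, offending_chars) for one target."""
    path, query = split_target(raw_target)
    offending = sorted(c for c in set(path) if c in INVALID_PATH_CHARS)
    return path, query, offending


def describe(raw_target):
    """One-line verdict suitable for log triage."""
    path, query, offending = check_request(raw_target)
    verdict = "REJECT" if offending else "ACCEPT"
    return "%s raw=%r path=%r query=%r offending=%r" % (
        verdict, raw_target, path, query, offending)


# Constructed sample targets based on the URL in the question.
SAMPLES = [
    "/cities/index.aspx?locid=4163",      # literal '?': normal query string
    "/cities/index.aspx%3flocid=4163",    # encoded '?': ends up in the path
    "/cities/index.aspx%3Flocid=4163",    # same, upper-case hex digits
    "/cities/index.aspx%253flocid=4163",  # decodes once to a literal '%'
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(describe(target))
```
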