Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to check if string will fire “A potentially dangerous Request.Form value was detected…” error

Similar to this question but I don't care so much about what characters will/won't cause the error to fire. I'm more curious as to what method I can call, to check for myself, if the current string will fire the above error message.

To give a bit of background, I'm creating random passwords when a user forgets theirs and needs a reset. Unfortunately, the random password generator "accidentally" created one with &# in it recently. This caused the page to break when the user tried to login with it.

As mentioned in plenty of posts around this topic, ValidateRequest=false (or <httpRuntime requestValidationMode="2.0" /> for .NET 4.0) can be used to turn off .NET checking for these exploits, but I don't see any reason to lose this extra layer of security when I'm the one creating the string in the first place. And simply telling the random generator to re-randomize on an incomplete list (<, &#, etc) doesn't seem like the cleanest solution so I'd like to use the same method of checking that .NET is using.

Microsoft's explanation of what exploits are in question and what is being done to guard against them here.

This guy talks about finding a function called IsDangerousString after digging in with Reflector, but I'm not able to find this function to use it. Also he's referring to .NET 1.1 and I'm working with .NET 3.5

like image 711
Mercurybullet Avatar asked Jul 06 '12 22:07

Mercurybullet


People also ask

How do you solve a potentially dangerous request form value was detected from the client?

We can resolve your reported problem (A potentially dangerous Request. Form value was detected from the client) in ASP.NET Application. To resolve your problem, we need add the validateRequest as false in pages tag and add requestValidationMode as 2.0 in Web. config file.

What is unsafe HTML string detected request?

This error description means some one entered HTML markup or script which can be dangerous to the server. In above case1 image you see I had not entered any standard HTML tag but while submitting this form to the server , and this will throw an error.


1 Answers

The ASP.NET class that validates requests is System.Web.CrossSiteScriptingValidation, and the method you want is IsDangerousString. Unfortunately, both are marked internal, so you can't access them directly. You have several options:

Option 1: Call IsDangerousString via Reflection. However, Microsoft could change the method at any time, which would break your applicaton.

Option 2: Decompile IsDangerousString and copy it to your own application. See the code below.

Option 3: Call Membership.GeneratePassword. This returns a password that is guaranteed to pass request validation.

Excerpts from the ASP.NET CrossSiteScriptingValidation class (via .NET Reflector):

private static char[] startingChars = new char[] { '<', '&' };

internal static bool IsDangerousString(string s, out int matchIndex)
{
    matchIndex = 0;
    int startIndex = 0;
    while (true)
    {
        int num2 = s.IndexOfAny(startingChars, startIndex);
        if (num2 < 0)
        {
            return false;
        }
        if (num2 == (s.Length - 1))
        {
            return false;
        }
        matchIndex = num2;
        char ch = s[num2];
        if (ch != '&')
        {
            if ((ch == '<') && ((IsAtoZ(s[num2 + 1]) || (s[num2 + 1] == '!')) || ((s[num2 + 1] == '/') || (s[num2 + 1] == '?'))))
            {
                return true;
            }
        }
        else if (s[num2 + 1] == '#')
        {
            return true;
        }
        startIndex = num2 + 1;
    }
}

private static bool IsAtoZ(char c)
{
    return (((c >= 'a') && (c <= 'z')) || ((c >= 'A') && (c <= 'Z')));
}
like image 157
Michael Liu Avatar answered Oct 11 '22 06:10

Michael Liu