Here is my Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>
<html>
<head runat="server">
<title>xss demonstration</title>
</head>
<body>
<form id="form1" runat="server">
<div>
We are looking for your feedback.
<asp:TextBox ID="txtFeedback" runat="server" TextMode="MultiLine" />
<br />
<asp:Button ID="submit" runat="server" Text="Submit" onclick="submit_Click" />
<br />
Comment:
<br />
<asp:Literal ID="ltlFeedback" runat="server" />
</div>
</form>
</body>
</html>
And below is Default.aspx.cs
public partial class _Default : System.Web.UI.Page
{
protected void submit_Click(object sender, EventArgs e)
{
this.ltlFeedback.Text = this.txtFeedback.Text;
}
}
When I run the application and enter following in the text box.
<script>alert('Hello')</script>
I get following error.
A potentially dangerous Request.Form value was detected from the client (txtFeedback="alert('Hello...").
My question is why I get this error even though ValidateRequest is set to false in the page?
In .net framework 4.0 you have to set <httpRuntime requestValidationMode="2.0"/>
markup in web.config.
<system.web>
<compilation debug="false" targetFramework="4.0" />
<httpRuntime requestValidationMode="2.0"/>
</system.web>
Have a look at reference article - ASP.NET 4 Breaking Changes #1: requestValidationMode cause ValidateRequest=False to fail.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With