A potentially dangerous Request.QueryString value was detected from the client

Question 1

A potentially dangerous Request.QueryString value was detected from the client

c# asp.net .net query-string custom-error-handling

gvd · Nov 15, 2013 · Viewed 17.5k times · Source

Answer

Answer

Your error is due to violation of built in security rules in the ASP platform. These rules prevent injection and cross-site scripting attacks. If you are using MVC there is a handy AntiForgeryToken that can take care of this for you.

Please look into the post from Scot Hanselman

http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

Question 2

I'm using WebForm

I'm doing a Security Testing to my site but when I try to pass through url a QueryString like:

'"-->netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E

I got Server Error in '/' Application.

A potentially dangerous Request.QueryString value was detected from the client A potentially dangerous Request.Path value was detected from the client (>).

I have in the web.config

<httpRuntime  enableVersionHeader="false"/>
<customErrors mode="On"  defaultRedirect="~/Error/GeneralError.aspx">
  <error statusCode="404" redirect="~/Error/PageNotFound.aspx" />
  <error statusCode="403" redirect="~/Error/GeneralError.aspx" />    
  <error statusCode="500" redirect="~/Error/GeneralError.aspx" />      
</customErrors>

    ..................

<pages controlRenderingCompatibilityVersion="4.0" viewStateEncryptionMode="Always">

Any idea how can I correct that?

A potentially dangerous Request.QueryString value was detected from the client

Answer

Related questions