A potentially dangerous Request.QueryString value was detected from the client

Question

I'm using WebForm

I'm doing a Security Testing to my site but when I try to pass through url a QueryString like:

'"-->netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E

I got Server Error in '/' Application.

A potentially dangerous Request.QueryString value was detected from the client A potentially dangerous Request.Path value was detected from the client (>).

I have in the web.config

<httpRuntime  enableVersionHeader="false"/>
<customErrors mode="On"  defaultRedirect="~/Error/GeneralError.aspx">
  <error statusCode="404" redirect="~/Error/PageNotFound.aspx" />
  <error statusCode="403" redirect="~/Error/GeneralError.aspx" />    
  <error statusCode="500" redirect="~/Error/GeneralError.aspx" />      
</customErrors>

    ..................

<pages controlRenderingCompatibilityVersion="4.0" viewStateEncryptionMode="Always">

Any idea how can I correct that?

That's a correct response from the server. However, you can disable request validation. Your answer is here: http://stackoverflow.com/questions/2673850/validaterequest-false-doesnt-work-in-asp-net-4 Do read the MSDN page linked in that answer. — sakura-bloom, Nov 15 '13 at 20:29
I follow the answer suggest but I continuing presenting the previous error and one aditional... Server Error in '/' Application. Runtime Error Description: An exception occurred while processing your request. Additionally, another exception occurred while executing the custom error page for the first exception. The request has been terminated. — gvd, Nov 15 '13 at 20:59
http://stackoverflow.com/questions/3885697/a-potentially-dangerous-request-querystring-value-was-detected-from-the-client-w — Sten Petrov, Apr 21 '15 at 19:58

codingpirate · Answer 1 · 2013-11-15T21:03:01.217

1

Your error is due to violation of built in security rules in the ASP platform. These rules prevent injection and cross-site scripting attacks. If you are using MVC there is a handy AntiForgeryToken that can take care of this for you.

Please look into the post from Scot Hanselman

http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

edited Nov 15 '13 at 21:03

answered Nov 15 '13 at 20:53

codingpirate

1,414
1
12
20

The link does not go anywhere, friend. "Error 404 page not found". – Malcolm Salvador Nov 15 '13 at 21:01
@Malky Corrected the link.. – codingpirate Nov 15 '13 at 21:03
1

Thats not work for ASP.NET WebForm.... – gvd Nov 18 '13 at 13:37

A potentially dangerous Request.QueryString value was detected from the client

1 Answers1

Linked