A user is receiving "a potentially dangerous request.form value was detected" error message when trying to log in. I set validateRequest="false" in the logon.aspx page as well as the following in the "location" of web.config:

<location path="~/Account/Logon.aspx">
  <system.web>
    <pages validateRequest="false" />
    <httpRuntime requestValidationMode="2.0" />
    <authorization>
      <allow users="?" />
    </authorization>
  </system.web>
</location>

The user is still getting the error message. I asked what special characters he has in his password and he has "&", "#" and "(", none of which should generate this error (I have # and * in mine). Is there anything else I can try?

Almost all suggestions to fix this issue, including those at this site, recommend the use of "validaterequest=false" which does not seem to help.

NoBullMan

1 Answer

There are two parts to the solution. First, add the ValidateInputAttribute to your controller method:

[ValidateInput(false)]

The second part is more difficult. You should validate the value manually in your code. Ensure that there are no SQL injections in the user input.

UPDATE: For ASP.NET Web Forms, add the ValidateRequest tag to your page, as in this example:

<%@ Page language="c#" Codebehind="LoginForm.aspx.cs" 
ValidateRequest="false" AutoEventWireup="false" 
Inherits="Junk.WebForm1" %>

Vadim Martynov
  • Thank you Vadim, but this is not an MVC app. – NoBullMan Dec 16 '15 at 13:18
  • @NoBullMan huh ok. Did you try to add validateRequest="false" tag in your aspx-page? – Vadim Martynov Dec 16 '15 at 15:34
  • Yes I did. Actually the user just informed me that when he changed his password that included "&" and "#" by changing the order from "&#" to "#&", he was able to log in with no errors. So, there is something about "&#" that generates this error even though I have specified "validateRequest=false". – NoBullMan Dec 16 '15 at 15:45
  • @NoBullMan do you have code like the following? var password = Request.Form["password"]; Try changing it to var password = Request.Unvalidated("password"); – Vadim Martynov Dec 16 '15 at 15:56
  • I don't see Request.Unvalidate() (is not listed in Intellisense). – NoBullMan Dec 17 '15 at 12:40
  • Property: https://msdn.microsoft.com/en-us/library/system.web.httprequest.unvalidated(v=vs.110).aspx Iterator: https://msdn.microsoft.com/en-us/library/system.web.unvalidatedrequestvalues.item(v=vs.110).aspx Extension method: https://msdn.microsoft.com/en-us/library/gg548128(v=vs.111).aspx If it'll help you I'm updating answer text. And please add correct asp.net tag (forms, mvc or pages) to the question. – Vadim Martynov Dec 17 '15 at 13:02
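
The behaviour reported in the comments above (a password containing "&#" is rejected while the same characters as "#&" are accepted) matches the pattern check that ASP.NET request validation applies to form values: it flags "<" followed by a letter, "!", "/" or "?", and "&" followed by "#". The sketch below is an added example, not code from the original posts and not the framework's source; the class and method names are hypothetical and the sample passwords are constructed.

```csharp
using System;

// Illustrative re-implementation with hypothetical names; not the framework's source.
public static class RequestValidationSketch
{
    private static readonly char[] StartingChars = { '<', '&' };

    // Returns true when the value contains a sequence request validation rejects:
    //   '<' followed by a letter, '!', '/' or '?'  (start of a tag, comment or directive)
    //   '&' followed by '#'                        (start of a numeric character reference)
    public static bool IsDangerous(string value, out int matchIndex)
    {
        matchIndex = -1;
        if (string.IsNullOrEmpty(value)) return false;

        for (int i = 0; i < value.Length - 1; )
        {
            int n = value.IndexOfAny(StartingChars, i);
            // No trigger character left, or it is the last character: nothing to flag.
            if (n < 0 || n == value.Length - 1) return false;

            char next = value[n + 1];
            bool hit = value[n] == '<'
                ? IsAsciiLetter(next) || next == '!' || next == '/' || next == '?'
                : next == '#';
            if (hit) { matchIndex = n; return true; }
            i = n + 1; // keep scanning after this trigger character
        }
        return false;
    }

    private static bool IsAsciiLetter(char c)
    {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }

    public static void Main()
    {
        // Constructed sample values, not taken from the thread.
        string[] samples = { "Pa&#ss(1", "Pa#&ss(1", "a<b", "x < y", "<script>", "tail&" };
        foreach (string s in samples)
        {
            int at;
            bool dangerous = IsDangerous(s, out at);
            Console.WriteLine("{0,-10} -> {1}", s, dangerous ? "rejected at index " + at : "accepted");
        }
    }
}
```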