
I have this controller.

    public string Status([FromBody]StatusRequest p)
    {
        // Reads the raw "params" form field; this is where request validation throws.
        string ps = HttpContext.Current.Request["params"];
        return ps;
    }

It receives this POST parameter value (the value is XML; below is just part of it):

params=<Transaction hash=9

I get this infamous error:

A potentially dangerous Request.Form value was detected from the client

I tried a few solutions. I tried to bind the POST parameter, but no luck; it won't bind it, so the value of 'p' is always null.

I tried setting web.config in the directory where my controller is:

    <?xml version="1.0"?>
    <configuration>
      <system.web>
        <compilation debug="true" targetFramework="4.0" />
        <httpRuntime targetFramework="4.5" requestPathInvalidCharacters="?" />
        <pages validateRequest="false" />
      </system.web>
    </configuration>

Those configurations have no effect on the files inside the directory.

Does anyone know how to solve this?

dan mann
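An added example (not the asker's code) of the narrower alternative to turning validation off: read only the one field unvalidated with `Request.Unvalidated` (ASP.NET 4.5+) and then validate it as XML with DTDs prohibited. It assumes Web API 2 (`ApiController`/`IHttpActionResult`); the class name `StatusController` is assumed.

```csharp
using System.IO;
using System.Web;
using System.Web.Http;
using System.Xml;

public class StatusController : ApiController   // assumed class name
{
    public IHttpActionResult Status()
    {
        // Request.Unvalidated returns the raw value of this one form field without
        // raising "A potentially dangerous Request.Form value was detected", so
        // request validation stays enabled for every other field and page.
        string ps = HttpContext.Current.Request.Unvalidated.Form["params"];
        if (string.IsNullOrEmpty(ps))
        {
            return BadRequest("params is required");
        }

        // The field is supposed to carry XML, so check that instead of "not HTML":
        // no DTD (blocks XXE and entity expansion), no external resolver, and the
        // root element must be the expected <Transaction>.
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(ps), settings))
            {
                reader.MoveToContent();
                if (reader.NodeType != XmlNodeType.Element || reader.Name != "Transaction")
                {
                    return BadRequest("params must be a <Transaction> document");
                }
                string hash = reader.GetAttribute("hash");
                return Ok(new { hash });
            }
        }
        catch (XmlException ex)
        {
            return BadRequest("params is not well-formed XML: " + ex.Message);
        }
    }
}
```

Note that the fragment shown in the question has an unquoted attribute (`hash=9`), which is not well-formed XML; `XmlReader` rejects it, so the client must send `hash="9"`.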

2 Answers


This is a really nasty exception because it reveals the Server header even if you hide it, so a big bad guy can use that info against you.

I've found two solutions which helped me. Let me explain both using the asterisk as an example of a dangerous symbol (but you can handle any single symbol or set of symbols in this way).

The 1st way is really ugly and I can't recommend it to anyone. But here it is:

Add this code to Global.asax.cs:

    protected void Application_Error(object sender, EventArgs e)
    {
        // Swallow the request-validation exception for URLs containing the asterisk.
        if (Context.Request.RawUrl.Contains("*"))
        {
            Server.ClearError();
        }
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!Context.Request.RawUrl.Contains("*"))
        {
            return;
        }

        // Strip the dangerous symbol and rewrite the request to the cleaned path.
        var newPath = Context.Request.RawUrl.Replace("*", "");
        base.Context.RewritePath(newPath);
    }

That's it. For any URL with an asterisk you'll avoid this annoying exception and just replace the dangerous symbol with anything you want.

The 2nd way is slightly trickier, but for me, much better. Just keep in mind that you can't use it if you don't have the possibility to install the URL Rewrite module for IIS. Check the next article for the details. The article is a little bit dated; if you use IIS 10 as I do, you need to get the URL Rewrite module here.

So first of all you have to install this module. After that, add this section to your web.config file in the system.webServer section:

    <rewrite>
      <rules>
        <rule name="Rewrite URL to remove asterisk from path.">
          <match url="^(.*)\*(.*)$" />
          <conditions logicalGrouping="MatchAny" />
          <action type="Rewrite" url="{R:1}{R:2}" />
        </rule>
      </rules>
    </rewrite>

That's all. Now almost any malformed URL with an asterisk will work without this annoying error.

Why almost? Because you'll still get the exception if the dangerous symbol is present in the name of, for example, an IIS virtual directory.

So both ways handle errors like http://localhost/WebApplication1/api*/Values

And both ways fail with a URL like this: http://localhost/WebApplication1*/api/Values

Igor V Savchenko

Just remove the asterisk from requestPathInvalidCharacters in Web.config:

    ...
    <system.web>
        <!-- Default list is &lt;,&gt;,*,%,&amp;,:,\,? ; the asterisk has been removed here. -->
        <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,%,&amp;,:,\,?" />
    ...
PetrF