
I'm using Web API 2. Whenever somebody tries to insert the script into my API, I want to throw a 404 or 400 error with a custom message, and not a 500 error.

This is different from the SO question - Getting "A potentially dangerous Request.Path value was detected from the client (&)" - because I don't want to allow it, but to throw custom errors.

Basically, I want to just return if the script is detected, without executing any controllers, if possible.

Prashant Yadav

1 Answer


Could you please provide some clarity on why you want to do this?

I would recommend that you look at the global.asax event Application_BeginRequest() and check the unvalidated properties in a custom method here. That will ensure you don't need to completely disable the validation and leave yourself vulnerable.

Martin Venter
  • But as mentioned in this answer, I won't be able to do it https://stackoverflow.com/a/15578829/2390553 – Prashant Yadav Oct 31 '18 at 05:27
  • I want to do it this way because that's how it's written in the user story. I tried to talk with my senior, but he is adamant on doing it this way only – Prashant Yadav Oct 31 '18 at 05:31
  • Yes, but by hooking into this on the global.asax you would still be protected by the default behaviour (500) if your method doesn't throw a custom exception. I'm not advocating that you disable it, but rather adding your own method before the 500 is thrown by the application? This is the closest I can suggest to offer you the best of both worlds. – Martin Venter Oct 31 '18 at 05:31
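
A sketch of the approach the answer describes, added here as an example and not code posted by either participant: Application_BeginRequest reads the unvalidated request values, runs a custom check, and ends the request with a 400 and a custom message so that no controller executes. The class name `WebApiApplication`, the helper `LooksLikeScript`, the regular expression and the message text are assumptions made for the example. It leaves the framework's built-in request validation enabled and does not settle the point raised in the comments about whether the built-in path check fires first.

```csharp
// Global.asax.cs -- added example, not code from the question or the answer.
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;

public class WebApiApplication : HttpApplication
{
    // Hypothetical pattern chosen for this example: "<" followed by a
    // tag-like character, or the start of a numeric character reference.
    private static readonly Regex Suspicious =
        new Regex(@"<[A-Za-z!/?]|&#", RegexOptions.Compiled);

    // Hypothetical helper: true if the path, a query-string key or a
    // query-string value matches the pattern above.
    private static bool LooksLikeScript(HttpRequest request)
    {
        // Request.Unvalidated exposes the raw values without triggering
        // the framework's own request validation on access.
        var raw = request.Unvalidated;
        if (Suspicious.IsMatch(HttpUtility.UrlDecode(raw.Path) ?? string.Empty))
            return true;

        NameValueCollection query = raw.QueryString;
        foreach (string key in query.AllKeys)
        {
            // A valueless parameter ("?abc") is stored under a null key.
            if (key != null && Suspicious.IsMatch(key)) return true;
            foreach (string value in query.GetValues(key) ?? new string[0])
            {
                if (Suspicious.IsMatch(value)) return true;
            }
        }
        return false;
    }

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        if (!LooksLikeScript(Request)) return;

        Response.Clear();
        Response.StatusCode = 400;
        Response.TrySkipIisCustomErrors = true; // keep IIS from replacing the body
        Response.ContentType = "text/plain";
        Response.Write("Request rejected: input contains disallowed markup.");
        CompleteRequest(); // jump to EndRequest; routing and controllers do not run
    }
}
```

Requests that pass this check still go through the default validation, so the default error remains the fallback for anything the custom method does not reject.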