Hidden Input Field causes potentially dangerous Request.Form value error

Posted on 2008-11-07
Last Modified: 2012-05-05
In my ASP.NET 1.1 application, I am compressing and replacing the hidden Viewstate variable with an alternate compressed value, stored in a hidden field called __VSTATE. This works well but on a few occasions, submitting a page causes the common "potentially dangerous Request.Form value ..." error.

I examined the __VSTATE value and nothing seems to be potentially dangerous. I was able to reproduce the error with a completely stripped down version of the page as shown in the code snippet. Pressing the submit button causes the error. The page works fine if I change the value to "".

Can someone explain why this is happening and suggest a solution? I do not want to remove page validation. During my testing, I tried using HTMLEncode but that doesn't change the test value in the snippet and still generates an error.
<%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
  <head><title>Dangerous</title></head>
  <body MS_POSITIONING="FlowLayout">
    <form id="Form1" method="post" runat="server">
      <!-- Posting back with value="Onw=" raises the "potentially dangerous Request.Form value" error -->
      <input type="hidden" id="__VSTATE" runat="server" value="Onw=" />
      <asp:Button ID="btnSubmit" Runat="server" Text="Submit" />
    </form>
  </body>
</html>

Question by: ZekeLA
    Expert Comment

    Add ValidateRequest="false" in the page directive like
     <%@ Page Theme="SkyHigh" Language="C#" AutoEventWireup="true" CodeBehind="Test.aspx.cs" Inherits="Log.Test" ValidateRequest="false"  %>


    Expert Comment

    <%@ Page Language="vb" AutoEventWireup="false" Codebehind="Dangerous.aspx.vb" Inherits="Dynalabs.Dangerous" ValidateRequest="false" %>
    Author Comment

    I appreciate the responses but that doesn't really address the problem for two reasons:

    1) Removing the request validation means users could enter truly dangerous requests (such as scripts and tags) which I would have to trap throughout the entire application and hope I did as good a job as .NET already has built in.

    2) This isn't a case where I want to allow the user to enter formatted text and I need to allow html tags. My input value is just "Onw=" which has no dangerous values as far as I can determine. From my viewpoint, this shouldn't be any worse than if the value was "abcd".

    My only thought at the moment is that .NET is concerned about the variable itself somehow because I named it with a double underscore or because I duplicated some internal name. I'll try to test that but I'm still looking for a solution.

    Thank you.
    Author Comment

    Changing the field's name makes no difference. I tried id="MyHiddenWT" and still got the error. Removing the runat="server" does prevent the error but that just means that .NET only examines server side controls.

    I also tried some additional values and found that of the following:
       "Anw=", "Bnw=", "Cnw=", ... "Nnw=", "Onw=", "Pnw=", ... "Znw=",
    "Onw=" is the only one that causes the problem. Is the capital O being seen as an octal value somehow?
    Accepted Solution

    Per another site, the reason is cross site scripting:

    It's being evaluated as a potential "onSomeEvent = doSomething()" script. Per Mike Kozlowski, for easy reference for some future person looking at this thread because they're having the same problem, the XSS validator blocks any string matching (in effect) the following regexes:


    The last two are impossible with Base64 encoding (which only allows letters, digits, +, /, and =), the first two are impossible if you just do UrlEncode twice in a row (to prevent equal signs from occurring), and the third is vanishingly unlikely in random characters, but if you're concerned about it, you can just replace all "x" characters with "," after the Base64 encoding.
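A small Python model of the "onSomeEvent=" rule described in the accepted solution and of the URL-encoding workaround for a compressed __VSTATE field. This is an added example, not code from the thread or from ASP.NET: the regex is an assumption standing in for the framework's real check, and encode_state/decode_state are hypothetical helpers.

```python
import base64
import re
import urllib.parse
import zlib

# Assumption: a simplified stand-in for the ASP.NET 1.1 request-validation rule
# the accepted answer describes. Text shaped like an inline event handler
# ("onSomeEvent = ...") is treated as potentially dangerous, which is why the
# harmless-looking Base64 value "Onw=" is rejected while "Anw=" is not.
ON_EVENT = re.compile(r"on[a-z]+\s*=", re.IGNORECASE)


def looks_dangerous(value: str) -> bool:
    """True if the value would trip the modelled 'onSomeEvent=' check."""
    return ON_EVENT.search(value) is not None


def check_values(values):
    """Map each candidate hidden-field value to whether the model rejects it."""
    return {v: looks_dangerous(v) for v in values}


def encode_state(raw: bytes) -> str:
    """Compress, Base64-encode, then URL-encode (hypothetical helper).

    URL-encoding turns the Base64 padding '=' into '%3D', so no
    'on<letters>=' sequence can survive in the value the validator sees
    after ASP.NET has undone the browser's own form encoding.
    """
    b64 = base64.b64encode(zlib.compress(raw)).decode("ascii")
    return urllib.parse.quote(b64, safe="")


def decode_state(field: str) -> bytes:
    """Reverse encode_state on the value posted back from the hidden field."""
    b64 = urllib.parse.unquote(field)
    return zlib.decompress(base64.b64decode(b64))


if __name__ == "__main__":
    # Reproduce the author's experiment: of "Anw=" .. "Znw=", only "Onw=" is flagged.
    probes = [c + "nw=" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"]
    print([v for v, bad in check_values(probes).items() if bad])  # ['Onw=']
    # Constructed sample state: the encoded field round-trips and is never flagged.
    state = b"constructed sample view state" * 4
    field = encode_state(state)
    print("=" in field, looks_dangerous(field), decode_state(field) == state)
```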
