  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 100

Why do I keep getting "A potentially dangerous Request.Form value was detected from the client"?

I have a web.config which will show a SAML login page. It will successfully log in, but after that I will get the above error.

Done:
added: <pages validateRequest="false"
tested: requestValidationMode="2.0"
added on aspx page: <%@ Page Language="C#" validateRequest="false"

still the same error.

web.config re-directs to an aspx page:

 <wsFederation passiveRedirectEnabled="true" issuer="https://login.website.nl" realm="http://localhost/" requireHttps="false" reply="http://localhost/Test.aspx"/>



Test.aspx directly runs fine. It's just that after logging in, I will get the above error.

And my landing page looks really basic:

<%@ Page Language="C#" validateRequest="false" AutoEventWireup="true"%>
<!DOCTYPE html>
<html>
<head>
    <title>SAML authentication landing page</title>
</head>
<body>
    <h1>SAML authentication landing page</h1>

</body>
</html>



I don't see any request form there.

Can anyone help?
0
Asked by: A. Amien

1 Solution

btan, Exec Consultant, commented:
In fact, "<" is not inherently dangerous; it's only dangerous in a specific context: when writing unencoded strings to HTML output (because of XSS). In other contexts different substrings are dangerous, e.g. if you write a user-provided URL into a link, the substring "javascript:" may be dangerous.

The single quote character, on the other hand, is dangerous when interpolating strings in SQL queries, but perfectly safe if it is part of a name submitted from a form or read from a database field.

You can't filter random input for dangerous characters, because any character may be dangerous if the request is ill intended. It is better to encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning. Most refer to it as input validation checks...

E.g. when you write a string to HTML, you should encode characters that have special meaning in HTML, using Server.HtmlEncode. When you are sure you HTML-encode everywhere you pass strings to HTML, then set validateRequest="false". Not sure for the various .NET versions, especially v4, as some have to also add <httpRuntime requestValidationMode="2.0" /> to web.config...

E.g. if you pass a string to a dynamic SQL statement, you should encode different characters (or have the framework handle this using prepared statements or equivalent).
0
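As an added example of the "encode at each boundary instead of filtering input" advice above (this is not code from the asker's project or from btan's answer), here is a code-behind for a landing page like Test.aspx that keeps validateRequest="false" safe by encoding for the HTML, URL and SQL contexts separately. The POSTed field name wresult, the connection string name, the Users table and the control names are assumptions made for the illustration.

```csharp
// Added example, not the asker's page or btan's code. Assumptions: the
// federation reply arrives in a POSTed field named "wresult", web.config has a
// connection string "Main", a Users(NameId, DisplayName) table exists, and the
// page declares Literal controls tokenPreview/welcome and HyperLink continueLink.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class Test : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // With <%@ Page validateRequest="false" %> the raw token, '<' and all,
        // reaches this handler instead of raising the "potentially dangerous
        // Request.Form value" exception. The burden moves to output encoding.
        string wresult = Request.Form["wresult"];
        if (string.IsNullOrEmpty(wresult))
        {
            Response.StatusCode = 400;
            return;
        }

        // HTML context: encode so '<', '>', '&' and quotes lose their markup
        // meaning. This is what makes validateRequest="false" acceptable.
        string preview = wresult.Length > 200 ? wresult.Substring(0, 200) : wresult;
        tokenPreview.Text = HttpUtility.HtmlEncode(preview);

        // URL context: the same value needs a different encoding when it is
        // placed in a query string, because '&', '=' and '#' are special there.
        string nameId = User.Identity.Name ?? string.Empty;
        continueLink.NavigateUrl = "Profile.aspx?user=" + HttpUtility.UrlEncode(nameId);

        // SQL context: a parameter, not string concatenation, so a single quote
        // in a name is data rather than query syntax.
        string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT DisplayName FROM Users WHERE NameId = @nameId", conn))
        {
            cmd.Parameters.Add("@nameId", SqlDbType.NVarChar, 256).Value = nameId;
            conn.Open();
            object row = cmd.ExecuteScalar();
            welcome.Text = HttpUtility.HtmlEncode(row == null ? "unknown user" : (string)row);
        }
    }
}
```

On .NET 4 this page still needs the <httpRuntime requestValidationMode="2.0" /> setting mentioned in the answer, otherwise the per-page validateRequest="false" is ignored and the exception fires before Page_Load runs.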
