Solved

why do i keep getting "A potentially dangerous Request.Form value was detected from the client"

Posted on 2014-11-04
2
54 Views
Last Modified: 2016-06-22
I have a web.config which will show a SAML login page. It will successfully log in, but after that I will get the above error.

Done:
added: <pages validateRequest="false"
tested: requestValidationMode="2.0"
added on aspx page: <%@ Page Language="C#" validateRequest="false"

still the same error.

web.config re-directs to an aspx page:

 <wsFederation passiveRedirectEnabled="true" issuer="https://login.website.nl" realm="http://localhost/" requireHttps="false" reply="http://localhost/Test.aspx"/>


Test.aspx directly runs fine. It's just that after logging in, I will get the above error.

And my landing page looks really basic:

<%@ Page Language="C#" validateRequest="false" AutoEventWireup="true"%>
<!DOCTYPE html>
<html>
<head>
    <title>SAML authentication landing page</title>
</head>
<body>
    <h1>SAML authentication landing page</h1>

</body>
</html>


I don't see any request form there.

Can anyone help?
Question by:A. Amien
2 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 40423758
In fact, "<" is not inherently dangerous; it's only dangerous in a specific context: when writing unencoded strings to HTML output (because of XSS). In other contexts different substrings are dangerous, e.g. if you write a user-provided URL into a link, the substring "javascript:" may be dangerous.

Also, the single quote character, on the other hand, is dangerous when interpolating strings in SQL queries, but perfectly safe if it is a part of a name submitted from a form or read from a database field.

You can't filter random input for dangerous characters, because any character may be dangerous if the request is ill-intended. It is better to encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning. Most refer to it as input validation checks...

E.g. When you write a string to HTML, you should encode characters that have special meaning in HTML, using Server.HtmlEncode. When you are sure you HTML-encode everywhere you pass strings to HTML, then set validateRequest="false". Not sure for the various .NET versions, especially v4, like some have to also add <httpRuntime requestValidationMode="2.0" /> to web.config...

E.g. If you pass a string to a dynamic SQL statement, you should encode different characters (or have the framework handle this using prepared statements or equivalent).
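The following is an added example, not code from the question or from btan's answer. It is a code-behind for a landing page like Test.aspx that applies the advice above: request validation stays enabled for the whole site, and only the WS-Federation sign-in POST fields (wa, wresult, wctx) are read through Request.Unvalidated (System.Web, available from .NET 4.5), which is what lets the XML token in wresult, containing "<", through without the "potentially dangerous Request.Form value" error. Anything echoed back into the page goes through HttpUtility.HtmlEncode, and the login record goes into SQL as parameters rather than string concatenation. On .NET 4 and later, a page-level validateRequest="false" by itself only takes effect when web.config also has <httpRuntime requestValidationMode="2.0" />, since validation otherwise runs before the page is reached; the approach below avoids needing either. The Literal control ID "Status", the connection string name "Logins", the table "Logins(UserName, SignedInAt)", and the class name Test (wired up via CodeBehind/Inherits on the page directive) are all assumptions.

```csharp
// Added example (not from the original question or answer). Assumes the page
// directive carries CodeBehind="Test.aspx.cs" Inherits="Test" and the markup
// contains <asp:Literal ID="Status" runat="server" /> inside the body.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Test : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // A direct GET of Test.aspx carries no token; nothing to process.
        if (!string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            return;
        }

        // Request.Unvalidated bypasses request validation for these reads only.
        // Every other Request.Form access in the application stays validated,
        // so the dangerous-characters check is relaxed exactly where the XML
        // token is expected and nowhere else.
        string action = Request.Unvalidated.Form["wa"];      // e.g. "wsignin1.0"
        string token = Request.Unvalidated.Form["wresult"];  // SAML token XML, contains '<'
        string context = Request.Unvalidated.Form["wctx"];

        var status = FindControl("Status") as Literal;       // assumed control ID
        if (status != null)
        {
            // Encode at the point where the value crosses into HTML (XSS boundary).
            // The token itself is never echoed, only its length.
            status.Text =
                "<p>Action: " + HttpUtility.HtmlEncode(action ?? string.Empty) + "</p>" +
                "<p>Token length: " + (token ?? string.Empty).Length + "</p>" +
                "<p>Context: " + HttpUtility.HtmlEncode(context ?? string.Empty) + "</p>";
        }

        // Once the federation module has established the identity, record the
        // login using a parameterized statement (assumed connection string name).
        var cs = ConfigurationManager.ConnectionStrings["Logins"];
        if (User.Identity.IsAuthenticated && cs != null)
        {
            RecordLogin(cs.ConnectionString, User.Identity.Name);
        }
    }

    // Parameterize at the point where the value crosses into SQL (injection
    // boundary): a single quote in a user name is data here, not syntax.
    // Hypothetical table: Logins(UserName NVARCHAR(256), SignedInAt DATETIME2).
    internal static int RecordLogin(string connectionString, string userName)
    {
        const string sql =
            "INSERT INTO Logins (UserName, SignedInAt) VALUES (@user, @at)";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = userName;
            cmd.Parameters.Add("@at", SqlDbType.DateTime2).Value = DateTime.UtcNow;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected, 1 on success
        }
    }
}
```

The design point is the one btan makes: the same string is harmless or dangerous depending on which sub-language it is about to enter, so the encoding (HtmlEncode for markup, parameters for SQL) lives at each boundary, while the validation exemption is confined to the three form fields the identity provider is known to post.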
