
I have been getting a few exceptions caught by my global exception handler (in Global.asax.cs). These originate in a page that allows an email to be sent from the website. This page includes 3 textboxes for user input, and I suspect the exceptions may be caused by malicious code being typed into the boxes. This is the error message:

    A potentially dangerous Request.Form value was detected from the client (ctl00$contentPageSpecificMain$textBoxBody=",
    <a href="http://f1ga...").; stack=   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
       at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)
       at System.Web.HttpRequest.get_Form()
       at System.Web.HttpRequest.get_HasForm()
       at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
       at System.Web.UI.Page.DeterminePostBackMode()
       at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
       at System.Web.UI.Page.ProcessRequest()
       at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
       at System.Web.UI.Page.ProcessRequest(HttpContext context)
       at ASP.contact_aspx.ProcessRequest(HttpContext context)
       at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously);

The contentPageSpecificMain is the name of a content placeholder in the Master page. The textBoxBody is the name of the textbox in which the user types the body of the email. The hyperlink following this seems to contain a random sequence of characters.

I have a couple of specific questions about this.

Firstly, I block less-than and greater-than symbols, so I don't see how malicious code could be entered into the form.

The URL in the hyperlink always ends with three dots; is this something the .NET exception system is doing or is this the URL that is somehow actually being entered into the form?

Has anyone seen anything like this? It is not causing damage because it is blocked by .NET, but it is disappointing that it is getting this far, because I have taken steps to protect the form from malicious input.

Kind wishes ~ Patrick

Patrick
  • possible duplicate of [A potentially dangerous Request.Form value was detected from the client (textboxError=" – Andreas May 31 '14 at 14:26
  • so someone is trying to post links in your textboxes? ;p you should sanitize all those strings. especially the ; (semicolon) character in email to/from fields. – porkchop May 31 '14 at 14:35
  • `I block less-than and greater-than symbols` - if this is done in JavaScript then it is easy to override this behaviour on the client. If you are doing it in code well ASP.NET will parse the input before your code does and give you this error. – SilverlightFox Jun 01 '14 at 17:46

1 Answer


If you want to handle the validation directly yourself, you can set the ValidateRequestMode on the TextBox control to Disabled. It can be done at design time or in code. This allows you to handle the input without it being trapped by the ASP.NET handler first.

    // Disabled is a member of the ValidateRequestMode enum (System.Web.UI)
    TextBox1.ValidateRequestMode = ValidateRequestMode.Disabled;

The advantage of this is that you can set the flag at whatever level is appropriate for your application and the inheritance will allow it to trickle down, without having to set it for the application or whole page.

Mythlandia
  • This property was added in .Net Framework 4.5 https://msdn.microsoft.com/en-us/library/system.web.ui.control.validaterequestmode.aspx – Emyr Nov 17 '16 at 14:12
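The following is an added example and not code from the question or the answer. It puts the answer's suggestion together with the points raised in the comments: request validation is switched off only for the body textbox, the less-than/greater-than check the questioner mentions is applied on the server (where it cannot be bypassed by editing the client), line breaks are stripped from header fields before the mail is built, and the global handler in Global.asax.cs logs HttpRequestValidationException separately from real crashes. The class name Contact, the control IDs other than textBoxBody, the mail addresses and the length limit are assumptions.

```csharp
// Contact.aspx.cs (assumed code-behind for the contact page described in the question).
// Markup side, assumed: the body textbox is declared with
//   <asp:TextBox ID="textBoxBody" runat="server" TextMode="MultiLine" ValidateRequestMode="Disabled" />
// The same setting is applied below in code so the example stands on its own.
using System;
using System.Diagnostics;
using System.Net.Mail;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Contact : Page
{
    // Assumed limit: a contact-form message longer than this is rejected outright.
    private const int MaxBodyLength = 4000;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Only this control bypasses ASP.NET request validation; textBoxFrom and
        // textBoxSubject keep the default (Enabled) and are still checked by the framework.
        textBoxBody.ValidateRequestMode = ValidateRequestMode.Disabled;
    }

    protected void buttonSend_Click(object sender, EventArgs e)
    {
        string body = textBoxBody.Text ?? string.Empty;

        // Server-side replacement for the client-side "<" and ">" filter: the framework no
        // longer rejects this field for us, so the page has to do it.
        if (!IsAcceptableBody(body))
        {
            labelError.Text = "Message rejected.";
            return;
        }

        // Anything echoed back into the page is HTML-encoded, never written raw.
        labelPreview.Text = HttpUtility.HtmlEncode(body);

        // Header fields: CR/LF would let a sender add extra headers (the "to/from" concern
        // raised in the comments), so they are removed before the message is built.
        string subject = StripLineBreaks(textBoxSubject.Text);
        string replyTo = StripLineBreaks(textBoxFrom.Text);

        // Addresses are assumptions; the recipient is fixed server-side, not taken from the form.
        var message = new MailMessage("noreply@example.com", "contact@example.com");
        message.Subject = subject;
        message.Body = "Reply-to requested: " + replyTo + "\r\n\r\n" + body;
        message.IsBodyHtml = false; // plain text: the recipient's client will not render markup

        // Assumes SMTP settings come from <system.net><mailSettings> in web.config.
        new SmtpClient().Send(message);
        labelError.Text = "Sent.";
    }

    // Mirrors the questioner's rule (no angle brackets) plus a size cap.
    internal static bool IsAcceptableBody(string body)
    {
        if (body.Length > MaxBodyLength) return false;
        return body.IndexOf('<') < 0 && body.IndexOf('>') < 0;
    }

    internal static string StripLineBreaks(string value)
    {
        return (value ?? string.Empty).Replace("\r", string.Empty).Replace("\n", string.Empty);
    }
}

// Global.asax.cs: distinguish framework rejections from application failures.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex is HttpRequestValidationException)
        {
            // Log where it came from and which page, not the submitted payload itself;
            // the value inside the exception message is truncated by ASP.NET anyway.
            Trace.TraceWarning("Request validation rejected a post from {0} to {1}",
                Request.UserHostAddress, Request.Path);
            Server.ClearError();
            Response.StatusCode = 400;
            Response.End();
        }
        // Any other exception falls through to the existing global handling.
    }
}
```

ValidateRequestMode only has an effect when the application runs with `<httpRuntime requestValidationMode="4.5" />` (or a later value) in web.config; under the 4.0 mode the whole form is still validated before the page code runs, which is the behaviour the stack trace in the question shows. The three dots the questioner asks about come from the framework truncating the offending value in the exception message, which is why the handler above logs the source and path rather than relying on the message text.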