
I found that request validation was not working on my PC, which meant it was behaving differently from our live web servers. After some experimentation it seems Glimpse is the cause (the version with Glimpse has not yet gone live, which is why the live servers were working normally).

e.g. this malicious URL:

http://website/?foo=<script>

...should cause the following error:

A potentially dangerous Request.QueryString value was detected from the client (foo="<script>").

However once Glimpse is registered in web.config "modules" section, the request validation doesn't happen (even when Glimpse is turned off), leaving the website open to cross site scripting attacks (XSS).

If I remove the line which registers Glimpse, then request validation immediately works normally. In IIS 7.5 this is as follows:

<system.webServer>
    <modules>
        <add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
    </modules>
</system.webServer>

Is there a way I can fix this, or is this a bug in Glimpse?

Update 1:

I've now verified the problem happens if I do a fresh install of Glimpse into an unrelated project (running ASP.NET 4.5.1), so it is not an incompatibility with the original project. I did not change any settings, I simply installed it from NuGet and the problem was immediately apparent.

I've also noticed that if I turn Glimpse off by setting <glimpse defaultRuntimePolicy="Off" /> in Web.config, then request validation kicks in as normal.

NickG
  • This should not be the case. Can you provide information about what versions of Glimpse and ASP.NET you are using, plugins you have installed and reproduction steps? – nikmd23 Oct 03 '14 at 15:36
  • I installed Glimpse from NuGet this week, for an ASP.NET 4.0 web forms site. Then noticed request validation is broken. Removing the Glimpse module fixes it. Give me a few minutes - I will post more info. – NickG Oct 03 '14 at 15:46
  • I can confirm the problem is reproducible even if no other modules are registered. – NickG Oct 03 '14 at 16:02
  • It happens on other sites I install Glimpse into. I've updated the question with more info (Update 1). – NickG Oct 03 '14 at 16:28

1 Answer

The way that request validation works in ASP.NET is that the input is validated and an exception thrown only for the first call to Request.RawUrl, Request.QueryString, and so on. Glimpse looks up the query string early on in the request (from RequestMetadata.get_RequestIsAjax) and swallows the exception, so future calls to Request.QueryString in the same request context will not be validated.

FWIW, the ASP.NET team has disowned request validation. See https://learn.microsoft.com/en-us/aspnet/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet-and-what-to-do-instead#validation for more information.

Bouke
Levi
  • Thanks - that seems like the likely cause. Perhaps I'll have to put in a second layer of protection then. I'm not sure it's really disowned as such though. It provides a good basic level of protection and is still a supported feature in 4.5. – NickG Oct 03 '14 at 18:00
  • Nope, it's disowned. The only reason it's on by default is for back-compat, *not* for security. Any request validation-related bugs given to us are immediately resolved as "won't fix". I go into this in a little more detail at http://stackoverflow.com/a/25748194/59641. – Levi Oct 03 '14 at 18:07
  • So basically there's no fix, other than to turn Glimpse off if request validation is perceived to be useful? – NickG Oct 06 '14 at 10:12
  • Thanks for the update Levi. I didn't realize request validation was disowned. In the past we've done some crazy stuff to avoid this side effect - which always bothered me. – nikmd23 Oct 06 '14 at 13:48
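The following is an added model, written for this page and not code from Glimpse, ASP.NET or either poster, of the mechanism Levi describes above and of the symptom in the question: the query string is validated only while a "needs validation" flag is set, the flag is cleared on the first access, so a module that reads the query string early and swallows the exception leaves every later reader in the same request unvalidated. The dangerous-string check is an approximation of the ASP.NET 4 rules ('<' followed by a letter, '!', '/' or '?', or the sequence '&#'); the re-arm method models the existing HttpRequest.ValidateInput(), and treating it as a second validation layer is this example's assumption, since in real ASP.NET its effect still depends on module ordering.

```python
# Model of ASP.NET's validate-once-on-first-access behaviour (added example, not
# Glimpse or ASP.NET code). Names like ModelRequest and early_module_peeks are
# constructed for illustration.
import re
from typing import Dict


class HttpRequestValidationException(Exception):
    """Stands in for System.Web.HttpRequestValidationException."""


# Approximation of the ASP.NET 4 CrossSiteScriptingValidation rules:
# '<' followed by a letter, '!', '/' or '?', or the sequence '&#'.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def is_dangerous(value: str) -> bool:
    """True when the value would trip ASP.NET request validation (approximate)."""
    return _DANGEROUS.search(value) is not None


class ModelRequest:
    """Minimal model of HttpRequest: the query string is checked only while the
    'needs validation' flag is set, and the flag is cleared before the check runs,
    so the check executes at most once per arming of the flag."""

    def __init__(self, raw_query: Dict[str, str]):
        self._raw = raw_query
        self._needs_validation = True  # armed by the runtime at request start

    def validate_input(self) -> None:
        """Model of HttpRequest.ValidateInput(): re-arm the check for the next access."""
        self._needs_validation = True

    @property
    def query_string(self) -> Dict[str, str]:
        if self._needs_validation:
            # Cleared first: once an exception has been thrown (and possibly
            # swallowed), later accesses in this request are not re-checked.
            self._needs_validation = False
            for key, value in self._raw.items():
                if is_dangerous(value):
                    raise HttpRequestValidationException(
                        "A potentially dangerous Request.QueryString value was "
                        f'detected from the client ({key}="{value}").'
                    )
        return self._raw


def early_module_peeks(request: ModelRequest) -> None:
    """Model of a diagnostic module that reads the query string early in the
    request and swallows the validation exception (the behaviour the answer describes)."""
    try:
        request.query_string.get("X-Requested-With")
    except HttpRequestValidationException:
        pass  # swallowed: the flag is now cleared for everyone else


def page_handler_reads(request: ModelRequest, rearm: bool) -> str:
    """Model of application code reading the query string later in the same request.
    With rearm=True it re-arms validation first (the assumed second-layer mitigation)."""
    if rearm:
        request.validate_input()
    return request.query_string.get("foo", "")


def run_scenario(early_reader: bool, rearm: bool) -> str:
    """Returns 'blocked' if the dangerous value is rejected, otherwise the
    unvalidated value that reached the handler. Input is the constructed
    query string from the question: ?foo=<script>."""
    request = ModelRequest({"foo": "<script>"})
    if early_reader:
        early_module_peeks(request)
    try:
        return page_handler_reads(request, rearm)
    except HttpRequestValidationException:
        return "blocked"


if __name__ == "__main__":
    print("no early reader          :", run_scenario(early_reader=False, rearm=False))
    print("early reader swallows    :", run_scenario(early_reader=True, rearm=False))
    print("early reader + re-arm    :", run_scenario(early_reader=True, rearm=True))
```

The first scenario is the live servers in the question (the handler's own access throws), the second is the PC with Glimpse registered (the value arrives unvalidated), and the third shows why an explicit re-validation step in the application's own code, rather than reliance on whichever module touches the request first, is the kind of second layer the question's author mentions.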