A potentially dangerous Request.Path value was detected from the client (?)

Question

Environment:

IIS 8.5

.NET Framework Version: 4.6.2 (using WebForms)

Windows Server 2012 R2

Problem:

The following exception is being reported:

BASE EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

BASE EXCEPTION HRESUT: -2147467259

EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Other information shown in our logs:

PATH_INFO
/cities/index.aspx?locid=4163
----
QUERY_STRING
----
REMOTE_ADDR
66.249.65.204
----
REMOTE_HOST
66.249.65.204
----
REQUEST_METHOD
GET
----
SCRIPT_NAME
/cities/index.aspx?locid=4163
----
URL
/cities/index.aspx?locid=4163
----
HTTP_FROM
googlebot(at)googlebot.com
----
HTTP_USER_AGENT
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

What I do not understand is if I cut and paste the path in my browser, the page is rendered just fine and without error.

Questions:

1. Why does googlebot, when crawling the page produce this error, yet no error is generated when I enter the path in a browser? (I do find it odd that the error log shows no value for the query string, even though it is present).
2. Why is the "?" character considered potentially dangerous?

Any advice would be appreciated as I am trying to understand how this particular "error" is being raised when the path is in fact valid.

Thanks in advance.

Answer 1

From Asp.net 4.0+ introduced a strict validation, so what ever error you are seeing might be the part of it . there are certain dangerouss characters in the url which might cause XSS attack . so ? is one among them. remaining characters are as follows:

< > * % & : \ ?

Probably there might be two solutions

1. you can allow these characters in your URL , or atleast certain character ,by configuring the following configuration in web config as follows

   <system.web> <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" /> </system.web>

2. You can roll back to asp.net 2.0 , with the following configuration

   <system.web> <httpRuntime requestValidationMode="2.0" /> </system.web>

Answer 2

It dawned on me why the querystring was not showing anything in our logs. Requests that encode the "?" (%3f) will cause the exception described above to be raised, for example:

/cities/index.aspx%3flocid=4163

The encoded %3f is interpreted as part of the path, hence the exception of "A potentially dangerous Request.Path value was detected from the client (?)".

When I entered the URL shown above in a browser -- the exception is raised and the log does not contain a querystring. So I can only assume everything is functioning as it should and that the requester is encoding the ? when they should not be; basically wrecking the querystring portion of the URL.

We also have requestValidationMode="2.0" in system.web, but DO NOT make use of the requestPathInvalidCharacters (httpRuntime) setting.

Answer 3

The same happens if you (or a pentester) access URL's ala https://domain.tld/<foobar and https://domain.tld/</.

Even with custom error pages enabled, this will return an error page rendered by IIS, and if you are logging errors in Application_Error you might find your logs full of noise from scanners/bots/etc.

I found that a rather simple workaround for this is to handle HttpException exceptions in Application_Error in Global.asax.cs. This way you don't need to tweak with requestValidationMode.

1. Create the following pages in the root of your application:

   • 400.html - for IIS
   • 400.aspx - for ASP.NET
   • 404.html - for IIS
   • 404.aspx - for ASP.NET
   • 500.html - for IIS
   • 500.aspx - for ASP.NET

     The .html files have content ala this:

     <!DOCTYPE html>
     <html lang="en">
     <head>
         <meta charset="utf-8" />
         <title>400 Bad request</title>
     </head>
     <body>
         <h1>400 Bad request</h1>
     </body>
     </html>
     

     The .aspx files have content ala this:

     <%@ Page Language="C#" %>
     <%
         Response.StatusCode = 400;
         Server.Transfer("~/400.html");
     %>
     

     Ensure that you set the appropriate response status code within the .aspx files.

2. Configure ASP.NET's custom errors as below:

   <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/500.aspx">
     <error statusCode="400" redirect="~/400.aspx"/>
     <error statusCode="404" redirect="~/404.aspx"/>
     <error statusCode="500" redirect="~/500.aspx"/>
   </customErrors>
   

3. Configure IIS's custom errors as below:

   <httpErrors errorMode="DetailedLocalOnly">
    <remove statusCode="400"/>
    <error statusCode="400" path="400.html" responseMode="File"/>
    <remove statusCode="404"/>
    <error statusCode="404" path="404.html" responseMode="File"/>
    <remove statusCode="500"/>
    <error statusCode="500" path="500.html" responseMode="File"/>
   </httpErrors>
   

4. Adjust Global.asax.cs accordingly:

   protected void Application_Error(object sender, EventArgs e)
   {
       var lastError = Server.GetLastError();
       Server.ClearError();
   
       if (lastError.GetType() == typeof(HttpException))
       {
           Response.StatusCode = 400;
           Server.Transfer("400.html");
       }
       else
       {
           Response.StatusCode = 500;
           Server.Transfer("500.html");
   
           // logging
       }
   }
   

See http://benfoster.io/blog/aspnet-mvc-custom-error-pages for the full story on how to setup custom error pages and https://msdn.microsoft.com/en-us/library/bb397417.aspx for more on error handlers.