
I recently received an error email from a user trying to log in using a valid randomly generated password that appears to have some unicode.

A potentially dangerous Request.Form value was detected from the client (Password="zG&2&#8W")

How can I address this issue to allow the submission without shutting off the validation and opening up the site to Injection attacks?

This is authenticating against an AD domain. While this system is available on the internet, access is restricted to domain users.

The Registration and change password options are handled by a system I do not have the ability to change, so I cannot prevent the & # or ; from being used in passwords.

That this is a password field means I cannot simply replace the offending characters prior to submit, since it will not authenticate.

The user has changed their password so the immediate need has gone away but I still need to address this problem so it doesn't happen again in the future.

Chad
  • What exactly is generating that error? – Grantly Nov 20 '17 at 22:56
  • @Grantly - If you paste that password into an asp.net form with validation turned on and submit it will cause an error. – Chad Nov 20 '17 at 22:57
  • Is that web forms or MVC? – Frank Fajardo Nov 20 '17 at 23:08
  • @FrankFajardo - It actually happens in both MVC5 and Web Forms. The MVC5 is the solution I really need to figure out. I think I can justify not bothering to fix the webforms system we are about to replace with a new mvc app. – Chad Nov 20 '17 at 23:13
  • Have you tried using `[AllowHtml]` on that model property? – Frank Fajardo Nov 20 '17 at 23:15
  • @FrankFajardo - Well that addresses the issue of throwing an error. I am concerned what sort of complications that could have. It's a password field that never gets displayed on screen, or written to a directory, so hopefully none. – Chad Nov 20 '17 at 23:22
  • [From MSDN](https://msdn.microsoft.com/en-us/library/system.web.mvc.allowhtmlattribute(v=vs.118).aspx): "[It] allows a request to include HTML markup during model binding by skipping request validation for the property. (It is strongly recommended that your application explicitly check all models where you disable request validation in order to prevent script exploits.)" Note the statement in parentheses. So it is up to your server to validate the input (in this case, the user's password), before using it. – Frank Fajardo Nov 20 '17 at 23:30

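One way to handle the MVC5 case the comments describe, as an added example (not code from the question, nor from Microsoft's documentation): scope `[AllowHtml]` to the password property alone, keep explicit model validation on the bound value, and hand the raw password straight to AD through `PrincipalContext.ValidateCredentials`, so the HTML-looking characters are never rendered or stored. The domain name, controller and view model names are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.DirectoryServices.AccountManagement;
using System.Web.Mvc;
using System.Web.Security;

// Login form model. [AllowHtml] switches request validation off for this one
// property only, so a password like zG&2&#8W (the "&#8" looks like an HTML
// entity to the validator) binds instead of throwing. Every other field on
// the form keeps the default request validation.
public class LoginViewModel
{
    [Required, StringLength(256)]
    public string UserName { get; set; }

    [AllowHtml]                                   // skip request validation here only
    [Required, StringLength(128, MinimumLength = 8)]
    [DataType(DataType.Password)]                 // rendered with a password input; never echoed
    public string Password { get; set; }
}

public class AccountController : Controller
{
    private const string Domain = "corp.example"; // placeholder AD domain (assumed)

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model)
    {
        // Explicit checks stand in for the request validation disabled on
        // Password: required, bounded length. The value is never written to
        // a view, a log or a directory, so its characters are never interpreted.
        if (!ModelState.IsValid)
            return View(model);

        bool authenticated;
        using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
        {
            // Raw password goes straight to the domain controller for checking.
            authenticated = ctx.ValidateCredentials(model.UserName, model.Password);
        }

        if (!authenticated)
        {
            // Generic failure message; do not reflect the submitted credentials.
            ModelState.AddModelError("", "Invalid user name or password.");
            return View(model);
        }

        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);
        return RedirectToAction("Index", "Home");
    }
}
```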