ASP.NET Request Validation

From OWASP
Revision as of 03:57, 10 July 2014 by Bill Sempf (talk | contribs)

Jump to: navigation, search
This Page (may) contain some old Content. Please help OWASP to FixME.

ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework.

ASP.NET 1.1 Request Validation Summary

  • Filter "&#"
  • Filter ‘<’ then alphas or ! or / (tags)
  • Filter "script:"
  • Filter on handlers (onXXX=)
  • Filter “expression(“
  • Ignore elements named "__VIEWSTATE"


ASP.NET 2.0 Request Validation Summary

  • Filter "&#"
  • Filter ‘<’ then alphas or ! or / or ? (tags)
  • Ignore elements with names prefixed with double underscore (__)


ValidateRequest Setting

To toggle request validation (it is set to true by default):

On a single page: 

 <%@ Page validateRequest="true|false" %>

For the entire application: 

 <configuration>
    <system.web>
         <pages validateRequest="true|false" />
    </system.web>
 </configuration>

References

ASP.NET 2.0 dumb’s down request validation (by Michael Eddington)

ASP.NET ValidateRequest and the HTML Attribute Based Cross Site Scripting

Retrieved from "https://wiki.owasp.org/index.php?title=ASP.NET_Request_Validation&oldid=178474"