This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ASP.NET Request Validation"
From OWASP
(New page: ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework. ==ASP...) |
|||
| Line 3: | Line 3: | ||
==ASP.NET 1.1 Request Validation Summary== | ==ASP.NET 1.1 Request Validation Summary== | ||
| − | + | *Filter "&#" | |
| − | + | *Filter ‘<’ then alphas or ! or / (tags) | |
| − | + | *Filter "script:" | |
| − | + | *Filter on handlers (onXXX=) | |
| − | + | *Filter “expression(“ | |
| − | + | *Ignore elements named "__VIEWSTATE" | |
==ASP.NET 2.0 Request Validation Summary== | ==ASP.NET 2.0 Request Validation Summary== | ||
| − | + | *Filter &# | |
| − | + | *Filter ‘<’ then alphas or ! or / (tags) | |
| − | + | *Ignore elements with names prefixed with double underscore (__) | |
| − | To | + | ===To toggle request validation (it is set to true by default):=== |
On a single page: | On a single page: | ||
| − | <%@ Page validateRequest="false" %> | + | <%@ Page validateRequest="true|false" %> |
For the entire application: | For the entire application: | ||
| Line 26: | Line 26: | ||
<configuration> | <configuration> | ||
<system.web> | <system.web> | ||
| − | <pages validateRequest="false" /> | + | <pages validateRequest="true|false" /> |
</system.web> | </system.web> | ||
</configuration> | </configuration> | ||
Revision as of 13:57, 29 April 2008
ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework.
ASP.NET 1.1 Request Validation Summary
- Filter "&#"
- Filter ‘<’ then alphas or ! or / (tags)
- Filter "script:"
- Filter on handlers (onXXX=)
- Filter “expression(“
- Ignore elements named "__VIEWSTATE"
ASP.NET 2.0 Request Validation Summary
- Filter &#
- Filter ‘<’ then alphas or ! or / (tags)
*Ignore elements with names prefixed with double underscore (__)
To toggle request validation (it is set to true by default):
On a single page:
<%@ Page validateRequest="true|false" %>
For the entire application:
<configuration>
<system.web>
<pages validateRequest="true|false" />
</system.web>
</configuration>
References
Validation - Preventing Script Attacks
ASP.NET 2.0 dumb’s down request validation (by Michael Eddington)
