This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "ASP.NET Request Validation"
From OWASP
m (<? is also considered as a dangerous tag in ASP.NET 2.0) |
Bill Sempf (talk | contribs) |
||
| Line 1: | Line 1: | ||
| + | {{taggedDocument | ||
| + | | type=partialOld | ||
| + | }} | ||
| + | |||
ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework. | ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework. | ||
Revision as of 03:57, 10 July 2014
This Page (may) contain some old Content. Please help OWASP to FixME.
ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework.
ASP.NET 1.1 Request Validation Summary
- Filter "&#"
- Filter ‘<’ then alphas or ! or / (tags)
- Filter "script:"
- Filter on handlers (onXXX=)
- Filter “expression(“
- Ignore elements named "__VIEWSTATE"
ASP.NET 2.0 Request Validation Summary
- Filter "&#"
- Filter ‘<’ then alphas or ! or / or ? (tags)
- Ignore elements with names prefixed with double underscore (__)
ValidateRequest Setting
To toggle request validation (it is set to true by default):
On a single page:
<%@ Page validateRequest="true|false" %>
For the entire application:
<configuration>
<system.web>
<pages validateRequest="true|false" />
</system.web>
</configuration>
References
ASP.NET 2.0 dumb’s down request validation (by Michael Eddington)
ASP.NET ValidateRequest and the HTML Attribute Based Cross Site Scripting
