This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

ASP.NET Request Validation

From OWASP
Revision as of 13:18, 29 April 2008 by Mroxberr (talk | contribs) (New page: ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework. ==ASP...)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

ASP.NET Provides built-in request validation on form submission or postback handling. Request validation is on by default, and is handled differently by versions of the framework.

ASP.NET 1.1 Request Validation Summary

  *Filter  "&#"
  *Filter  ‘<’ then alphas or ! or / (tags)
  *Filter  "script:"
  *Filter  on handlers (onXXX=)
  *Filter “expression(“
  *Ignore elements named "__VIEWSTATE"

ASP.NET 2.0 Request Validation Summary

  *Filter  &#
  *Filter  ‘<’ then alphas or ! or / (tags)
  *Ignore elements with names prefixed with double underscore (__)

To disable request validation:

On a single page: 

 <%@ Page validateRequest="false" %>

For the entire application: 

 <configuration>
    <system.web>
         <pages validateRequest="false" />
    </system.web>
 </configuration>

References

Validation - Preventing Script Attacks
ASP.NET 2.0 dumb’s down request validation (by Michael Eddington)

Retrieved from "https://wiki.owasp.org/index.php?title=ASP.NET_Request_Validation&oldid=28599"