WebApp Sec mailing list archives
ISS6 - ASP.NET
From: <webappsec () technicalinfo net>
Date: Tue, 09 Sep 2003 11:23:14 +0100
Anyone been playing with ASP.NET and the error message it automagically creates?

Given the following helpful error message, what experience have other people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the comprehensive automated response?

A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
   System.Web.HttpRequest.get_QueryString() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod() +83
   System.Web.UI.Page.DeterminePostBackMode() +47
   System.Web.UI.Page.ProcessRequestMain() +2075
   System.Web.UI.Page.ProcessRequest() +218
   System.Web.UI.Page.ProcessRequest(HttpContext context) +18
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87

--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573

Cheers.

http://www.technicalinfo.net/
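Added example, not part of the original post or of ASP.NET itself: the error text above recommends that an application "explicitly check all inputs" if request validation is turned off, and this sketch shows one way to do that for the `criteria` parameter, pairing an allow-list check with HTML encoding at output. The class and method names and the allow-list policy are assumptions, and it uses `System.Net.WebUtility` from current .NET rather than the 1.1 framework shown in the post.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

static class CriteriaHandling
{
    // Assumed policy for the search field: letters, digits, space, hyphen, 1-64 chars.
    static readonly Regex Allowed = new Regex(@"\A[A-Za-z0-9 \-]{1,64}\z");

    // Explicit input check: accept only values that match the allow-list.
    public static bool IsValidCriteria(string value)
    {
        return value != null && Allowed.IsMatch(value);
    }

    // Output handling: encode at the point the value is written into HTML,
    // whether or not it passed validation, so markup characters are inert.
    public static string RenderResultHeading(string criteria)
    {
        return "<p>Results for: " + WebUtility.HtmlEncode(criteria ?? "") + "</p>";
    }

    static void Main()
    {
        // Constructed sample inputs; the second is the value quoted in the error message.
        string[] samples = { "blue widgets", "'><H1>Toss</H1>", "", null };
        foreach (string s in samples)
        {
            Console.WriteLine("input    : " + (s ?? "(null)"));
            Console.WriteLine("accepted : " + IsValidCriteria(s));
            Console.WriteLine("rendered : " + RenderResultHeading(s));
            Console.WriteLine();
        }
    }
}
```

The two steps are independent on purpose: the allow-list rejects unexpected input early, and the encoding step keeps any value that does reach the page from being parsed as markup.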