WebApp Sec mailing list archives

ISS6 - ASP.NET


From: <webappsec () technicalinfo net>
Date: Tue, 09 Sep 2003 11:23:14 +0100

Anyone been playing with ASP.NET and the error message it automagically creates?

Given the following helpful error message, what experience have other people had SUCCESSFULLY exploiting this type of vuln on IIS6, given the comprehensive automated response?


A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>"). 
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>").

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace: 

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.QueryString value was detected from the client (criteria="'><H1>Toss</H1>").]
   System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName) +230
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName) +99
   System.Web.HttpRequest.get_QueryString() +113
   System.Web.UI.Page.GetCollectionBasedOnMethod() +83
   System.Web.UI.Page.DeterminePostBackMode() +47
   System.Web.UI.Page.ProcessRequestMain() +2075
   System.Web.UI.Page.ProcessRequest() +218
   System.Web.UI.Page.ProcessRequest(HttpContext context) +18
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:1.1.4322.573; ASP.NET Version:1.1.4322.573 



Cheers.

http://www.technicalinfo.net/

