一个潜在危险的Request.QueryString —如何在不关闭安全功能的情况下进行预防

Question

I am getting this message when I perform a post with some data encoded in the query string. I have browsed the web on this and all the solutions are about turning off the validation -- which seems backward to me. What I want to do is modify the query string so that it doesn't trigger the validation in the first place.

The query string is urlEncoded with this javascript:

var qs = 'i=' + id+ '&c=' + encodeURIComponent(c) + '&' + 'p=' + encodeURIComponent(p);

'Id' is just an integer, so the c and p parameters are the only ones likely to cause this, and they are both URIencoded.

What causes this error, and what, beyond uri encoding can I do to prevent the complaint? I don't like turning off safety features. It is smart to wear a safety belt when you are driving.

Answer 1

This is a safety belt only for people that haven't passed their driving test. If output is correctly encoded, the "potentially dangerous" query string value is no longer dangerous.

For example, if the character " is output to HTML this should be encoded as " , or if the character ' is output to JavaScript then it should be encoded as \\x27 .

ASP.NET Request Validation only protects your code if you are not correctly encoding for output, and furthermore it only protects values that have been input via a website with Request Validation enabled. Anything input from any other sources (eg a shared database, another application or an external API) will not be validated by request validation. This is why I would code your application to handle correct output encoding instead. If stackoverflow.com blocked potentially dangerous input then it would not be possible for people to write code like this in their posts: <script>alert('example');</script> , but with proper output encoding, as you can see this is safe.

Check out my post on ASP.NET Security (A3-Cross-Site Scripting (XSS) section).

Also see the OWASP XSS Prevention Cheat Sheet .

Answer 2

The ASP.NET team doesn't want you rely on 'RequestValidation' so it is ok to turn it off (it's a crutch that gives a false sense of security because it isn't always up to speed).

For info on why this ok and what you should do instead, watch this video starting at 11:10. I would actually recommend watching the whole video.

Answer 3

You're right, most "fixes" for this tell you to turn off validation so it was kind of difficult to find something other than that. I think you're going to have to turn it off just for that request and then manually validate it. According to microsoft, you can disable it for a request like this:

Request.Unvalidated("userInput"); // Validation bypassed
Request.Unvalidated().Form["userInput"]; // Validation bypassed 

If you disable request validation, you must manually check the unvalidated user input for potentially dangerous input

See this article: http://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx

Good Luck!