
Potentially dangerous Request.QueryString value 1

Status
Not open for further replies.

tcstom

Programmer
Aug 22, 2003
235
GB
I'm getting the error "A potentially dangerous Request.QueryString value was detected from the client" relating to the following URL:
Code:
contact.aspx?id=t63ONOALoPYjbYmGBjmSDg%3d%3d&log=true

The id part is an encrypted string that has also been passed to the Server.UrlEncode method to make it safe as part of a URL so what can I do to prevent this? I really don't want to turn off ValidateRequest for this web form, but I do need to pass this encrypted string to it.
 
I'm using ASP.NET's own Triple DES encryption methods to encrypt a simple string such as "C045938". In this case the encrypted form of the string is "t63ONOALoPYjbYmGBjmSDg==". If this is assigned to variable strEnc I then use...
Code:
strEnc = Server.UrlEncode(strEnc)
...to encode the encrypted value (which in this case just replaces '=' with '%3d'). I then have a link on screen with a URL containing this encoded and encrypted string (see previous post). When a user clicks this link the requested page gives the error. The same process has been used many many times and this is the first time the error has arisen. I'm almost certain the problem is that this time the encrypted string happens to contain 'on' and '=' so is being interpreted as onEvent=doSomething() Javascript.

If it helps, my encryption method is as follows:

Code:
using System;
using System.Security.Cryptography;
using System.Text;

private static string EncryptedValue(string toEncrypt, string key)
{
	byte[] keyArray;
	byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt);

	// Use hashing: MD5 yields 16 bytes, so TripleDES runs in two-key mode (K1, K2, K1)
	MD5CryptoServiceProvider hashmd5 = new MD5CryptoServiceProvider();
	keyArray = hashmd5.ComputeHash(UTF8Encoding.UTF8.GetBytes(key));
	hashmd5.Clear();

	// Initialise the Triple DES service provider (ECB mode needs no IV)
	TripleDESCryptoServiceProvider tdes = new TripleDESCryptoServiceProvider();
	tdes.Key = keyArray;
	tdes.Mode = CipherMode.ECB;
	tdes.Padding = PaddingMode.PKCS7;

	// Perform the encryption
	ICryptoTransform cTransform = tdes.CreateEncryptor();
	byte[] resultArray = cTransform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
	tdes.Clear();

	// Standard base64 output, which may contain '+', '/' and '=' padding
	return Convert.ToBase64String(resultArray, 0, resultArray.Length);
}
 
OK, I'm struggling to reproduce this error. From your description it sounds as if your contact.aspx page is the page that is throwing the error when it is called with that querystring. However, if I reproduce this page:
Code:
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="contact.aspx.vb" Inherits="contact" ValidateRequest="true" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    
    </div>
    </form>
</body>
</html>
and then enter this URL into my browser:
Code:
contact.aspx?id=t63ONOALoPYjbYmGBjmSDg%3d%3d&log=true
Then the empty page displays correctly. So, either:

1) I have recreated your test incorrectly.
2) The problem isn't to do with the contact page and it's the previous page that is causing the error.
3) There are some additional settings that you have on your page(s) that we aren't aware of.

Usually, when you get the error you mention, you either have to set ValidateRequest to False and create your own routine to handle input, or you have to use Server.HTMLEncode or Server.UrlEncode to encrypt your string (and then use the opposite Decode method on the receiving page).


____________________________________________________________
Mark,
http://aspnetlibrary.com

Need help finding an answer? Try the Search Facility or read FAQ222-2244.
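The original poster suspects that the '=' padding (and the 'on' run) in the base64 ciphertext is what trips request validation, and Mark's second suggestion is to encode on the sending side and decode on the receiving page rather than disable ValidateRequest. The following is an added example, not code from either poster: it carries the ciphertext bytes as URL-safe base64 with the padding stripped, so the id parameter can never contain '=', '+' or '/', and restores the padding on the receiving page before decryption. The class and method names are assumptions; the token value is the one from the thread.

```csharp
using System;

// Added example (not the original poster's or Mark's code): carry the 3DES
// ciphertext in the query string as URL-safe base64 with the '=' padding
// removed, so the token never contains '=', '+' or '/'. The receiving page
// restores the padding and decodes before calling the decryption routine.
public static class UrlSafeToken
{
    // Standard base64 -> URL-safe alphabet (RFC 4648 section 5), padding stripped.
    public static string Encode(byte[] data)
    {
        string b64 = Convert.ToBase64String(data);
        return b64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
    }

    // Reverse of Encode. Throws FormatException on anything that is not a
    // well-formed token; the caller treats that like any other bad input.
    public static byte[] Decode(string token)
    {
        if (token == null) throw new ArgumentNullException("token");
        string b64 = token.Replace('-', '+').Replace('_', '/');
        // Base64 length is always a multiple of 4; a remainder of 1 is impossible.
        switch (b64.Length % 4)
        {
            case 0: break;
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
            default: throw new FormatException("Invalid token length");
        }
        return Convert.FromBase64String(b64);
    }

    public static void Main()
    {
        // The ciphertext from the thread, as the original poster base64-encoded it.
        string original = "t63ONOALoPYjbYmGBjmSDg==";
        byte[] cipherBytes = Convert.FromBase64String(original);

        string token = Encode(cipherBytes);
        Console.WriteLine("original : " + original);
        Console.WriteLine("url-safe : " + token);
        Console.WriteLine("query    : contact.aspx?id=" + token + "&log=true");

        // Receiving side: decode and confirm the bytes are unchanged.
        byte[] roundTrip = Decode(token);
        bool same = roundTrip.Length == cipherBytes.Length;
        for (int i = 0; same && i < roundTrip.Length; i++)
            same = roundTrip[i] == cipherBytes[i];
        Console.WriteLine("round trip intact: " + same);

        // Receiving side: a truncated or tampered id must fail closed.
        try
        {
            Decode(token.Substring(0, token.Length - 1));
            Console.WriteLine("unexpected: truncated token decoded");
        }
        catch (FormatException)
        {
            Console.WriteLine("truncated token rejected");
        }
    }
}
```

Because the token uses only letters, digits, '-' and '_', no Server.UrlEncode call is needed and Request.QueryString["id"] returns it unchanged; pass that value to Decode and then to the decryption routine, catching FormatException and CryptographicException as ordinary bad input. In .NET 2.0 and later, HttpServerUtility.UrlTokenEncode and UrlTokenDecode provide a built-in variant of the same idea. The encoding only changes the alphabet: it adds no integrity protection, and since ECB-mode Triple DES with PKCS7 padding will happily decrypt many altered inputs, the decrypted value still has to be validated before it is used.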
 
Thanks for looking into this. I've also just tried to re-create the problem locally and get the same result as you - it works! But the problem definitely persists on the live server. The only difference I can think of is that the live project is running on a secure server under HTTPS. Do you know if ASP.NET page validation behaves differently under HTTPS? It may also be that our techies have applied additional ASP.NET security that I wasn't aware of, but I think this is unlikely.
 
The only difference I can think of is that the live project is running on a secure server under HTTPS
That could be the cause so it may be worth trying to replicate this in your test environment. I've not really used SSL, but I think you can get test certificates so that you can create a https site locally.


____________________________________________________________
Mark,
http://aspnetlibrary.com

Need help finding an answer? Try the Search Facility or read FAQ222-2244.
 