Issue:
Due to an upgrade from .Net 2, 3.0 or 3.5 to .Net 4.0 or you are starting a new .Net 4.0 project, you may run into this message:
- A potentially dangerous Request.Path value was detected from the client
Or
- A potentially dangerous Request.Form value was detected from the client
Environment:
- .Net 4.0
- MVC 3 (could be MVC 2 also because of the controller/action action filters that are available)
Fix:
Lets tackle the first issue:
A potentially dangerous Request.Path value was detected from the client
The fix is surprisingly simple but can cause havoc for security so be careful to consider your security requirements:
For MVC3 apps, or any MVC actually, when you run on .Net 4.0 you need to specify the following in your web.config file when running on .Net 4.0:
<system.web>
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters=""/>
The magic happens with the requestPathInvalidCharacters property, setting it to “” means that it should bypass the default suspect characters and check for no special characters in the url. The defaults are:
[ConfigurationPropertyAttribute("requestPathInvalidCharacters", DefaultValue = "<,>,*,%,&,:,\,?")]
public string RequestPathInvalidCharacters { get; set; }
The following issue is not the same as the previous issue, but is somewhat related but not handled the same way:
A potentially dangerous Request.Form value was detected from the client
In ASP.Net MVC you need to set requestValidationMode=”2.0″ and validateRequest=”false” in web.config, and apply a ValidateInput attribute to your Controller action:
<httpRuntime requestValidationMode="2.0"/>
<system.web>
<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
</system.web>
But that is not all, you also need to then explicitly set what controller action requires validation bypassed:
[Post, ValidateInput(false)]
public ActionResult Edit(string message) {
...
}
So are you done yet? Nope, not quite, you also need to instruct IIS to ignore the validation check on any incoming request.
<system.web>
<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
This is definitely not recommended, especially for external facing web sites as you need to be very vigilant to check for script attacks, etc.
Alternatively you can specify validation to be turned off by page:
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="MyDemoPage.aspx.cs" Inherits="Vert.CRM.UI.Views.Home.MyDemoPage" ValidateRequest="False" %>
You could sidestep the above page directive and simply specify page validation to be de-activated site-wide in the web.config file, or in nested web.config files for sub-folders:
<system.web>
<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
OK, so there is another way to do it by injecting exception handling in the global.asax file on application error. Needless to say exceptions are very expensive, so unless setting page directives or disabling page validation site-wide in the web.config file does not appeal to you this is another option:
void Application_Error(object sender, EventArgs e)
{
Exception ex = Server.GetLastError();
if (ex is HttpRequestValidationException)
{
Response.Clear();
Response.StatusCode = 200;
Response.Write(@"[html]");
Response.End();
}
}
Why bother?
Not all attacks are malicious. Often users will copy-paste text from web pages and inadvertently paste HTML tags with it into text fields. For example a “<“, which is not inherently dangerous. When not encoding output you are vulnerable to for example cross-site-scripting attacks, etc. Or if you write a URL entered by the user for a link on the page, embedded “javascript:” may be dangerous. Why is this important? If you start filtering certain characters for example:
<system.web>
<httpRuntime requestPathInvalidCharacters="<,>" requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
What if the user adds a math formula to a text area like “x < y = true”. You want to tell the user their request is dangerous?! Filtering indiscriminately can be too restrictive based on context. That is why providing action filters is great in the sense that you can specify validation at a low-level of granularity. Of course if that is till not enough try [AllowHtml] on your model binding.
Summary, for .Net 4.0 you must specify the following for any validation on controller/action and page directives to work:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>