Security :: Reason For ValidateRequest Allowing • But Not &#8226?

Jul 9, 2010

I've noticed that setting ValidateRequest="true" on the page blocks input of the form &#8226; but not • - which are the same characters. Does anyone know why the first type is not allowed but the second type is? I really could not find a place where it defines what is meant by dangerous script and what is actually blocked when the ValidateRequest is set to true.

View 3 Replies


Similar Messages:

Security :: ValidateRequest, And Basic HTML Failure?

Jun 28, 2010

Here's the situation. I have an aspx page that is designed to receive a POST request with some XML values, parse the XML, grab the relevant items, and write them to the page. The problem arises when I try to launch the page using the POST request. When I launch using Fiddler, building the request manually and just pasting the XML in the body of the request everything works fine and dandy. When I launch the page from a basic HTML form, however, things don't go so great. The HTML form that I'm using looks like this:

[Code]....

When the page loads I get the error:

A potentially dangerous Request.Form value was detected from the client

Everything I've read so far has told me that the solution is to add ValidateRequest="false" to the page directive in the top of the .aspx file, or in the pages element of the web.config file. But neither of these works. Afterwards, I still get the same error. Any idea what I need to do to make this work?

View 5 Replies

Security :: Back To The Login Screen For No Apparent Reason?

Jan 27, 2010

I just implemented a login and deployed a system that works great on the local machine. After working on the deployed version for a few minutes, we get dumped back to the login screen for no apparent reason. It happens after just a few minutes, and from random places in the application. The login stuff is pretty much out of the box. This is from the config:

[Code]....

We are not doing anything at all in the codebehind regarding timeouts, etc.

View 4 Replies

Security :: Forms Authentication Failed For The Request. Reason - The Ticket Supplied Has Expired

Jan 25, 2010

We recently upgraded our project from 1.1 to 2.0. Since then we are seeing "Forms authentication failed for the request. Reason: The ticket supplied has expired" in Event Viewer. This keeps coming 1-2 times every minute. It also seems to have increased the response time. This is the full message:

Event code: 4005

Event message: Forms authentication failed for the request. Reason: The ticket supplied has expired.

Event time: 1/25/2010 5:00:30 PM
Event time (UTC): 1/25/2010 10:00:30 PM
Event ID:
Event sequence: 20601
Event occurrence: 2692
Event detail code: 50202.....

View 1 Replies

Security :: ValidateRequest Does Not Work When HTML Tags Are Sent By __doPostBack Method In JavaScript?

Sep 18, 2010

Why does ValidateRequest not work when HTML tags are sent by the __doPostBack method in JavaScript?

<script>

[Code]....

</script>

View 4 Replies

Security :: How To Concerns With Allowing Post Login Information

Oct 5, 2010

I have a third-party company whose users we need to allow to pass into our website without logging in. To keep it easy, I was thinking of having them post to a custom login page on my site.

So their code would be something like this:

[Code]....

My landing/login page would do something like this:

[Code]....

My question is whether there are any security issues when using this kind of method? I am not sure yet what their site is written in. I figured that they could figure out how to do the post as long as I have the landing page for them and there are no security issues.

View 4 Replies

Security :: Allowing Access To Users Who Are In Multiple Roles?

Feb 26, 2010

I have a web.config file with an <authorization> section. I'm using Windows authentication.

The problem is that I would like to allow access to the web site to those users who are in multiple roles.

For example:

<authorization>
<allow roles = "Role1 AND Role2"/>
<deny users="*"/>
</authorization>

(Meaning I would like to allow access only to those users who are in both Role1 AND Role2.)

Is it possible to achieve this?

If not, what would be the alternatives?

Note: Currently I'm doing the roles assignment in the Global.asax file in the OnAuthenticateRequest event (I'm reading the groups that the current user belongs to in the Active Directory).

View 4 Replies

Security :: Allowing Login To A Forms Authenticated Site From Another Location?

Jun 14, 2010

I have a site almost finished that uses ASP.Net membership, forms authentication and roles. There are one or two requirements remaining and I'm not even sure how to properly approach one of them.

The site I've created is going to provide service ONLY through SSL, if that matters. Yes, I'll redirect a request that lands on port 80 but the intent is to encrypt everything.

Is there a "best practice" for creating a session with my site, from another site? In other words the company is building a marketing page that has spaces for a login and password. I can find lots of posts about passing a username and password to another site to start a session, but very few if any about receiving the username and password.

If anyone can point me to an article or posting with a code sample where the login control of a forms-authenticated site is used as the target of a form hosted as part of a different web page/application on a different host, it'd be awesome.

To be clear, the scenario is essentially "brochureware website on a 3rd-party host" providing the visitor the ability to log in to a secure site on a more "internal" server.

View 1 Replies

Security :: Allowing User To Input HTML Code Securely?

Jan 30, 2011

I have a CMS page that allows the user to paste in or type HTML code into a TextBox in a FormView, then do an INSERT or UPDATE operation to an nvarchar(MAX) column in an SQL table. This is using an ObjectDataSource that refers to an insert or update method in a TableAdapter in my dataset.

When testing, the server initially warned me when I tried to input or update text containing HTML code; so I set the validateRequest="false" in my page header.

I gather this can be a serious security risk. What's the proper way to "validate" the string being input? Am I opening the database to SQL injection?

Only the site administrator has access to the CMS, but malicious users could theoretically bust their way in...

View 1 Replies

Security :: Website Not Allowing To Login Through IE But Works Fine With Firefox?

Aug 6, 2010

I have an ASP.NET application hosted on a Win2003 server. When I set the Authenticated Access to just Integrated Windows Authentication, IE7 & IE8 started failing to log in to the site with an error 401.1 ("You are not authorized to view this page"). But Firefox has no issues logging in to the site. Why is IE failing to log in with Integrated Windows Authentication where Firefox works perfectly?

View 1 Replies

C# - Is There A Security Reason To Validate A Textbox Input If You Are Limiting The Max Length Of The Input

Oct 1, 2010

Since I'm new to coding and I'm trying to understand why, here is a little more detail on the question. If you have a text box and you are limiting the input to, say, 2 characters, do you really need to validate the input further? What I have is a text box that has a max length of 2. Is there a security reason to add a validator to the textbox? I should add this is in ASP.NET.

View 8 Replies

How To Use ValidateRequest="false" To Bypass Security

Dec 30, 2010

I understand I can use validateRequest="false" to bypass ASP.NET security. I'd like to know what security issues setting this flag may cause. Can I be 100% sure there won't be any issue as long as I encode the input using an XSS library?

View 3 Replies

Security :: To Validate When ValidateRequest="true"?

Jan 26, 2010

Do I have to validate cookies, user input, query string, and database output for XSS when my page is set to ValidateRequest="true"?

View 5 Replies

Security :: Allowing Access To Default.aspx With Default Document Enabled?

Jan 19, 2011

I am trying to secure very mixed content that is located in an ASP.NET directory. For purposes of this question, it can be ~/MyApp/.

I want all of the content in the directory and its subdirectories restricted to authenticated users. The default.aspx page, though, should be accessible to everyone. This is the web.config in that directory:

[Code]....

Now if you are an unauthenticated user, everything works fine if you request [code]....

The problem occurs in that visitors do not always request "Default.aspx". We have a default document configured so that they get Default.aspx even if they just request "/MyApp". An authenticated user works fine, but an unauthenticated user is directed to the login page.

Now I know that essentially this happens because even though the request for "/MyApp/" will actually end up serving up "/MyApp/Default.aspx", the security system is only checking for "/MyApp/" since that is what I requested. That is then getting the default security for the directory.

How can you configure an exception to allow access when no particular file is requested in the directory?

Is there some dependency between DefaultDocumentModule and UrlAuthorizationModule? In this environment, the UrlAuthorizationModule has been removed and re-added in order to make sure it fires for non-managed requests. I would not expect that to change the order of execution, though, since UrlAuthorizationModule usually goes after DefaultDocument.

A workaround could be to set up the opposite security with the directory being open, and then trying to secure individual files. Because of the (changing) number of files, and extensions, etc, and the fact that you cannot use wildcards in a <location>, this is not really a workable solution for me.

View 1 Replies

Finding Reason For Website Over Web App?

Oct 28, 2010

I know that in a web site project VWD will cram all the files into 1 specified folder which holds all the pieces of your site together in a nice little container.

However, in a web based application (rather than web site) you have a similar folder but it contains a solution file; people often say this has more advantages, but from my early days of learning what would those advantages be?

View 3 Replies

Is There Any Reason To Keep The App_Data Folder

Feb 18, 2011

I've noticed that ASP.NET automatically creates an App_Data folder for you whenever you make a new webforms application.

Since all of my data comes from a SQL Server 2005 database server, is there any reason to actually keep this folder?

View 8 Replies

Use Of Validaterequest False?

Jun 28, 2010

Tell me the use of ValidateRequest false.

View 4 Replies

Set ValidateRequest To False?

Nov 2, 2010

I'm using the FreeTextBox HTML editor in some webforms in my ASP.NET project. If I do not set the ValidateRequest property to false I get this error:

A potentially dangerous Request.Form value was detected from the client

It's OK in the admin folder though, because only authorized users have access to work with it. But how about public pages like sections where every user has access to leave comments (using FreeTextBox for collecting users' comments)? Isn't it risky for XSS attacks? If the answer is not yes, then what's the ValidateRequest property for?

View 3 Replies

C# - ValidateRequest Per Control?

Jan 16, 2010

My ASP.NET page contains "ValidateRequest = true". However, there is one textbox in the page for which I don't want ASP.NET to validate. Is there a way to make it false for that one control? If there isn't, is there a way to ignore the "Potential Threat" error, assuming it comes from that particular control?

View 1 Replies

Reason To Use PNG Format Images In Webpage

Apr 9, 2010

Why do website developers use PNG format images in their webpages?

View 2 Replies

Is There Any Reason To Separate Front-end FE And Back-end BE

Jan 10, 2010

Is there any reason to separate front-end FE and back-end BE (for Administration and customer service) in different websites under the same solution?

Actually it causes me problems in removing items from the cache. (They) decided to put FE and BE in different app domains, which means different Cache objects!

I asked them about the reason and they said:

1- To not be out of memory and to remove the BE effect on the FE performance.

I doubt this. The customer service team is probably affecting the centralized database performance, but their hits will be like adding 10 customers to our website; it is nothing! Also, app domain memory extends when needed; as far as I know, it does not pre-allocate resources.

2- To avoid losing both FE and BE if the website goes down.

I agree, but this is not a reason to put the whole BLL in a web service. What about SECURING the BLL? I PREFER TO LOSE BOTH if the IIS goes down.

View 1 Replies

AJAX :: Dropdownlists Not Disabled - Reason?

Jul 28, 2010

I have an accordion and a nested accordion as a menu bar on the left. The panes contain various controls, mainly dropdownlists. I disable the accordion after a user has entered some values and clicked the search button. However, in IE7 the accordion is disabled and all the contained controls are too. But in IE6 the dropdownlists aren't disabled. What's the reason behind this and what's the solution?

View 6 Replies

RegisterClientScriptInclude Doesn't Work For Some Reason?

Mar 24, 2010

I've spent at least 2 days trying anything and googling this... but for some reason I can't get RegisterClientScriptInclude to work the way everyone else has it working.

First off, I am using .NET 3.5 Ajax, and I am including JavaScript in my partial page refreshes using this code:

ScriptManager.RegisterClientScriptBlock(this, typeof(Page), "MyClientCode", script, true);

It works perfectly; my JavaScript code contained in the script variable is included every partial refresh.

The JavaScript in script is actually quite extensive though, and I would like to store it in a .js file, so logically I make a .js file and try to include it using RegisterClientScriptInclude. However, I can't for the life of me get this to work. Here's the exact code:

ScriptManager.RegisterClientScriptInclude(this, typeof(Page), "mytestscript", "/js/testscript.js");

The testscript.js file is only included in FULL page refreshes, i.e. when I load the page or do a full postback. I can't get the file to be included in partial refreshes and have no idea why. When viewing the Ajax POST in Firebug I don't see a difference whether I include the file or not.

Both of the ScriptManager includes are being run from the exact same place in "Page_Load", so they should execute every partial refresh (but only the ScriptBlock does).

View 1 Replies

C# - Why Isn't ValidateRequest True Enough For XSS Prevention

Apr 1, 2010

In the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation."

View 2 Replies

Difference Between EnableEventValidation And ValidateRequest?

Jan 22, 2010

What is the difference between enableEventValidation and validateRequest? Although the former is on postback/callback caused by a control (server side only, I assume?), the latter is on every request, which is caused by a control posting back anyway? Or would validateRequest kick in by a standard HTML link being clicked?

View 2 Replies






