Security attacks on asp.net page???

Last post 08-22-2007 5:23 AM by XiaoYong Dai – MSFT. 3 replies.

  • Security attacks on asp.net page???

    08-17-2007, 4:44 AM
    • Member
      10 point Member
    • jusmeig
    • Member since 10-25-2006, 9:08 AM
    • Posts 12

    Hi there,

    I've been working with an application for over two years and have never noticed any security issues with .NET or the application in general. That said, just recently I've been getting ELMAH error reports sent to me with some very suspicious errors. I have included the text below. Is this some form of ASP.NET injection attack that's been caught by the framework?

    System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (siteusername="...map.html, <a href= http://v0vp...").

    The referring page is always a page on our main site (PHP), and the page hit in this application is always login.aspx. I'm starting to think this may be classic PHP injection, as a PHP page posts to the .NET page to enable login to the application. This probably isn't the safest way of doing this!!

    From what I can see no harm is being done as the above error is being triggered?

    Cheers,

    Justin

    Justin..........

    My site: http://www.justinmeighan.com
  • Re: Security attacks on asp.net page???

    08-17-2007, 8:59 AM
    Answer

     Hi

    Have you ever heard about an XSS attack?

    The goal of this attack is to steal the authentication cookie of a legitimate user.

    When will it happen?

    It will happen when a user inputs some client-side scripting.

    In the .NET Framework, by default some controls have the ability to identify this type of input. This is the actual reason why you got the exception "A potentially dangerous Request.Form value was detected from the client" from the server.

     

    thanks 

     

    Thanks and Regards,
    Kanakaiah etipakam(RAJA)

    --------------------------------------------------
    For God so loved the world that he gave his one and only Son (JESUS), that whoever believes in him shall not perish but have eternal life. john 3:16
  • Re: Security attacks on asp.net page???

    08-21-2007, 3:46 PM
    • Member
      10 point Member
    • jusmeig
    • Member since 10-25-2006, 9:08 AM
    • Posts 12

    Hi there

    I wonder if I can stop them somehow. I can't bar their IP as it changes, and in theory I need to stop them posting to a public login form. Perhaps I could only allow a certain range of trusted IPs to access my login.aspx page, and redirect anyone else?

    Cheers

    Justin..........

    My site: http://www.justinmeighan.com
  • Re: Security attacks on asp.net page???

    08-22-2007, 5:23 AM
    Answer

    jusmeig:

    and in theory I need to stop them posting to a public login form.

     

    Hi

    What about giving him a warning when you receive this kind of unsafe scripting?

     

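        Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
            ' Code that runs when an unhandled error occurs
            Dim objErr As Exception = Server.GetLastError().GetBaseException()
            If objErr.Message.Contains("A potentially dangerous Request.Form value was detected from the client") Then
                ' X-Forwarded-For is a client-supplied header, so treat it as untrusted input
                Dim userip As String = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
                If String.IsNullOrEmpty(userip) Then userip = Request.ServerVariables("REMOTE_ADDR")
                ' HTML-encode the value before echoing it, otherwise the header is reflected as markup
                Response.Write("Hei,I know you." + Server.HtmlEncode(userip))
                ' Clear only the error handled here so other exceptions still surface
                Server.ClearError()
            End If
        End Sub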

    BTW, it is a good method to HTML-encode information that will be stored in HTML.

    For example, it replaces '<' or '>' with their corresponding HTML-encoded representations '&lt;' and '&gt;'.

    Best Regards
    XiaoYong Dai
    Microsoft Online Community Support
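
A variant of the handler above, as an added example that is not part of the original thread: it matches the rejected post by exception type, logs where it came from, and answers with a fixed message so nothing from the request is written back. The class name, the log format and the 400 status are assumptions.

```vb
' Global.asax code-behind (added example; class name and log format are assumptions)
Imports System
Imports System.Web
Imports Microsoft.VisualBasic

Public Class Global_asax
    Inherits HttpApplication

    Sub Application_Error(ByVal sender As Object, ByVal e As EventArgs)
        Dim lastError As Exception = Server.GetLastError()
        If lastError Is Nothing Then Return

        ' Match on the exception type so the check does not depend on
        ' the exact wording of the error message.
        Dim rejected As HttpRequestValidationException = _
            TryCast(lastError.GetBaseException(), HttpRequestValidationException)
        ' Leave every other error to ELMAH / customErrors.
        If rejected Is Nothing Then Return

        ' UserHostAddress is the peer address seen by the server.
        ' X-Forwarded-For is client-supplied: logged as a hint, never trusted.
        Dim peer As String = Request.UserHostAddress
        Dim forwarded As String = Request.Headers("X-Forwarded-For")
        Dim referrer As String = Request.Headers("Referer")

        System.Diagnostics.Trace.TraceWarning( _
            "Request validation rejected POST to {0} peer={1} xff={2} referer={3}", _
            Request.Path, peer, Clean(forwarded), Clean(referrer))

        ' Fixed response: no request data is echoed to the client.
        Server.ClearError()
        Response.Clear()
        Response.StatusCode = 400
        Response.ContentType = "text/plain"
        Response.Write("Invalid input.")
    End Sub

    ' Strip CR/LF so a header value cannot forge extra log lines, and cap its length.
    Private Shared Function Clean(ByVal value As String) As String
        If String.IsNullOrEmpty(value) Then Return "-"
        Dim flat As String = value.Replace(vbCr, " ").Replace(vbLf, " ")
        If flat.Length > 200 Then flat = flat.Substring(0, 200)
        Return flat
    End Function
End Class
```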
