从客户端检测到有潜在危险的Request.QueryString值 [英] A potentially dangerous Request.QueryString value was detected from the client

问题描述

我使用的WebForm

I'm using WebForm

我在做安全测试，以我的网站，但是当我试图通过URL查询字符串，如：

I'm doing a Security Testing to my site but when I try to pass through url a QueryString like:

' - > netsparker（0x00286A）   mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E

'"-->netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E

我在'/'应用了服务器错误。

I got Server Error in '/' Application.

一个潜在危险的Request.QueryString值从检测   客户从客户端检测到有潜在危险的Request的值（>）。

A potentially dangerous Request.QueryString value was detected from the client A potentially dangerous Request.Path value was detected from the client (>).

我在web.config

I have in the web.config

<httpRuntime  enableVersionHeader="false"/>
<customErrors mode="On"  defaultRedirect="~/Error/GeneralError.aspx">
  <error statusCode="404" redirect="~/Error/PageNotFound.aspx" />
  <error statusCode="403" redirect="~/Error/GeneralError.aspx" />    
  <error statusCode="500" redirect="~/Error/GeneralError.aspx" />      
</customErrors>

    ..................

<pages controlRenderingCompatibilityVersion="4.0" viewStateEncryptionMode="Always">

任何想法，我该怎么纠正？

Any idea how can I correct that?

推荐答案

您错误是由于违反了建在ASP平台的安全规则。这些规则prevent注入和跨站脚本攻击。如果您正在使用MVC有一个方便的AntiForgeryToken，可以照顾这个给你。

Your error is due to violation of built in security rules in the ASP platform. These rules prevent injection and cross-site scripting attacks. If you are using MVC there is a handy AntiForgeryToken that can take care of this for you.

请看看来自斯科特Hanselman的

Please look into the post from Scot Hanselman

<一个href="http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx" rel="nofollow">http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx

这篇关于从客户端检测到有潜在危险的Request.QueryString值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！