ASP.NET request validation causes: is there a list?

Problem description

Is anybody aware of a list of exactly what triggers ASP.NET's HttpRequestValidationException? [This is behind the common error: "A potentially dangerous Request.Form value was detected," etc.]

I've checked here, around the Web, and MSDN Library but can't find this documented. I'm aware of some ways to generate the error, but would like to have a complete list so I can guard against and selectively circumvent it (I know how to disable request validation for a page, but this isn't an option in this case).

Is it a case of "security through obscurity"?

Thanks.

[Note: Scripts won't load for me in IE8 (as described frequently in the Meta forum) so I won't be able to "Add comment."]

EDIT 1: Hi Oded, are you aware of a list that documents the conditions used to determine a "potentially malicious input string"? That's what I'm looking for.

EDIT 2: @Chris Pebble: Yeah, what you said. :)

Solution

I couldn't find a document outlining a conclusive list, but looking through Reflector and doing some analysis on use of HttpRequestValidationException, it looks like validation errors on the following can cause the request validation to fail:

  • A filename in one of the files POSTed to an upload.
  • The incoming request raw URL.
  • The value portion of the name/value pair from any of the incoming cookies.
  • The value portion of the name/value pair from any of the fields coming in through GET/POST.

The question, then, is "what qualifies one of these things as a dangerous input?" That seems to happen during an internal method System.Web.CrossSiteScriptingValidation.IsDangerousString(string, out int) which looks like it decides this way:

  1. Look for < or & in the value. If it's not there, or if it's the last character in the value, then the value is OK.
  2. If the & character is in a &# sequence (e.g., &#160; for a non-breaking space), it's a "dangerous string."
  3. If the < character is part of <x (where "x" is any alphabetic character a-z), <!, </, or <?, it's a "dangerous string."
  4. Failing all of that, the value is OK.

The System.Web.CrossSiteScriptingValidation type seems to have other methods in it for determining if things are dangerous URLs or valid JavaScript IDs, but those don't appear, at least through Reflector analysis, to result in throwing HttpRequestValidationExceptions.
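
The four steps listed in the answer above, written out as a small C# check that can be run over candidate field values to see which ones request validation would reject. This is an added example, not code from the answer or from System.Web: the names RequestValidationSketch and LooksDangerous are hypothetical, and matching letters in either case is an assumption.

```csharp
using System;

// Added illustration: re-implements the four steps listed in the answer.
// RequestValidationSketch and LooksDangerous are hypothetical names, not System.Web APIs.
static class RequestValidationSketch
{
    static readonly char[] Triggers = { '<', '&' };

    // Returns true when the value matches the "dangerous string" rules above;
    // matchIndex is the position of the last '<' or '&' examined (0 if none).
    public static bool LooksDangerous(string value, out int matchIndex)
    {
        matchIndex = 0;
        for (int start = 0; ; )
        {
            int n = value.IndexOfAny(Triggers, start);
            // Step 1: no trigger left, or the trigger is the last character.
            if (n < 0 || n == value.Length - 1) return false;
            matchIndex = n;
            char next = value[n + 1];
            if (value[n] == '&')
            {
                if (next == '#') return true;                 // Step 2: "&#"
            }
            else if (IsAsciiLetter(next) || next == '!' || next == '/' || next == '?')
            {
                return true;                                  // Step 3: "<x", "<!", "</", "<?"
            }
            start = n + 1;                                    // Step 4: keep scanning
        }
    }

    // Assumption: letters match in either case; the answer only writes "a-z".
    static bool IsAsciiLetter(char c) => (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    static void Main()
    {
        // Constructed sample values, one per branch of the rules.
        string[] samples = { "a < b", "1<2 && 3>2", "AT&T", "trailing <", "<b>bold</b>", "&#160;", "x</y", "<?xml" };
        foreach (string s in samples)
        {
            bool hit = LooksDangerous(s, out int at);
            Console.WriteLine($"{s,-14} dangerous={hit,-5} index={(hit ? at.ToString() : "-")}");
        }
    }
}
```

Per the answer's list, the same check would apply to uploaded file names, the raw URL, cookie values and GET/POST field values.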
