views:

117

answers:

3

Hi,

today I receive multiple (50->*) e-mails regarding:

A potentially dangerous Request.Form value was detected from the client (ctl00$Content$InputStreet="OzgYPY  <a href="http://effe...").

and

A potentially dangerous Request.Form value was detected from the client (ctl00$Content$InputStreet="GVdtWm  <a href="http://mxif...").

and

...

on one of my websites. In Global I have some code which sends e-mail when exceptions occur.

The IP address the requests come from is not the same. Is my site under a virus attack?

Best regards Lasse Espeholt

A: 

It might be a script injection attack, something/some one is trying to update your form InputStreet input field with script. More info about script injection attacks

Further info: Script injection attacks and ASP.NET

Ngm
Okay thanks, but the requests is from different IP addresses?
lasseespeholt
+1  A: 

Hi lasseespeholt,

I think we'd need more detail to be sure but from the message in the email it looks as if someone is entering a value in your Street field that .NET is regarding as dangerous. This could be a number of things, I see from your profile you are form Denmark, are the Street names there likely to contain anything dangerous?

Examples are < and >.

It could just be a really eager user who wants to sign-up? Or a bunch of people from the same area?

What's the context of the site?

David A Gibson
It is request by multiple IP adresses in the same minute. The requests writes something like "saff <a href=''>". No they should not. Thanks for answering :)
lasseespeholt
Fair point :) it does sound strange but your code seems to be handling it - is there anyway you could capture all the information they've entered in your email? Maybe this would make it easier to see if it was malicious.
David A Gibson
I don't know actually :/ My "tagwall" does not handle it so I must implement a captcha.
lasseespeholt
+1  A: 

Hi there,

These kind of attacks are common, we're monitoring several hundred sites for clients and are building a database of these attacks currently.

The fact that ASP.NET protects against these is good. you're 'secure by default'.

Cheers,

Phil.

Plip
Okay thanks :) I do need to make a captcha on one of the pages, though.
lasseespeholt