I have a problem where some users come to my site with cookies that contain < or & characters (partly outside my control). These are flagged Dangerous by ASP.NET. What I would like to do is to be able to catch the exception, check for certain well-known cases that I want to allow and then throw the exception again. I don't want to end up in the global Application_Error, because I want the request to carry on as if nothing happened in the selected "known cases".

I thought that I could do this by reading my Request.Cookies in the Application_BeginRequest and then catching the exception. Turns out however that this is too early. The cookies can be read without any problem at this time. Inspection (Reflector) shows that the validation exceptions are only thrown after the HttpRequest.ValidateInput() method is called. This sets the validation "sharp", but it's not clear to me when this happens. So when/where to trigger the validation to prevent it from bubbling up later? Or maybe some totally different approach?

A: 

You could disable this kind of validation by disabling request validation in the web.config

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>
Pedro
Yes, obviously, I could. But that would be throwing out the child with the bath water, wouldn't it?
Teun D
Are you afraid of being attacked by hackers? If not, then just disable it.
Pedro
Yes, I am afraid of being attacked by hackers.
Teun D
Googling, I could find two approaches: catching on Application_Error (which, I agree with you, smells bad), or disabling ASP.NET validation and validating each user input for potential threats.
Pedro
Last but not least, here is a link to a commercial product that claims to resolve this issue on a control-by-control basis: http://www.peterblum.com/DES/InputSecurity.aspx
Pedro
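Switching validateRequest off disables the dangerous-string check for every input on the site. A narrower option, added here as an example and not code from the thread or from ASP.NET's documentation, is to keep the built-in check everywhere and exempt only a fixed list of cookie names that are known to carry "<" or "&". It assumes ASP.NET 4.0 or later, where System.Web.Util.RequestValidator can be subclassed and registered through httpRuntime's requestValidationType; the namespace, the class name and the "__utmz" entry in the allow-list are illustrative assumptions, not values from the original post.

```csharp
// Added example: a custom RequestValidator that exempts a short allow-list of
// cookie names from ASP.NET request validation and defers to the built-in
// check for everything else (query string, form, headers, path, other cookies).
// Assumptions: ASP.NET 4.0+; the cookie names below are placeholders for the
// third-party cookies the site actually receives and never renders.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Util;

namespace MySite.Security
{
    public class CookieAwareRequestValidator : RequestValidator
    {
        // Hypothetical allow-list: cookies written by client-side scripts whose
        // values the server never echoes into a page. Keep this list short and
        // explicit; every other cookie still goes through the default check.
        private static readonly HashSet<string> AllowedCookies =
            new HashSet<string>(StringComparer.Ordinal) { "__utmz" };

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Relax the check only for cookies, and only for the named ones.
            // collectionKey is the cookie name when the source is Cookies.
            if (requestValidationSource == RequestValidationSource.Cookies
                && collectionKey != null
                && AllowedCookies.Contains(collectionKey))
            {
                validationFailureIndex = -1;
                return true;
            }

            // Everything else: the framework's own check, which rejects '<'
            // followed by a letter, '!', '/', '?' and the "&#" entity prefix.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey,
                out validationFailureIndex);
        }
    }
}

// Registration in web.config (assumed file location and assembly name):
//
//   <system.web>
//     <httpRuntime requestValidationType="MySite.Security.CookieAwareRequestValidator" />
//   </system.web>
```

The exempted cookies are still untrusted input: if their values are ever written into HTML, encode them with HttpUtility.HtmlEncode on the way out, since the validator no longer does anything for them. Note also that on ASP.NET 4.0 the pages-level validateRequest="false" from the answer above only takes effect together with httpRuntime requestValidationMode="2.0"; the custom validator works under the default 4.0 mode.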
A: 

It turns out to be quite difficult to handle this exception. I have not found a real answer to my question, but I found a work-around that may work for others too, so I'll document it here. The suspect values in my cookies are actually written there by Google Analytics, so I cannot prevent the values with < in them from being written. However, I do not really need these cookies on the server anyway. Google Analytics reads their content on the client. So what I did was checking the contents of the cookies myself and clearing any suspect content for the duration of the Request by setting the value to "". The cookie remains as is, but the content in the Request.Cookies collection is gone.

Good enough for me.

using System;
using System.Text.RegularExpressions;
using System.Web;

// Matches a '<' immediately followed by a word character (letter, digit or
// underscore), which covers the values request validation rejects.
private static readonly Regex _hasHtmlTag = new Regex("<\\w", RegexOptions.Compiled);

protected void Application_BeginRequest(object sender, EventArgs e)
{
    // HttpCookieCollection enumerates its cookie names as strings.
    foreach (string name in Request.Cookies)
    {
        HttpCookie cookie = Request.Cookies[name];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            continue; // nothing to check; IsMatch would throw on null

        if (_hasHtmlTag.IsMatch(cookie.Value))
        {
            // Leave the browser's cookie alone (nothing is written to the
            // response), but blank the value in the server-side request
            // collection so that later validation has nothing to reject.
            cookie.Value = "";
        }
    }
}
Teun D