views:

61

answers:

3

Hi.

I'm using the standard asp:Login control, and we have a user who recently changed her password to include an angular bracket. When she tries to login, she gets an error message, and I get the standard 'dangerous request' exception.

I know I can set ValidateRequest="false" on the page to negate this, but I was hoping someone knew of a better way.

Thanks!

Solution

We made her change her password to remove the bracket. Pragmatic wins out again. Thanks for the replies.

+1  A: 

Unfortunately I don't think that there is a better way. Perhaps preventing users from being able to enter any of the characters/character patterns that are considered malicious as their password might be the pragmatic option.

Turning the request validation off may potentially open up bigger holes than the minor inconvenience of one user not being able to use < or > in their password.

You may want to look at something like the Web Protection Library and the Security runtime engine for additional web application security.

Russ Cam
Pragmatic it is.
Joe Behymer
+1  A: 

You could use client-side JavaScript to html-encode the password.

Ben Voigt
This was my first thought, which I did look into. I dug through the source looking for a good place to override the standard functionality and decode the password, but couldn't find an acceptable spot. If you've actually done this, I'd love to hear what you changed. Otherwise, I put my solution in my question.
Joe Behymer
A: 

If you're serving up the login control on a separate login page, then disabling request validation is probably the simplest and best answer. You can focus on "hardening" that page to ensure that it's secure as you can make it.

The other option is to disallow angle brackets in passwords. I'm guessing that they're not that common in passwords (I've never used them and I have a multitude of passwords), but that decision is one you have to make based on what you do/don't allow your users to do.

Rob
Yeah, it's a separate login page, but just making her change her password was the easiest solution, thanks.
Joe Behymer