A potentially dangerous Request.Path value was detected from the client (?)

4

Environment:

IIS 8.5

.NET Framework Version: 4.6.2 (using WebForms)

Windows Server 2012 R2

Problem:

The following exception is being reported:

BASE EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

BASE EXCEPTION HRESUT: -2147467259

EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

Other information shown in our logs:

PATH_INFO
/cities/index.aspx?locid=4163
----
QUERY_STRING
----
REMOTE_ADDR
66.249.65.204
----
REMOTE_HOST
66.249.65.204
----
REQUEST_METHOD
GET
----
SCRIPT_NAME
/cities/index.aspx?locid=4163
----
URL
/cities/index.aspx?locid=4163
----
HTTP_FROM
googlebot(at)googlebot.com
----
HTTP_USER_AGENT
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

What I do not understand is that if I cut and paste the path into my browser, the page renders just fine, without error.

Questions:

  1. Why does Googlebot, when crawling the page, produce this error, yet no error is generated when I enter the path in a browser? (I do find it odd that the error log shows no value for the query string, even though it is present.)
  2. Why is the "?" character considered potentially dangerous?

Any advice would be appreciated as I am trying to understand how this particular "error" is being raised when the path is in fact valid.

Thanks in advance.

c#
asp.net
iis
asked on Stack Overflow May 9, 2017 by bdcoder • edited May 9, 2017 by Webruster

3 Answers

3

ASP.NET 4.0+ introduced strict request validation, so whatever error you are seeing might be part of it. There are certain dangerous characters in the URL which might cause an XSS attack, and ? is one among them. The remaining characters are as follows:

< > * % & : \ ?

There are probably two solutions:

  1. You can allow these characters in your URL, or at least certain characters, by adding the following configuration to web.config:

    <system.web> <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" /> </system.web>

  2. You can roll back to ASP.NET 2.0 with the following configuration:

    <system.web> <httpRuntime requestValidationMode="2.0" /> </system.web>

answered on Stack Overflow May 9, 2017 by Webruster
2

It dawned on me why the query string was not showing anything in our logs. Requests that encode the "?" (%3f) will cause the exception described above to be raised, for example:

/cities/index.aspx%3flocid=4163

The encoded %3f is interpreted as part of the path, hence the exception of "A potentially dangerous Request.Path value was detected from the client (?)".

When I entered the URL shown above in a browser, the exception was raised and the log did not contain a query string. So I can only assume everything is functioning as it should and that the requester is encoding the ? when they should not be, basically wrecking the query string portion of the URL.

We also have requestValidationMode="2.0" in system.web, but DO NOT make use of the requestPathInvalidCharacters (httpRuntime) setting.

answered on Stack Overflow May 11, 2017 by bdcoder
0

The same happens if you (or a pentester) access URLs such as https://domain.tld/<foobar and https://domain.tld/</.

Even with custom error pages enabled, this will return an error page rendered by IIS, and if you are logging errors in Application_Error you might find your logs full of noise from scanners/bots/etc.

I found that a rather simple workaround for this is to handle HttpException exceptions in Application_Error in Global.asax.cs. This way you don't need to tweak requestValidationMode.

  1. Create the following pages in the root of your application:

    • 400.html - for IIS
    • 400.aspx - for ASP.NET
    • 404.html - for IIS
    • 404.aspx - for ASP.NET
    • 500.html - for IIS
    • 500.aspx - for ASP.NET

      The .html files have content like this:

      <!DOCTYPE html>
      <html lang="en">
      <head>
          <meta charset="utf-8" />
          <title>400 Bad request</title>
      </head>
      <body>
          <h1>400 Bad request</h1>
      </body>
      </html>
      

      The .aspx files have content like this:

      <%@ Page Language="C#" %>
      <%
          Response.StatusCode = 400;
          Server.Transfer("~/400.html");
      %>
      

      Ensure that you set the appropriate response status code within the .aspx files.

  2. Configure ASP.NET's custom errors as below:

    <customErrors mode="RemoteOnly" redirectMode="ResponseRewrite" defaultRedirect="~/500.aspx">
      <error statusCode="400" redirect="~/400.aspx"/>
      <error statusCode="404" redirect="~/404.aspx"/>
      <error statusCode="500" redirect="~/500.aspx"/>
    </customErrors>
    
  3. Configure IIS's custom errors as below:

    <httpErrors errorMode="DetailedLocalOnly">
     <remove statusCode="400"/>
     <error statusCode="400" path="400.html" responseMode="File"/>
     <remove statusCode="404"/>
     <error statusCode="404" path="404.html" responseMode="File"/>
     <remove statusCode="500"/>
     <error statusCode="500" path="500.html" responseMode="File"/>
    </httpErrors>
    
  4. Adjust Global.asax.cs accordingly:

    protected void Application_Error(object sender, EventArgs e)
    {
        // Grab the unhandled exception, then clear it so ASP.NET does not
        // render its own error page on top of the one transferred to below.
        var lastError = Server.GetLastError();
        Server.ClearError();

        // Request validation failures ("A potentially dangerous Request.Path
        // value was detected") surface as HttpException: answer with a plain 400.
        if (lastError is HttpException)
        {
            Response.StatusCode = 400;
            Server.Transfer("~/400.html");   // app-relative, like the .aspx pages
        }
        else
        {
            // logging goes here: Server.Transfer ends this request, so nothing
            // placed after it would run
            Response.StatusCode = 500;
            Server.Transfer("~/500.html");
        }
    }
    

See http://benfoster.io/blog/aspnet-mvc-custom-error-pages for the full story on how to setup custom error pages and https://msdn.microsoft.com/en-us/library/bb397417.aspx for more on error handlers.

answered on Stack Overflow Nov 13, 2017 by tlk • edited Nov 15, 2017 by tlk
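As an added illustration (not code from any of the answers) of the splitting bdcoder describes and of the `/<foobar` and `/</` paths in tlk's answer: the server treats only a literal `?` as the start of the query string, so a `%3f`-encoded one stays in the path, decodes to `?`, and fails the Request.Path check. The Python script below mimics that split and check over constructed sample URLs, using the default invalid-character set quoted in the first answer; it does not model the separate query-string (XSS) validation.

```python
from urllib.parse import unquote

# ASP.NET 4.x default httpRuntime requestPathInvalidCharacters, as listed
# in the first answer: < > * % & : \ ?
INVALID_PATH_CHARS = frozenset('<>*%&:\\?')


def split_raw_url(raw_url):
    """Split a raw request URL the way the server does: only a literal '?'
    starts the query string, so an encoded %3f stays inside the path."""
    path, _, query = raw_url.partition('?')
    return path, query


def check_request_path(raw_url):
    """Decode the path part and report which characters from the invalid set
    it contains. Returns (decoded_path, query_string, sorted offending chars);
    an empty list means the path would pass the Request.Path check."""
    path, query = split_raw_url(raw_url)
    decoded_path = unquote(path)  # Request.Path is the decoded path
    offending = sorted(set(decoded_path) & INVALID_PATH_CHARS)
    return decoded_path, query, offending


def triage(raw_urls):
    """Return {raw_url: offending chars} for every URL that would raise
    'A potentially dangerous Request.Path value was detected'."""
    findings = {}
    for raw_url in raw_urls:
        _, _, offending = check_request_path(raw_url)
        if offending:
            findings[raw_url] = offending
    return findings


# Constructed sample URLs (not real traffic): the question's good and
# encoded-'?' variants plus the scanner-style paths from the last answer.
SAMPLE_URLS = [
    "/cities/index.aspx?locid=4163",    # literal '?': query is split off, OK
    "/cities/index.aspx%3flocid=4163",  # '%3f' decodes to '?' inside the path
    "/<foobar",
    "/</",
    "/%3C/",                            # encoded '<' is still '<' once decoded
    "/search.aspx?q=%3Cscript%3E",      # '<' only in the query: path check passes
]

if __name__ == "__main__":
    for url, chars in triage(SAMPLE_URLS).items():
        print(f"{url!r} rejected: decoded path contains {chars}")
```

Run it over the raw URL column of your own request logs to separate path-validation rejections (client-side encoding mistakes and scanner noise) from real application errors.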

User contributions licensed under CC BY-SA 3.0