Server started to receive requests with invalid cookie _a_d3t6sf

Starting from 04.06.2018 our production site started to receive requests that contains the cookie with invalid value:

_a_d3t6sf="duUt#<WFf>>nD=9O&lG9y)DN"

values are different, but name is the same for all requests.

Exception looks like this:

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Cookies value was detected from the client (_a_d3t6sf="xdZ<et[)27rL^5lBe6rL_<[...").
   at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
   at System.Web.HttpRequest.ValidateCookieCollection(HttpCookieCollection cc)
   at System.Web.HttpRequest.get_Cookies()
   at System.Web.HttpRequest.FillInParamsCollection()
   at System.Web.HttpRequest.GetParams()
   at System.Web.HttpRequest.get_Params()
   at ASP._sites__shared_svc_getstrings_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in ___\getStrings.aspx:line 6
   at System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children)
   at System.Web.UI.Control.RenderChildren(HtmlTextWriter writer)
   at System.Web.UI.Page.Render(HtmlTextWriter writer)
   at System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter)
   at System.Web.UI.Control.RenderControl(HtmlTextWriter writer)
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP._sites__shared_svc_getstrings_aspx.ProcessRequest(HttpContext context) in ___\root\3403aaf9\baa39378\App_Web_zbqbtb3n.2.cs:line 0
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

There is no such cookie in our code and there is no form posts or anything we can validate before that requests. We have validation mode 2.0 in our config

<httpRuntime targetFramework="4.5" requestValidationMode="2.0" />

so only .aspx pages throws that exception. One of them is callback page for a spanish online payment system. And it gets that cookie too from a real paysystem server - there was a payment done, request was sent to us, but was invalid because of that cookie.


There is a three .aspx pages that serves as minimization sources for styles, scripts and javascript localized strings. So one full page load throws three exceptions every time this happens, but only few clients has this cookie. On our computers we was unable to reproduce it.


So:
1. We has no things that adds or reads that cookie.
2. Not every client has it.
3. Secured request from online payment service sends payment data almots every day but also has that cookie once.
4. All windows updates including .net security was installed today - nothing has changed.
5. We can not turn validation off.
6. Last code changes was done month ago and all this started about two weeks ago.


Looking for any ideas and suggestions. Thank you.

Maybe you are using the zp.js or pluso-like.js plugins.

They do some suspisious activity and load 'processor.js' script that adds _a_d3t6sf cookie. If the client is lucky he will get safe cookie value like

duu2BAdLFlYTaTgr_h4WB6

but if he isn't he will get unsafe cookie value like

duu2BAdLFlYTaT#^0[AZ?WB6

There is some article about pluso.ru