URL Routing, Image Handler & "A potentially dangerous Request.Path value"
ASP.NET 4.0+ comes with very strict built-in request validation. Part of it is a check for potentially dangerous characters in the URL, which may be used in XSS attacks. These are the default invalid characters in the URL:
< > * % & : \ ?
You can change this behavior in your config file:
<system.web>
<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" />
</system.web>
Or go back to .NET 2.0 validation:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
A very common invalid character is %, so if by any chance (an attack, web crawlers, or just some non-standard browser) the URL is being escaped, you get this:
www.amadeupurl.co.uk/ImageHandler.ashx/%3Fi%3D3604
instead of this:
www.amadeupurl.co.uk/ImageHandler.ashx/?i=3604
Note that %3F is the escaped form of ?. The character is considered invalid by the ASP.NET request validator, which throws an exception:
A potentially dangerous Request.Path value was detected from the client (?).
Though in the error message you see the unescaped version of the character (%3F), which is ? again.
Here's a good article on Request Validation and how to deal with it
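A simplified model of the check described above, run against the two URLs from the text. This is an added example, not ASP.NET's own code: the class and method names are hypothetical, and it assumes the path is percent-decoded once before being compared with the configured character list.

```csharp
using System;

static class RequestPathCheckModel
{
    // Default requestPathInvalidCharacters list quoted above.
    static readonly char[] DefaultInvalid = { '<', '>', '*', '%', '&', ':', '\\', '?' };

    // Returns the first listed character found in the decoded path,
    // or null if the path passes. Hypothetical helper, for illustration only.
    public static char? FirstInvalidChar(string pathAndQuery, char[] invalid)
    {
        // Only a literal '?' starts the query string; "%3F" stays inside the path.
        int q = pathAndQuery.IndexOf('?');
        string rawPath = q >= 0 ? pathAndQuery.Substring(0, q) : pathAndQuery;

        // Assumption: the check sees the decoded path, so "%3F" is "?" by now.
        string path = Uri.UnescapeDataString(rawPath);

        int hit = path.IndexOfAny(invalid);
        return hit >= 0 ? path[hit] : (char?)null;
    }

    static void Main()
    {
        // The two URLs from the text, without the host name.
        string[] samples =
        {
            "/ImageHandler.ashx/?i=3604",      // '?' delimits the query string
            "/ImageHandler.ashx/%3Fi%3D3604",  // '?' is escaped into the path
        };

        foreach (string url in samples)
        {
            char? bad = FirstInvalidChar(url, DefaultInvalid);
            Console.WriteLine(bad.HasValue
                ? url + " -> rejected (" + bad.Value + ")"
                : url + " -> accepted");
        }
    }
}
```

In the escaped URL, `i=3604` is part of the path rather than the query string, so removing `?` from the invalid list would let the request through without giving the handler an `i` query parameter.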