URL Routing, Image Handler & “A potentially dangerous Request.Path value”

Question

I\'ve been experiencing this problem now for quite sometime and have decided to try and get to the bottom of it once and for all by posting the question here for some though

Answer 1

Asp.Net 4.0+ comes with a very strict built-in request validation, part of it is the potential dangerous characters in the url which may be used in XSS attacks. Here are default invalid characters in the url :

< > * % & : \ ?

You can change this behavior in your config file:

<system.web>
    <httpRuntime requestPathInvalidCharacters="<,>,*,%,&,:,\,?" />
</system.web>

Or get back to .Net 2.0 validation:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>

A very common invalid character is %, so if by any chance (attack, web-crawlers, or just some non-standard browser) the url is being escaped you get this:

www.amadeupurl.co.uk/ImageHandler.ashx/%3Fi%3D3604

instead of this:

www.amadeupurl.co.uk/ImageHandler.ashx/?i=3604

Note that %3F is the escape character for ?. The character is considered invalid by Asp.Net request validator and throws an exception:

A potentially dangerous Request.Path value was detected from the client (?).

Though in the error message you see the unescaped version of the character (%3F) which is ? again

Here's a good article on Request Validation and how to deal with it

Answer 2

Even I faced this issue but for me, I accidentally typed & instead of the ? in the URL

for example:

example.com/123123&parameter1=value1&paameter2=value2

but in actual it has to be:

example.com/123123?parameter1=value1&paameter2=value2