问题
I'm using WebForm
I'm doing a Security Testing to my site but when I try to pass through url a QueryString like:
'"-->netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E
I got Server Error in '/' Application.
A potentially dangerous Request.QueryString value was detected from the client A potentially dangerous Request.Path value was detected from the client (>).
I have in the web.config
<httpRuntime enableVersionHeader="false"/>
<customErrors mode="On" defaultRedirect="~/Error/GeneralError.aspx">
<error statusCode="404" redirect="~/Error/PageNotFound.aspx" />
<error statusCode="403" redirect="~/Error/GeneralError.aspx" />
<error statusCode="500" redirect="~/Error/GeneralError.aspx" />
</customErrors>
..................
<pages controlRenderingCompatibilityVersion="4.0" viewStateEncryptionMode="Always">
Any idea how can I correct that?
回答1:
Your error is due to violation of built in security rules in the ASP platform. These rules prevent injection and cross-site scripting attacks. If you are using MVC there is a handy AntiForgeryToken that can take care of this for you.
Please look into the post from Scot Hanselman
http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx
来源:https://stackoverflow.com/questions/20009815/a-potentially-dangerous-request-querystring-value-was-detected-from-the-client