h3mm3's blog

Stories from behind the keyboard

  • RSS
  • Twitter

ASP.NET WebPages, a.k.a. WebMatrix web sites, are built upon the ASP.NET stack and, as a consequence, they are subjected to the so-called ”request validation”.

In effect ASP.NET provides a basic anti-XSS form validation service, preventing an user to insert HTML/Javascript code inside HTML fields. Within a WebMatrix project, you can bypass this kind of validation by using the Unvalidated(..) extension method defined in System.Web.Helpers.Validation.

For instance, if you want to read a field named “atext” and skip the request validation, you can write:

//Reading a form value and skipping the detection of dangerous-strings..

var value = Request.Unvalidated("atext"); //"atext" is the name of the form field

On the contrary, if you try to read a value using the classic indexer (e.g. calling Request["atext"]) or by similar methods – like accessing the Form collection), the code will implicitly invoke the private method HttpRequest.ValidateString(..). The standard behavior of ValidateString(..) is to prevent dangerous input, by invoking the internal static method CrossSiteScriptingValidation.IsDangerousString(..). The method is defined like this:

//The CrossSiteScriptingValidation.IsDangerousString(..) method:
internal static bool IsDangerousString(string s, out int matchIndex)
  //returns true if the string is considered to be "dangerous"

If the method returns true, the calling code - e.g. HttpRequest.ValidateString() - will throw an HttpRequestValidationException exception.

Happy programming!

No comments: