Ravikanth's Blog

Happenings around Me

Step by Step - Bypassing .NET ValidateRequest

The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. The feature consists of a series of filters designed to prevent classic web input validation attacks such as HTML injection and XSS (cross-site scripting). The paper linked below introduces script injection payloads that bypass the ASP.NET request validation filters, and also details the trial-and-error procedure that was followed to reverse-engineer those filters by analyzing .NET debug errors.

Paper: http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf

 

The original version of this paper was released in January 2006 for private CPNI distribution. It was updated in August 2008 to include additional material, such as input payloads that bypass the latest anti-XSS .NET patches (MS07-40), released in July 2007.

Comments

traslochi milano said:

Wow nice information you have here. Thanks for sharing

# November 27, 2009 12:41 AM

pocket cell phone jammer said:

And how about adding some more images? I’m not trying to offend anyone, blog is really great. But as I’ve heard humans acquire info much more effectively if they see certain helpful illustrations.

Lenny Page

# May 13, 2010 8:26 PM

weblogs.asp.net said:

Step by step by passing net validate request.. Bully :)

# May 28, 2011 8:46 PM