http://weblogs.asp.net/dvravikanth/archive/tags/.NET/default.aspxTags: .NETenCommunityServer 2007 SP1 (Build: 20510.895)http://weblogs.asp.net/dvravikanth/archive/2008/08/29/step-by-step-by-passing-net-validate-request.aspxFri, 29 Aug 2008 08:32:00 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6575143dvravikanthdvravikanth3http://weblogs.asp.net/dvravikanth/rsscomments.aspx?PostID=6575143http://weblogs.asp.net/dvravikanth/archive/2008/08/29/step-by-step-by-passing-net-validate-request.aspx#comments<FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Cross-site Scripting). The following&nbsp;paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors.<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /><o:p></o:p></SPAN></FONT> <P class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"></SPAN></FONT>&nbsp;</P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"></SPAN></FONT>&nbsp;</P><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">Paper:<o:p></o:p></SPAN></FONT><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><o:p>&nbsp;</o:p></SPAN></FONT> <P class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><A class="" href="http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf" target=_blank mce_href="http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf">http://www.procheckup.com/PDFs/bypassing-dot-NET-ValidateRequest.pdf</A></SPAN></FONT></P> <P class=MsoNormal style="MARGIN: 0in 0in 0pt; mso-layout-grid-align: none"><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"></SPAN></FONT>&nbsp;</P><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'"><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">The original version of this paper was released in January 2006 for private CPNI distribution. This paper has now been updated in August </SPAN></FONT><FONT face="Courier New" size=2><SPAN style="FONT-SIZE: 10pt; FONT-FAMILY: 'Courier New'">2008 to include additional materials such as input payloads that bypass the latest anti-XSS .NET patches (MS07-40) released in July 2007.<o:p></o:p></SPAN></FONT><o:p></o:p></SPAN></FONT>&nbsp;</SPAN></FONT> <P mce_keep="true">&nbsp;</P><img src="http://weblogs.asp.net/aggbug.aspx?PostID=6575143" width="1" height="1">Application SecurityValidateRequest.NET