Thursday, September 11, 2003

Dangers Lurking for Innocent Websites Due to Cross Site Scripting

Often this Cross Site Scripting has been talked during some site updates and been forgotten. Perhaps if you have installed .NET Framework 1.1, then Scripting and HTML tags via QueryStrings or HTML form tags are just stopped by the framework with the message similar to the following one:

A potentially dangerous Request.QueryString value was detected from the client (DocLinkUrl_Begin="javascript:window.opener...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.


Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.QueryString value was detected from the client (DocLinkUrl_Begin="javascript:window.opener...").
Of course, the framework gives an option to enable the page being exempt from this HTTP Request Validations. But it is strongly recommended to have the framework validate your requests before they are being processed by our scripts. Is'nt it?


No comments:

[Imported from Blogdrive]Online Virus Scanners

Online Virus Scanners Virus Scanners are no longer difficult to install, tedious to configure. There are easy to use Online Virus Scanne...