WebApp Sec mailing list archives

ASP.NET default input validation


From: "Mark K. Murdock" <mark.murdock () lanternsec com>
Date: Wed, 21 Mar 2007 21:49:16 -0500

Has anyone identified a way to pass a "<script" string through the
default form/cookie/query validation in ASP.NET 2.0?  I'm referring to
the validation performed on input unless ValidateRequest="false" is
defined in the page directive, web.config, or machine.config file.
We've tried a variety of encodings but haven't found one yet that
doesn't throw an HttpRequestValidationException.

Thanks,
Mark
