WebApp Sec mailing list archives
ASP.NET default input validation
From: "Mark K. Murdock" <mark.murdock () lanternsec com>
Date: Wed, 21 Mar 2007 21:49:16 -0500
Has anyone identified a way to pass a "<script" string through the default form/cookie/query validation in ASP.NET 2.0? I'm referring to the validation performed on input unless ValidateRequest="false" is defined in the page directive, web.config, or machine.config file. We've tried a variety of encodings but haven't found one yet that doesn't throw an HttpRequestValidationException.

Thanks,
Mark