Anyname Donotcare

Reputation: 11393

A potentially dangerous Request.Form value was detected from the client XXX

Yesterday my application went down and when I checked the log folder I found out the error log file size was about 5 MB.

I suspect someone attacked my site.

These are the errors I found:

A potentially dangerous Request.Form value was detected from the client (hdn_rr="1'"()&%<ScRiPt >prompt(9964...").

Invalid JSON primitive: mNPPaqUT.

Unterminated string passed in. (2): '"

Invalid JSON primitive: select pg_sleep(9);

Invalid JSON primitive: response.write

Invalid JSON primitive:  OR 3+185-185-1=0+0+0+1 --

How can I stop and prevent these types of attacks?

Upvotes: 3

Views: 1096

Answers (3)

Kurn Mogh

Reputation: 84

Unfortunately there is no silver bullet. From the error messages it seems like you were targeted for injection and XSS. Sounds like IIS stopped XSS for you and hopefully injection didn't affect you or your users. Probably as a side effect, it seems DOS (Denial-of-service) happened too when your site went down.

Here are some links I found looking at the OWASP project documents:

As for DOS: dealing with this sort of automated attack requires network level measurements (e.g. blocking blacklisted traffic) and you should work with your provider to prevent them from happening (or you can move to a provider like CloudFlare, not affiliated, just heard the name a lot, who are known to employ good security measures and so on).

Another general suggestion is (if you don't already have it) to set up a reverse proxy in front of your web servers. Nginx and HAproxy are two popular products for this purpose. I wouldn't do any kind of IP based or other network level prevention in your application but these reverse proxy setups usually have modules and configuration for a few of these scenarios.

Upvotes: 2

Domin8urMind

Reputation: 1314

I think this is the million dollar question... you might devise an approach that may guard against such an attack, but there might be new ones every day.

One approach is to "throttle" the requests from a particular source. For instance, if a connection with an IP address of 10.10.8.23 is making more than the "reasonable amount" of requests (and optionally failing), then stop accepting requests from that IP for a period of time.

This can be handled as a module, in global.asax, or some other method you deem appropriate, however there is a suite of network malware tools that make this significantly easier and don't require coding.

Upvotes: 2

Mehmet Ince

Reputation: 1318

It seems someone tried time-based SQL injection attacks, but you said that the log file's size is about 5 MB. That means the attacker used an automated vulnerability scanner like Netsparker or Acunetix. Those applications generate a lot of HTTP requests at a time and this caused the 5 MB log size. If you look at the timestamps of the logs, I believe there will be almost 50-100 HTTP requests logged in 10 sec, which cannot be generated by a human.

"A potentially dangerous Request.Form value was detected from the client": this error comes from IIS, because IIS is able to detect XSS payloads by analyzing each HTTP request. When it flags one of them as malicious, IIS generates that log and drops the request before it arrives at the application layer.

To be sure whether your application is secure or not, you can paste the source code of the related controllers and models here and I will analyze it for you. But if you can say "I use prepared statements or MVC without inline queries," I can say that your app is secure against SQL injection attacks.

In conclusion, it seems your application crashed or stopped responding because of high HTTP traffic. SQL injection or XSS attacks can lead to data leakage or be a threat against clients. But those types of attacks can rarely crash an application, except overflow attacks against CGI apps.

Upvotes: 5
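The timestamp check suggested in this answer, which is also the per-source counting that the throttling idea in the earlier answer relies on, as an added example that is not part of the original thread. The log line layout ("ISO timestamp, client IP, message"), the function names and the sample addresses are assumptions constructed for illustration; the default of 50 entries in 10 seconds follows the estimate given in the answer.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed "ISO-timestamp client-ip message" layout;
# adapt parse_line() to the real error-log or IIS W3C format.
def build_sample():
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # 60 rejected requests from one address within 6 seconds (scanner-like)
    for i in range(60):
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 Invalid JSON primitive")
    # 5 errors from another address spread over 5 minutes (human-like)
    for i in range(5):
        ts = base + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} 198.51.100.20 Unterminated string passed in")
    lines.append("garbage line without a timestamp")
    return lines

def parse_line(line):
    """Return (timestamp, client_ip), or None for lines that do not match."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1]
    except ValueError:
        return None

def find_bursts(lines, window_seconds=10, threshold=50):
    """Map each client to its peak number of entries inside any sliding
    window, keeping only clients whose peak reaches the threshold."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    peak = defaultdict(int)
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    for ts, client in events:
        q = recent[client]
        q.append(ts)
        while ts - q[0] >= window:  # drop entries that fell out of the window
            q.popleft()
        peak[client] = max(peak[client], len(q))
    return {c: n for c, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for client, n in find_bursts(build_sample()).items():
        print(f"{client}: {n} logged errors within 10 s")
```

The same sliding-window count, kept in memory per source address, is what a throttling module would consult before deciding to reject further requests for a period of time.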
