muiz

Reputation: 21

Bypassing ASP.NET "validaterequest" for stored XSS attack

Lots of research has been done but I have not had any success. I have already checked the following links and many more.

https://infosecauditor.wordpress.com/2013/05/27/bypassing-asp-net-validaterequest-for-script-injection-attacks/

http://blog.diniscruz.com/2014/06/bypassing-aspnet-request-validation.html

Is there any way to bypass ASP.NET request validation for a stored XSS attack?

In the above link, Unicode characters are inserted and then a popup appears at rendering time.

Is there any possibility of executing script via Unicode characters?

Upvotes: 1

Views: 2855

Answers (1)

Habeeb

Reputation: 8017

If your requirement is to bypass the ASP.NET ValidateRequest functionality, which is enabled by default for ASP.NET, then in the aspx page directive add the validateRequest attribute and set it to false. See the code below:

<pages validateRequest="false" />

If your requirement is to make the input string XSS safe, encode the input string:

HttpUtility.UrlEncode(inputString);

Upvotes: 1
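An added example, not part of the question or the answer above: encoding a stored value at output time, once per rendering context, so the result does not depend on what request validation let through. The sample string, class name and helper names are constructed for illustration; the `HttpUtility` methods are the ones in `System.Web`.

```csharp
using System;
using System.Web; // HttpUtility

static class OutputEncodingDemo
{
    // Constructed sample of a value read back from storage (illustrative only).
    const string Stored = "<script>alert(1)</script>\" onmouseover='x'";

    // HTML element content: <p>HERE</p>
    static string ForHtmlBody(string s) => HttpUtility.HtmlEncode(s);

    // Quoted HTML attribute value: <input value="HERE">
    static string ForHtmlAttribute(string s) => HttpUtility.HtmlAttributeEncode(s);

    // JavaScript string literal inside a <script> block; the call adds the quotes.
    static string ForJsString(string s) =>
        HttpUtility.JavaScriptStringEncode(s, addDoubleQuotes: true);

    // URL query-string value: /search?q=HERE
    static string ForUrlComponent(string s) => HttpUtility.UrlEncode(s);

    // Defender's check: no raw markup delimiters survive the encoder.
    static bool HasRawDelimiters(string encoded) =>
        encoded.IndexOf('<') >= 0 || encoded.IndexOf('>') >= 0;

    static void Main()
    {
        string body = ForHtmlBody(Stored);
        string attr = ForHtmlAttribute(Stored);
        string js = ForJsString(Stored);
        string url = ForUrlComponent(Stored);

        // Each encoder is paired with the one context it is designed for.
        Console.WriteLine("<p>" + body + "</p>");
        Console.WriteLine("<input value=\"" + attr + "\">");
        Console.WriteLine("<script>var v = " + js + ";</script>");
        Console.WriteLine("<a href=\"/search?q=" + url + "\">link</a>");

        // HtmlAttributeEncode does not escape '>', which is expected inside a quoted attribute.
        Console.WriteLine("body has raw delimiters: " + HasRawDelimiters(body));
        Console.WriteLine("js has raw delimiters:   " + HasRawDelimiters(js));
        Console.WriteLine("url has raw delimiters:  " + HasRawDelimiters(url));
    }
}
```

Each encoder is only safe in the context it targets: a URL-encoded value is meant for a URL component, and an HTML-encoded value is meant for HTML text.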
