This page is specific to Microsoft Visual Studio 2008/.NET Framework 3.5.

HttpRequestValidationException Class

The exception that is thrown when a potentially malicious input string is received from the client as part of the request data. This class cannot be inherited.

Namespace:  System.Web
Assembly:  System.Web (in System.Web.dll)
Visual Basic (Declaration)
<SerializableAttribute> _
<AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level := AspNetHostingPermissionLevel.Minimal)> _
Public NotInheritable Class HttpRequestValidationException _
    Inherits HttpException
Visual Basic (Usage)
Dim instance As HttpRequestValidationException
C#
[SerializableAttribute]
[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public sealed class HttpRequestValidationException : HttpException
Visual C++
[SerializableAttribute]
[AspNetHostingPermissionAttribute(SecurityAction::LinkDemand, Level = AspNetHostingPermissionLevel::Minimal)]
public ref class HttpRequestValidationException sealed : public HttpException
JScript
public final class HttpRequestValidationException extends HttpException

Constraining and validating user input is essential in a Web application to prevent attacks that rely on malicious input strings, such as cross-site scripting attacks. Other types of malicious or undesired data can be passed in a request through various forms of input. By limiting the kinds of data that are passed at a low level in an application, you can prevent undesirable events even when programmers who are using your code do not put the proper validation techniques in place.

Request validation detects potentially malicious client input and throws this exception to abort processing of the request. A request abort can indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. It is strongly recommended that your application explicitly validate all input rather than relying on request aborts alone. However, you can disable request validation for a single page by setting the validateRequest attribute in the @ Page directive to false, as shown in the following example:

<%@ Page validateRequest="false" %>

To disable request validation for your application, you must modify or create a Web.config file for your application and set the validateRequest attribute of the pages section to false, as shown in the following example:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

To disable request validation for all applications on your server, you can make this modification to the Machine.config file.

Note:

It is strongly recommended that your application explicitly check all inputs it uses in addition to the request validation performed by ASP.NET. The request validation feature cannot catch all attacks, especially those crafted specifically against your application logic.

The following code example demonstrates how to check for malicious user input by using an HttpRequestValidationException.

Security Note:

This example has a text box that accepts user input, which is a potential security threat. By default, ASP.NET Web pages validate that user input does not include script or HTML elements. For more information, see Script Exploits Overview.

Visual Basic
<%@ Page Language="VB" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<script runat="server">
    Sub Button1_Click(ByVal sender As Object, ByVal e As System.EventArgs)
        Label1.Text = txt1.Text
    End Sub
</script>

<html>
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox id="txt1" Runat="server" />
        <asp:Button ID="Button1" Runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" Runat="server" Text="Label" />.
    </div>
    </form>
</body>
</html>
C#
<%@ Page Language="C#" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    void Button1_Click(object sender, EventArgs e)
    {
        Label1.Text = txt1.Text;
    }
</script>

<html>
<head id="Head1" runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:TextBox id="txt1" Runat="server" />
        <asp:Button ID="Button1" Runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" Runat="server" Text="Label" />.
    </div>
    </form>
</body>
</html>
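As an added example (not from the original page), here is a version of the C# page above that applies the recommendation in the note: it validates the input explicitly against a whitelist pattern, HTML-encodes the value it echoes back, and handles the HttpRequestValidationException in Page_Error so the user gets a clear message instead of the default error page. The control names come from the page's example; the AllowedInput pattern and the use of Trace as the logging sink are assumptions.

```csharp
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Text.RegularExpressions" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<script runat="server">
    // Assumed policy for this demo: letters, digits, whitespace and basic punctuation only.
    static readonly Regex AllowedInput = new Regex(@"^[\w\s.,!?'-]{1,200}$");

    void Button1_Click(object sender, EventArgs e)
    {
        // Explicit application-level check, in addition to ASP.NET request validation.
        if (!AllowedInput.IsMatch(txt1.Text))
        {
            Label1.Text = "Only letters, digits and basic punctuation are accepted.";
            return;
        }
        // Encode on output so the echoed value is always rendered as text, never as markup.
        Label1.Text = HttpUtility.HtmlEncode(txt1.Text);
    }

    // Page-level error handler (wired up by AutoEventWireup). Request validation runs
    // when the posted form is first read, so the exception surfaces here, unwrapped.
    void Page_Error(object sender, EventArgs e)
    {
        HttpRequestValidationException rve =
            Server.GetLastError() as HttpRequestValidationException;
        if (rve == null)
        {
            return; // any other error keeps the default handling
        }
        // Record the event (the exception message names the field and a snippet of the value);
        // the rejected value itself is never echoed back into the page.
        Trace.Warn("RequestValidation", "Rejected input from " + Request.UserHostAddress, rve);
        Server.ClearError();
        Response.StatusCode = 400;
        Response.Write("<p>Your entry contained characters such as &lt; or &gt; that are not allowed. "
            + "Please remove them and try again.</p>");
        Response.End();
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="txt1" runat="server" />
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <br /><br />You entered: <asp:Label ID="Label1" runat="server" Text="" />.
    </form>
</body>
</html>
```

Posting a value such as a tag in txt1 reaches Page_Error before Button1_Click runs, while a value that passes request validation but fails the whitelist is rejected by the explicit check.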
System.Object
  System.Exception
    System.SystemException
      System.Runtime.InteropServices.ExternalException
        System.Web.HttpException
          System.Web.HttpRequestValidationException
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0, 1.1
Community Content

Denial of Service for XSS Attacks (Greg Searle)

A great way to discourage XSS attacks is to simply deny a response to the attacker. This keeps the attacking process waiting for a response, tying up the attacker's resources and using a sort of reverse-denial-of-service method against the attacker. Ideally this would not tie up your server's resources, since it has simply terminated the request without answering.

In real life, I have not found the best way to do this. Simply terminating the current thread does not do it, as IIS interprets this as a failure condition and returns an error response immediately to the requestor. You can place the thread to sleep indefinitely using a "System.Threading.Thread.Sleep (System.Threading.Timeout.Infinite)" call, but this ties up your thread until IIS recycles it. This method is effective, as though it still generates an error condition, no response gets returned.

I have tested the sleep() function on a production system that routinely gets attacked, and it is working. As soon as this went into production, I have seen alternative test-posts start appearing: the criminals trying to see if it was still "alive."

Please add to this post if you have found a better way that doesn't tie up a thread.

This is a poor solution. (Xenophile)
A better solution is to "filter" the input. I am getting exceptions on a system that allows people to take surveys. It's not frequent, but it does occur where people input something like "... unfriendly staff <again>...". In this case it raises an exception and crashes the request which obviously causes frustration for the person trying to enter their feedback. So now I have to figure out how to intercept this behavior.
This is a terrible example (Stephajn Saunter)
Is it just me, or does the example code shown in this article not show a THING having to do with using the exception? It looks like a simple Hello World to me. True, putting in malicious content would throw the exception, but the code shows nothing about how to parse the exception and perhaps do something useful with it such as showing the user what content it was that was rejected, etc.
© 2009 Microsoft Corporation. All rights reserved.