Hi guys
I am getting this error on a web application
"A potentially dangerous Request.Path value was detected from the client (>)."
I have seen a post with this but regarding a mobile application and a method POST. No solution there though.
CompiledWith=10.0.1005.2
RequestUrl: https://IPAddress/ServerName/AccountSections.php/"><script>alert(/openvas-xss-test/);</script> (Method: GET)
Thread Name: .NET: 4.0.30319.42000
Stack:
A potentially dangerous Request.Path value was detected from the client (>).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Never seen this before.
It's happening in a production environment and it doesn't occur on any other environment.
I don't have any complaints from end users, so I don't have any user feedback on this, just the error occurring in Service Center.
Has anyone come across this before?
Any idea what this could be and how to overcome it?
Regards
Hi Pedro,
From the look of it, someone is testing your site for Cross-Site Scripting (XSS) vulnerabilities. You can check the client IP to know where it came from.
And, as you can see, OutSystems blocks those accesses, so the platform is overcoming those accesses and all is good. In my opinion, you don't need to do anything about it.
Cheers,
José
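As an added example (not code from the thread or from OutSystems) of the check José suggests, this script reads an IIS W3C log, flags requests whose decoded path contains characters that ASP.NET request validation rejects, and groups them by client IP. The log lines are constructed; the first request mirrors the scanner URL quoted in the question, and the server and client addresses are placeholders.

```python
from urllib.parse import unquote

# Constructed sample of an IIS W3C log (not from the original thread).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 10.0.0.5 GET /ServerName/AccountSections.php/%22%3E%3Cscript%3Ealert(/openvas-xss-test/);%3C/script%3E - 198.51.100.23 Mozilla/5.0+(OpenVAS) 500
2024-01-15 10:00:02 10.0.0.5 GET /ServerName/Login.aspx - 203.0.113.7 Mozilla/5.0 200
2024-01-15 10:00:03 10.0.0.5 GET /ServerName/AccountSections.php/"><script>alert(/openvas-xss-test/);</script> - 198.51.100.23 Mozilla/5.0+(OpenVAS) 500
"""

# .NET 4 default value of httpRuntime requestPathInvalidCharacters.
# Any of these in the decoded Request.Path raises the
# "A potentially dangerous Request.Path value was detected" error.
INVALID_PATH_CHARS = set('<>*%&:\\?')


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def invalid_path_chars(uri_stem):
    """Characters in the URL-decoded path that request validation would reject."""
    # ASP.NET validates the decoded path, so %3C is checked as '<'.
    return {c for c in unquote(uri_stem) if c in INVALID_PATH_CHARS}


def summarize_validation_hits(text):
    """Group rejected-path requests by client IP: count, offending chars, decoded paths."""
    hits = {}
    for rec in parse_w3c(text):
        bad = invalid_path_chars(rec["cs-uri-stem"])
        if not bad:
            continue
        entry = hits.setdefault(rec["c-ip"], {"count": 0, "chars": set(), "paths": []})
        entry["count"] += 1
        entry["chars"] |= bad
        entry["paths"].append(unquote(rec["cs-uri-stem"]))
    return hits


if __name__ == "__main__":
    for ip, info in summarize_validation_hits(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} rejected request(s), chars {sorted(info['chars'])}")
        for path in info["paths"]:
            print("   ", path)
```

Point it at the real log file (default location under %SystemDrive%\inetpub\logs\LogFiles) to see which addresses are producing the Service Center errors.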
Hi José.
Will dig into it and let you know what we have discovered.
Thank you for your help
This error is because you have HTML tags in your POST request. It can be an indication of a cross-site scripting attack, which is why ASP.NET does not allow it by default. So, you should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning.
The solution for this error is that you should either HTML encode before submitting, or add the following to the IIS web.config file:
<system.web>
<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false" />
</system.web>
The file is located in C:\inetpub\wwwroot\web.config.
For future readers, I had this in a traditional web application when the user uploaded a file with a % character in the filename. Removing this character from the filename fixed the issue.
I have seen this thread today and people have already responded correctly that the changes can be done in the "web.config" file, but that will be in the root directory of the application in which the respective page / item exists.
But in OutSystems, we don't have direct access to the web.config file. Thus, OutSystems provides a module, "Factory Configuration". There you can create an XSLT script as a shared configuration to include the desired changes in any application's web.config file.
But you should do it if you really need to exclude an item from validation and also need the data on the page / UI as actual content that you don't want to encode.
Mobile applications are somewhat the same as web applications for OutSystems at the first level of backend publishing and are running on IIS; that's why a mobile application can be affected by the "ValidateRequest" functionality of ASP.NET.
I hope this response helps someone.