A potentially dangerous Request.Path value was detected from the client (>).
Question

Hi guys

I am getting this error on a web application:

"A potentially dangerous Request.Path value was detected from the client (>)."


I have seen a post with this but regarding a mobile application and a method POST. No solution there though.


CompiledWith=10.0.1005.2
RequestUrl: https://IPAddress/ServerName/AccountSections.php/"><script>alert(/openvas-xss-test/);</script> (Method: GET)

Thread Name:
.NET: 4.0.30319.42000


Stack:

A potentially dangerous Request.Path value was detected from the client (>).
   at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


Never seen this before.

It's happening in a production environment and it doesn't occur on any other environment.

I don't have any complaints from end users so I don't have any user feedback on this, just the error occurring on service center.


Has anyone come across this before?

Any idea on what this could be and how to overcome it?


Regards


Hi Pedro,

From the look of it, someone is testing your site for Cross-Site Scripting (XSS) vulnerabilities. You can check the client IP to know where it came from.

And, as you can see, OutSystems blocks those accesses, so the platform is overcoming those accesses and all is good. In my opinion, you don't need to do anything about it.

Cheers,

José

Hi José.


Will dig into it and let you know what we have discovered.


Thank you for your help

This error is because you have HTML tags in your POST request. It can be an indication of a cross-site scripting attack, which is why ASP.NET does not allow it by default. So, you should encode at the point where some specific characters may become dangerous because they cross into a different sub-language where they have special meaning.

The solution for this error is that you should either HTML encode before submitting, or add the following to the IIS web.config file:

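<system.web>
  <!-- Empty list: no characters are rejected in Request.Path; mode 2.0 limits validation to pages -->
  <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
  <!-- Turns request validation off for pages -->
  <pages validateRequest="false" />
</system.web>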

The file is located in C:\inetpub\wwwroot\web.config.
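
Added example, not part of any post in this thread and not OutSystems or Microsoft code: a Python model of the path check that raised this error, used to triage logged requests by client IP as suggested in the first reply. It assumes the ASP.NET 4.x default `requestPathInvalidCharacters` list and that the first offending character in the decoded path is the one reported; the record layout, the `PROBE` heuristic and the client IPs are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote

# Default <httpRuntime requestPathInvalidCharacters> in ASP.NET 4.x: <,>,*,%,&,:,\,?
DEFAULT_INVALID = '<>*%&:\\?'
# Probe heuristic built from the logged URL (assumption; extend per scanner).
PROBE = re.compile(r'<\s*/?\s*script|openvas', re.I)

def decoded_path(url):
    """Path as modelled here: percent-decoded, without the query string."""
    return unquote(urlsplit(url).path)

def first_rejected_char(url):
    """First character default path validation rejects, or None."""
    return next((c for c in decoded_path(url) if c in DEFAULT_INVALID), None)

def triage(record):
    """Classify one logged request; record is {'client_ip', 'url'}."""
    bad = first_rejected_char(record['url'])
    if bad is None:
        verdict = 'not-path-validation'
    elif PROBE.search(decoded_path(record['url'])):
        verdict = 'scanner-probe'      # blocked before any page code ran
    else:
        verdict = 'review'             # may be a legitimate link being rejected
    return {'client_ip': record['client_ip'], 'char': bad, 'verdict': verdict}

def probes_by_client(records):
    """Count blocked probe requests per client IP."""
    return Counter(t['client_ip'] for t in map(triage, records)
                   if t['verdict'] == 'scanner-probe')

# Constructed records: the first URL is the one logged in the question, the
# second is the same path percent-encoded; client IPs are documentation ranges.
SAMPLE = [
    {'client_ip': '192.0.2.10', 'url': 'https://IPAddress/ServerName/'
     'AccountSections.php/"><script>alert(/openvas-xss-test/);</script>'},
    {'client_ip': '192.0.2.10', 'url': 'https://IPAddress/ServerName/'
     'AccountSections.php/%22%3E%3Cscript%3Ealert(/openvas-xss-test/);%3C/script%3E'},
    {'client_ip': '198.51.100.7', 'url': 'https://IPAddress/ServerName/Reports/Q1:2024.aspx'},
    {'client_ip': '198.51.100.7', 'url': 'https://IPAddress/ServerName/Home.aspx'},
]

if __name__ == '__main__':
    for rec in SAMPLE:
        print(triage(rec))
    print(probes_by_client(SAMPLE))
```

A `review` verdict marks a rejected path with no probe marker, which is the case to look at before changing any validation setting.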




