Is there any risk of submitting form with HTML?


6

When I insert the text `Em 19 de maio de 2015 16:48, <asdfsadf> escreveu:` and submit the form, I get the following error:

A potentially Dangerous Request.Form value was Detected from the client (ctl00$Contentplaceholder1$tbObservacao="...o Pedrosa < asdfsadf

The text was identified as HTML and dangerous by ASP.NET, which prevented the form from being submitted; it seems to me the problem lies in this part: `<asdfsadf>`. I added `ValidateRequest="false"` to my Aspx page, which disables this validation, but I'm a little worried about the effects it might have.

My questions are:

  1. Is there any risk in submitting a form with HTML?
  2. If so, what is it?
  • 2

    Yes, there is a risk. Basically: you will save this content in the database and at some point render a page to show it to the user. Since the page will be generated in the server context, ASP.NET instructions injected earlier and now retrieved from the database can read sensitive data on the server and send it along with the generated page to the malicious user.

  • @Caffe, wouldn't you dare to answer?

  • I'd like to answer but at the moment I can't - I was just passing by :-) If nothing shows up, who knows, maybe later. Good luck!

  • @Caffé No worries.

1 answer

7


ASP.NET, by default, validates whether there are HTML elements and other special characters in the data sent by the server. The reason for this is protection against vulnerabilities such as HTML Injections and Script Injections.

HTML injections can have many bad consequences, including access to user cookies, allowing the attacker to impersonate another user or modify the content of the page seen by the victims.

An injection of HTML can lead to exploitation of a more serious vulnerability which is the XSS (Cross Site Scripting). A XSS attack occurs when the attacker is able to use a web application to send malicious scripts to other users. The user’s browser has no way of knowing that the script is unreliable and so it runs it. Considering that the script came from a reliable source, this script can access cookies, session keys and other sensitive information of the user who accesses that site.

All these injections can be avoided by validating the content sent in the request, and ASP.NET already does this for you when the ValidateRequest setting is on. Be aware that this setting can be made per page, in Web.Config (for the entire application) and even per control (ValidateRequestMode="Disabled|Enabled|Inherit").

Read more about it in:

  • 1

    Thanks for the links, I’ll take a look.

  • 1

    I'm studying information security and decided to come back here; sensational answer, it basically covered everything I studied.

  • 1

    Thanks! I hope you help more people.

  • 1

    @Marcusvinicius maybe a lot later, but what if I have only one field that will receive HTML? Do I have to open up the full page anyway? If I know my field may contain HTML, but only that one, what is the other way to do it, if not with ValidateRequest?

  • 1

    @Leandrodemellofagundes, no. Since .NET 4.5 there is a property ValidateRequestMode which allows this configuration at the control level. Read more at https://docs.microsoft.com/en-us/dotnet/api/system.web.ui.control.validaterequestmode?view=netframework-4.7.2
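The per-control alternative mentioned in the answer and in the last comment, as an added example that is not code from the question, the answer or the ASP.NET docs: only the textbox that must accept `<...>` opts out of request validation, everything else keeps it, and the stored value is HTML-encoded on every output path. The page class, control IDs and the web.config fragment are assumptions for illustration.

```csharp
// Added example (not from the original post). Narrower than
// ValidateRequest="false" on the whole page: relax validation for one
// control only, and encode at output time instead of trusting the input.
//
// web.config: ValidateRequestMode on a control only takes effect under the
// 4.5 request-validation mode.
//   <system.web>
//     <httpRuntime requestValidationMode="4.5" targetFramework="4.5" />
//   </system.web>
//
// Pedido.aspx (assumed markup): only tbObservacao skips request validation;
// the Literal uses Mode="Encode" so whatever it displays is encoded for you.
//   <asp:TextBox ID="tbObservacao" runat="server" TextMode="MultiLine"
//                ValidateRequestMode="Disabled" />
//   <asp:Button  ID="btnSalvar" runat="server" Text="Salvar"
//                OnClick="btnSalvar_Click" />
//   <asp:Literal ID="ltObservacao" runat="server" Mode="Encode" />
//   <asp:Label   ID="lblResumo" runat="server" />

using System;
using System.Web;
using System.Web.UI;

public partial class Pedido : Page
{
    // Encode once, at output time. The stored text stays exactly as typed;
    // the browser receives "&lt;asdfsadf&gt;" and shows it as plain text
    // instead of parsing a tag.
    public static string ParaHtml(string observacao)
    {
        return HttpUtility.HtmlEncode(observacao ?? string.Empty);
    }

    protected void btnSalvar_Click(object sender, EventArgs e)
    {
        // "Em 19 de maio de 2015 16:48, <asdfsadf> escreveu:" now reaches the
        // server without the HttpRequestValidationException, because only
        // this control has validation disabled.
        string observacao = tbObservacao.Text;

        // Persist the raw value here (data access omitted). Because input
        // validation was relaxed for this field, every place that renders it
        // must encode, not just this page.

        // Output path 1: a control that encodes on its own (Mode="Encode").
        ltObservacao.Text = observacao;

        // Output path 2: a control that does NOT encode (Label), so encode
        // explicitly before assigning.
        lblResumo.Text = ParaHtml(observacao);
    }
}
```

The same rule applies to any other page that later reads this field from the database: encode it with HttpUtility.HtmlEncode or the `<%: %>` syntax when rendering.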
