A Potentially Dangerous Form Value - Error
Rank: Member
Joined: 1/30/2008(UTC) Posts: 215
We're getting this every day or so now. It looks like someone is trying to enter a URL in a text box we leave for general instructions. What does this message actually mean? Is BV blocking all URL entries or is something else nefarious going on? This is on our logo items site; the text boxes are on most product pages. The instructions are often used to give us a nudge on special requirements.

Code:
A potentially dangerous Request.Form value was detected from the client (ctl00$MainContentHolder$VariantsDisplay$inputTemplate5$InputTextBox="...ing. <a href="http://tech...").
[ at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.get_HasForm()
at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
at System.Web.UI.Page.DeterminePostBackMode()
at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
at System.Web.UI.Page.ProcessRequest()
at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
at System.Web.UI.Page.ProcessRequest(HttpContext context)
at ASP.bvmodules_producttemplates_bvc_2004_layout_product_aspx.ProcessRequest(HttpContext context)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) ]
Rank: Member
Joined: 11/5/2003(UTC) Posts: 2,136
Was thanked: 1 time(s) in 1 post(s)
This page has a good explanation of the message and describes a way of stopping the message. Be sure to heed the warning. http://www.cryer.co.uk/brian/mswinswdev/ms_vbnet_server_error_potentially_dangerous.htm
Rank: Member
Joined: 1/30/2008(UTC) Posts: 215
Andy, are we saying that in its current form BV would not be secure with text boxes? I'm a little confused; shouldn't this be disabled by default in the application? Is it already, or are there additional recommendations from BV?
Rank: Member
Joined: 8/17/2006(UTC) Posts: 681
HPros, the error that you get is a standard validation that is applied by ASP.NET to try to avoid Cross Site Scripting (XSS). Disabling the error is very simple to do; however, you open your site to a bunch of potential cross site scripting issues. The proper way to protect against this is to correctly sanitize inputs and always encode outputs, not using HttpUtility.HtmlEncode but using the much better AntiXss.HtmlEncode method written by the Microsoft Security Team. However, BVC does not use this anywhere. Actually very few sites do this properly, and it's a big issue that can create lots of different attacks on your site, mostly from an attacker towards an admin. Unless BV does a fix (which implies a very large code change) I would leave the validation in place and accept the potential errors rather than remove the validations. Regards, Corneliu.
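The two layers Corneliu describes, shown side by side as an added example (this is not BV Commerce code and not from any poster in this thread). The first method is an approximation of the ASP.NET request-validation rule that produced the error above, assumed here for illustration only (the real check lives inside System.Web and has changed between framework versions); the second and third methods show the proper defence of encoding at output time with the System.Web HttpUtility encoders, so that whatever text a customer typed is displayed to an admin as literal text rather than interpreted as markup. The sample inputs are constructed.

```csharp
// Added example for this thread; not BV Commerce code.
// Assumes System.Web.dll is referenced. The AntiXss library mentioned in the
// thread is a separate download and is not used here.
using System;
using System.Web;

public static class InstructionsSafety
{
    // Approximation (an assumption for this example) of the ASP.NET request
    // validation rule behind "A potentially dangerous Request.Form value":
    // reject '<' followed by a letter, '!', '/', '?', or an "&#" entity start.
    // A plain URL such as http://www.example.invalid does not trigger it.
    public static bool WouldTripRequestValidation(string value)
    {
        for (int i = 0; i < value.Length - 1; i++)
        {
            char c = value[i];
            char next = value[i + 1];
            if (c == '<' && (char.IsLetter(next) || next == '!' || next == '/' || next == '?'))
                return true;
            if (c == '&' && next == '#')
                return true;
        }
        return false;
    }

    // Output encoding for HTML body context: the stored instruction text is
    // never trusted, and encoding at render time is what stops stored XSS
    // against the admin who reads the order, regardless of request validation.
    public static string RenderAsHtmlBody(string rawInstructions)
    {
        return "<p class=\"instructions\">" + HttpUtility.HtmlEncode(rawInstructions) + "</p>";
    }

    // Attribute context needs attribute encoding, because a quote character
    // is what would break out of the attribute.
    public static string RenderAsTitleAttribute(string rawInstructions)
    {
        return "<span title=\"" + HttpUtility.HtmlAttributeEncode(rawInstructions) + "\">instructions</span>";
    }

    public static void Main()
    {
        // Constructed sample inputs: a normal customer note, and the kind of
        // markup that produced the error in the thread.
        string benign = "Logo on left chest, 2 inch wide. Ship by Friday.";
        string markup = "Thanks for the print. <a href=\"http://example.invalid\">x</a>";

        Console.WriteLine("benign trips validation: " + WouldTripRequestValidation(benign));
        Console.WriteLine("markup trips validation: " + WouldTripRequestValidation(markup));

        // Whatever reached the database is rendered as text, never as markup.
        Console.WriteLine(RenderAsHtmlBody(markup));
        Console.WriteLine(RenderAsTitleAttribute(markup));
    }
}
```

Compile it as a console application with a reference to System.Web.dll. The point of the example is the division of labour: request validation is a coarse filter at the door, while the encoders at render time are the control that actually decides whether stored text can become script in an admin's browser.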
Rank: Member
Joined: 8/17/2006(UTC) Posts: 681
Oh, I forgot, they don't try to enter a URL (e.g. http://www.blahblah.com); they try to enter HTML code: < a href=.. which your normal user would not enter anyway. That clearly looks more like an attack to me than your average user. Regards, Corneliu.
Rank: Member
Joined: 1/30/2008(UTC) Posts: 215
Corneliu, so essentially it's safe and secure, just not ideal? I'd rather just have it squash any of that input entirely because, as you said, it's clearly non-legit.
What's bugging me is I cannot see the full address of the attempt; the BV error log truncates that data. Where can I find it in the actual application?
Rank: Member
Joined: 8/17/2006(UTC) Posts: 681
You can't. It's not BV that truncates it. It's ASP, and it does it for your own safety.
Regards, Corneliu.
Rank: Member
Joined: 1/30/2008(UTC) Posts: 215
I think these are actually bots trying to find text boxes on blogs, to be honest. They see a text box and try to post, then move on. We don't carry card numbers online; they are immediately removed if they were ever there at all, so there isn't much to grab anyway.