从客户端检测到有潜在危险的Request.QueryString值

本文介绍了从客户端检测到有潜在危险的Request.QueryString值的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！ 问题描述

我使用的WebForm

I'm using WebForm

我在做安全测试，以我的网站，但是当我试图通过URL查询字符串，如：

I'm doing a Security Testing to my site but when I try to pass through url a QueryString like:

' - > netsparker（0x00286A）   mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E

'"-->netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E

我在'/'应用了服务器错误。

I got Server Error in '/' Application.

一个潜在危险的Request.QueryString值从检测   客户从客户端检测到有潜在危险的Request的值（>）。

A potentially dangerous Request.QueryString value was detected from the client A potentially dangerous Request.Path value was detected from the client (>).

我在web.config

I have in the web.config

<httpRuntime enableVersionHeader="false"/> <customErrors mode="On" defaultRedirect="~/Error/GeneralError.aspx"> <error statusCode="404" redirect="~/Error/PageNotFound.aspx" /> <error statusCode="403" redirect="~/Error/GeneralError.aspx" /> <error statusCode="500" redirect="~/Error/GeneralError.aspx" /> </customErrors> .................. <pages controlRenderingCompatibilityVersion="4.0" viewStateEncryptionMode="Always">

任何想法，我该怎么纠正？

Any idea how can I correct that?

推荐答案

您错误是由于违反了建在ASP平台的安全规则。这些规则prevent注入和跨站脚本攻击。如果您正在使用MVC有一个方便的AntiForgeryToken，可以照顾这个给你。

Your error is due to violation of built in security rules in the ASP platform. These rules prevent injection and cross-site scripting attacks. If you are using MVC there is a handy AntiForgeryToken that can take care of this for you.

请看看来自斯科特Hanselman的

Please look into the post from Scot Hanselman

www.hanselman/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx