http://blogs.msdn.com/esiu/archive/tags/IIS/default.aspxTags: IISen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/esiu/archive/2007/10/19/asp-net-validaterequest-does-not-mitigate-xss-completely.aspxSat, 20 Oct 2007 00:26:17 GMT91d46819-8472-40ad-a661-2c78acb4018c:5529155esiu5http://blogs.msdn.com/esiu/comments/5529155.aspxhttp://blogs.msdn.com/esiu/commentrss.aspx?PostID=5529155<p>As a security guy, I can safely say that there is no magic bullet to mitigate any security problems completely, and cross-site scripting(XSS) bugs are not exceptions.&nbsp; Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and <a href="http://msdn2.microsoft.com/en-us/library/system.web.httprequestvalidationexception(vs.80).aspx">HttpRequestValidationException</a>&nbsp;is thrown before the input is even processed by your code.&nbsp; For example, <em>&lt;script&gt;</em> would be caught by ValidateRequest.</p> <p>During my security reviews, I routinely find that many web applications turn on ValidateRequest (It is on by default), and do not follow XSS mitigation techniques, such as output encoding by HTMLEncode or <a href="http://msdn2.microsoft.com/en-us/library/aa973813.aspx">ACE Anti-XSS library</a>.&nbsp; They believe that ValidateRequest can fix all XSS problems.</p> <p>However, there are a couple downsides of relying on ValidateRequest:<br>1. ValidateRequest may miss some crafty inputs.&nbsp; Please read MS07-040 for <a href="http://www.microsoft.com/technet/security/Bulletin/MS07-040.mspx">a recent MSRC fix</a> on ValidateRequest.</p> <p>2. ValidateRequest cannot be turned on in all cases, as characters that trigger XSS may also be needed in valid user scenarios.&nbsp; For example, AJAX transmits XML blobs between client and server,&nbsp;but ValidateRequest will throw <a href="http://msdn2.microsoft.com/en-us/library/system.web.httprequestvalidationexception(vs.80).aspx">HttpRequestValidationException</a>&nbsp;as it contains "dangerous" characters, such as &lt; and &gt;.&nbsp; Exchange 2007 OWA cannot run with ValidateRequest turned on.&nbsp; </p> <p>In conclusion, ValidateRequest should be turned on if it does not block valid user scenarios.&nbsp; However, even with ValidateRequest turned on, it MUST not be regarded as a sure-fire way to mitigate XSS.&nbsp; Please read <a title="http://msdn2.microsoft.com/en-us/library/ms998274.aspx" href="http://msdn2.microsoft.com/en-us/library/ms998274.aspx">http://msdn2.microsoft.com/en-us/library/ms998274.aspx</a>&nbsp;for full XSS mitigation.</p><img src="http://blogs.msdn.com/aggbug.aspx?PostID=5529155" width="1" height="1">IISSecurityhttp://blogs.msdn.com/esiu/archive/2004/11/18/266018.aspxThu, 18 Nov 2004 23:33:00 GMT91d46819-8472-40ad-a661-2c78acb4018c:266018esiu0http://blogs.msdn.com/esiu/comments/266018.aspxhttp://blogs.msdn.com/esiu/commentrss.aspx?PostID=266018<div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2">ASP applications are protected, but what happens to non-ASP requests?&nbsp; Currently, there is no limit.<br />MaxRequestEntityAllowed is currently not set, but ASPMaxRequestEntityAllowed is set to 200k</font></span></div> <div dir="ltr" align="left"><span class="834351823"><span class="834351823"><font face="Arial" size="2">ASP is simply a type of ISAPI, so obviously, the more restrictive of the two will apply for ASP.</font></span></span></div> <div dir="ltr" align="left"><span class="834351823"><span class="834351823"><font face="Arial" size="2"></font></span></span>&nbsp;</div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2">MaxRequestEntityAllowed<br /><a href="http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_maxrequestentityallowed.asp"><font size="3">http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_maxrequestentityallowed.asp</font></a></font></span></div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2"></font></span>&nbsp;</div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2">ASPMaxRequestEntityAllowed<br /><a href="http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_aspmaxrequestentityallowed.asp"><font size="3">http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_aspmaxrequestentityallowed.asp</font></a></font></span></div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2"></font></span>&nbsp;</div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2">Check out C:\WINDOWS\system32\inetsrv\MetaBase.xml for the values on your box.</font></span></div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" color="#0000ff" size="2"></font></span>&nbsp;</div> <div dir="ltr" align="left"><span class="834351823"><font face="Arial" size="2">You cannot POST to a static file, so limit is effectively 0.</font></span></div><img src="http://blogs.msdn.com/aggbug.aspx?PostID=266018" width="1" height="1">IIS