Handle URI hacking gracefully in ASP.NET
Posted by asbjornu on Stack Overflow
Published on 2009-02-27T09:23:07Z
I've written an application that handles most exceptions gracefully, with the page's design intact and a pretty error message. My application catches them all in the Page_Error event and there adds the exception to HttpContext.Current.Context.Items and then does a Server.Transfer to an Error.aspx page. I find this to be the only viable solution in ASP.NET as there seems to be no other way to do it in a centralized and generic manner.
I also handle the Application_Error event, and there I do some inspection on the exception that occurred to find out if I can handle it gracefully or not. Exceptions I've found I can handle gracefully are those that are thrown after someone hacks the URI to contain characters the .NET framework considers dangerous or basically just illegal at the file system level.
Such URIs can look like e.g.:
http://example.com/"illegal"
http://example.com/illegal"/
http://example.com/illegal /
(notice the space before the slash at the end of the last URI).
I'd like these URIs to respond with a "404 Not Found" and a friendly message, as well as not causing any error report to be sent, to avoid DDoS attack vectors and such. I have, however, not found an elegant way to catch these types of errors. What I do now is inspect the exception.TargetSite.Name property, and if it's equal to CheckInvalidPathChars, ValidatePath or CheckSuspiciousPhysicalPath, I consider it a "path validation exception" and respond with a 404.
This seems like a hack, though. First, the list of method names is probably not complete in any way, and second, there's the possibility that these method names get replaced or renamed down the line, which will cause my code to break.
Does anyone have an idea how I can handle this in a less hard-coded and much more future-proof way?
PS: I'm using System.Web.Routing in my application to have clean and sensible URIs, if that is of any importance to any given solution.
© Stack Overflow or respective owner
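
The check described in the question, written out as an added example (not the poster's code): an Application_Error handler in a Global.asax code-behind that treats an exception as a path validation failure when its TargetSite.Name matches one of the three method names from the post, answers with a 404 and skips the error report. Walking the inner exceptions, the plain-text response body and the ReportError hook are assumptions made for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

public class Global : HttpApplication
{
    // Method names taken from the question; the list is not known to be complete.
    private static readonly HashSet<string> PathValidationMethods =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "CheckInvalidPathChars",
            "ValidatePath",
            "CheckSuspiciousPhysicalPath"
        };

    // True when the exception, or any inner exception, was thrown by a listed method.
    internal static bool IsPathValidationException(Exception exception)
    {
        for (Exception e = exception; e != null; e = e.InnerException)
        {
            // TargetSite is null for an exception object that was never thrown.
            if (e.TargetSite != null && PathValidationMethods.Contains(e.TargetSite.Name))
                return true;
        }
        return false;
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception exception = Server.GetLastError();
        if (!IsPathValidationException(exception))
        {
            ReportError(exception); // hypothetical hook for the existing error reporting
            return;
        }

        // Malformed URI: answer 404 with a friendly message and send no report,
        // so a flood of such requests cannot be turned into a flood of reports.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 404;
        Response.TrySkipIisCustomErrors = true; // keep IIS 7+ from replacing the body
        Response.ContentType = "text/plain";
        Response.Write("The page you requested was not found.");
    }

    // Hypothetical placeholder for whatever reporting the application already does.
    private static void ReportError(Exception exception) { }
}
```

Keeping the classification in one static method means the method-name list lives in a single place, which limits the damage if the framework renames those methods later.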