ASP.Net MVC, JS injection and System.ArgumentException - Illegal Characters in path
Posted
by Mose
on Stack Overflow
See other posts from Stack Overflow
or by Mose
Published on 2010-04-30T17:03:09Z
Indexed on
2010/04/30
17:07 UTC
Read the original article
Hit count: 294
asp.net-mvc
|hack
Hi,
In my ASP.Net MVC application, I use custom error handling. I want to perform custom actions for each error case I meet in my application.
So I override Application_Error, get the Server.GetLastError(); and do my business depending on the exception, the current user, the current URL (the application runs on many domains), the user IP, and many others.
Obviousely, the application is often the target of hackers. In almost all the case it's not a problem to detect and manage it, but for some JS URL attacks, my error handling does not perform what I want it to do. Ex (from logs) :
http://localhost:1809/Scripts/]||!o.support.htmlSerialize&&[1
When I got such an URL, an exception is raised when accessing the ConnectionStrings section in the web.config, and I can't even redirect to another URL.
It leads to a "System.ArgumentException - Illegal Characters in path, etc."
The screenshot below shows the problem : http://screencast.com/t/Y2I1YWU4
An obvious solution is to write a HTTP module to filter the urls before they reach my application, but I'd like to avoid it because :
- I like having the whole security being managed in one place (in the Application_Error() method)
- In the module I cannot access the whole data I have in the application itself (application specific data I don't want to debate here)
Questions : Did you meet this problem ? How did you manage it ?
Thanks for you suggestions,
Mose
© Stack Overflow or respective owner