ASP.Net MVC, JS injection and System.ArgumentException - Illegal Characters in path

Posted by Mose on Stack Overflow See other posts from Stack Overflow or by Mose
Published on 2010-04-30T17:03:09Z Indexed on 2010/04/30 17:07 UTC
Read the original article Hit count: 286

Filed under:
|

Hi,

In my ASP.Net MVC application, I use custom error handling. I want to perform custom actions for each error case I meet in my application.

So I override Application_Error, get the Server.GetLastError(); and do my business depending on the exception, the current user, the current URL (the application runs on many domains), the user IP, and many others.

Obviousely, the application is often the target of hackers. In almost all the case it's not a problem to detect and manage it, but for some JS URL attacks, my error handling does not perform what I want it to do. Ex (from logs) :

http://localhost:1809/Scripts/]||!o.support.htmlSerialize&&[1

When I got such an URL, an exception is raised when accessing the ConnectionStrings section in the web.config, and I can't even redirect to another URL.

It leads to a "System.ArgumentException - Illegal Characters in path, etc."

The screenshot below shows the problem : http://screencast.com/t/Y2I1YWU4

An obvious solution is to write a HTTP module to filter the urls before they reach my application, but I'd like to avoid it because :

  • I like having the whole security being managed in one place (in the Application_Error() method)
  • In the module I cannot access the whole data I have in the application itself (application specific data I don't want to debate here)

Questions : Did you meet this problem ? How did you manage it ?

Thanks for you suggestions,

Mose

© Stack Overflow or respective owner

Related posts about asp.net-mvc

Related posts about hack