Why does ValidateRequest exist in .NET if data is encoded by the framework?

Every time I return data to the user, I see that .NET automatically encodes it to prevent malicious scripts.

So why ValidateRequest?

2012-04-04 07:05
by markzzz
.NET isn't doing the encoding - a well behaved browser running non-malicious code is - Damien_The_Unbeliever 2012-04-04 08:26
Yes, it does: - markzzz 2012-04-04 08:33


According to asp.net (http://www.asp.net/whitepapers/request-validation), this method is used to prevent some script-injection attacks. The network is full of attackers, so you should encode the data even if .NET does it automatically.

2012-04-04 07:16
by bassem ala
? Can you give an example where .NET will fail on encoding? (And maybe one where it won't with ValidateRequest?) - markzzz 2012-04-04 07:25
Check this link: http://software-security.sans.org/blog/2011/07/22/bypassing-validaterequest-in-asp-ne - bassem ala 2012-04-04 07:28
Or download this PDF file; it has everything you want to know: http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0CCoQFjAB&url=http%3A%2F%2Fwww.procheckup.com%2Fvulnerabilitymanager%2Fdocuments%2Fdocument1258758664%2Fbypassing-dot-NET-ValidateRequest.pdf&ei=0d7T5O9EtSW8gPoxIydDQ&usg=AFQjCNHKAR0WOMCzARewWsRqsuoVtklpA&sig2=lDY3XR5T_i3VGtJ-J4C - bassem ala 2012-04-04 09:06
But I don't mind how to crack ValidateRequest. I mind why this control exists! If I write in a text area, in the postback it has been encoded. Yes, of course, if it comes from a .NET literal.. - markzzz 2012-04-04 10:07
Also, the problem here (http://software-security.sans.org/blog/2011/07/22/bypassing-validaterequest-in-asp-net) is not with validation, but I think it's a bug in SQL Server: if I write %uff1c, SQL Server must save it as %uff1c; it shouldn't encode it automatically :O. Or, at least, it should encode %uff1c using the encoding chosen by the admi - markzzz 2012-04-04 10:14
http://stackoverflow.com/questions/10009177/validaterequest-fault-or-sql-server-bu - markzzz 2012-04-04 10:20
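The point made in the answer (request validation is a first-line filter on input; output encoding is what actually stops script injection) can be shown in a plain console program. This is an added example written for this page, not code from the question, the answer, or Microsoft. Two parts are stand-ins and are marked as assumptions in the code: `LooksDangerousToRequestValidation` is a simplified model of ASP.NET's request-validation check, not the real `System.Web` implementation, and `StoreInLegacyColumn` uses Unicode NFKC normalization as an analogue of the "best-fit" narrowing the linked SANS post attributes to SQL Server; the input string is constructed from the %uff1c / %uff1e trick described there. `HttpUtility.HtmlEncode` is the real .NET API (reference `System.Web.dll` on .NET Framework).

```csharp
// Added example (not from the original question or answers): why output
// encoding is still required with ValidateRequest on.
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility; reference System.Web.dll on .NET Framework

static class ValidateRequestDemo
{
    // ASSUMPTION: simplified stand-in for ASP.NET request validation. The real
    // check lives in System.Web and is more involved; this version only rejects
    // a '<' followed by a letter, '!', '/' or '?', or an "&#" pair.
    static bool LooksDangerousToRequestValidation(string s)
    {
        return Regex.IsMatch(s, @"<[A-Za-z!/?]|&#");
    }

    // ASSUMPTION: stand-in for a "best-fit" narrowing such as the one the SANS
    // post attributes to SQL Server when NVARCHAR input lands in a VARCHAR column.
    // NFKC folds fullwidth forms (U+FF1C, U+FF1E) to ASCII '<' and '>'; a real
    // database applies its own mapping table, not NFKC.
    static string StoreInLegacyColumn(string s)
    {
        return s.Normalize(NormalizationForm.FormKC);
    }

    // Vulnerable: text placed into the page as-is. This is what a Label's Text,
    // Response.Write, or a Literal with Mode="PassThrough" does.
    static string RenderRaw(string s)
    {
        return "<span>" + s + "</span>";
    }

    // Safe: text encoded for an HTML text context, as <%: %> in ASP.NET 4 or a
    // Literal with Mode="Encode" does.
    static string RenderEncoded(string s)
    {
        return "<span>" + HttpUtility.HtmlEncode(s) + "</span>";
    }

    static void Main()
    {
        // Constructed input: the %uff1c / %uff1e payload from the linked SANS
        // post, written here as the characters ASP.NET's %u-decoding yields.
        string submitted = "\uFF1Cscript\uFF1Ealert(1)\uFF1C/script\uFF1E";

        // Request validation runs on the submitted form value: the fullwidth
        // characters are not '<', so nothing is flagged.
        Console.WriteLine("Submitted value flagged by request validation: " +
            LooksDangerousToRequestValidation(submitted));

        // Storage narrows the characters; what comes back out contains real tags.
        string stored = StoreInLegacyColumn(submitted);
        Console.WriteLine("Value read back from storage: " + stored);
        Console.WriteLine("Read-back value would be flagged: " +
            LooksDangerousToRequestValidation(stored) +
            " (but validation only ran on the request, not on this)");

        // The encoding decision at output time is what decides whether the
        // browser sees markup or text.
        Console.WriteLine("Raw render:     " + RenderRaw(stored));
        Console.WriteLine("Encoded render: " + RenderEncoded(stored));

        // For contrast, a plain ASCII payload is caught by request validation.
        Console.WriteLine("ASCII payload flagged: " +
            LooksDangerousToRequestValidation("<script>alert(1)</script>"));
    }
}
```

Compile and run it as a console application with a reference to `System.Web`. The run shows the sequence the answer is warning about: the submitted value passes the validation model, the stored value comes back containing `<script>`, `RenderRaw` puts that into the page verbatim, and only `RenderEncoded` turns it into inert `&lt;script&gt;` text. Request validation is a blocklist on the request; encoding at the point of output is the control that does not depend on what happened to the data in between.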