Don't Ignore the HttpRequestValidationException

> Doing so could be... potentially dangerous

Overview

No Sitecore implementation would be complete without an onslaught of the log error:

System.Web.HttpRequestValidationException: A potentially dangerous ______ value was detected

Where the blank might be Request.Cookies, Request.Form, Request.Path, Request.QueryString, or Request.Url.

This class of errors is extremely common. It has many triggers, but all of them come down to the same thing: an incoming request contains input that .NET's request validation considers potentially dangerous. Request validation is a .NET security feature intended to prevent cross-site scripting attacks and similar issues.

While many devs consider this class of errors to be a nuisance, I argue that they deserve more attention than they are given.

Error Variations

A potentially dangerous Request.Cookies value was detected from the client

A potentially dangerous Request.Form value was detected

A potentially dangerous Request.Path value was detected

A potentially dangerous Request.QueryString value was detected

A potentially dangerous Request.RawUrl value was detected

A potentially dangerous Request.Url value was detected

How to Reproduce the Issue

For whichever class of this error you are trying to reproduce, include values that contain characters such as < > -- those which are commonly used to exploit XSS vulnerabilities. While you're at it, you can also test a variety of other characters such as:

< > " ' & ; ( ) [ ] { } ^ @ _ - ~ = ' : \/ ; ! $ # & \\ , + < .

Dangerous Values vs. Non-Dangerous Values

The phrase 'potentially dangerous' implies that the inputs may or may not actually be dangerous. This is a critical distinction that is easy to forget because, almost always, the inputs really are dangerous: they come from malicious bots doing script-kiddy tier reconnaissance. But there are also cases where the inputs are not dangerous.

When performing analysis, ask these key questions:

  1. Is the value actually dangerous?
  2. Who triggered the error? Was it a bot or a human?
  3. Can WAF rules be adjusted to prevent this error?
  4. What was the action that triggered the error (simple GET request, form submission, etc)?
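These questions are much easier to answer when the log line already carries the context. The following is an added example, not the author's code or Sitecore's: a Global.asax handler that catches only HttpRequestValidationException, logs the method, path, offending key, client IP, User-Agent and referer, and answers with a 400 instead of a 500. Sitecore.Diagnostics.Log is assumed to be the site's logger; any logger will do. As a check for question 1: in .NET 4.x the Form, QueryString and Cookies check fires only on a `<` followed by a letter, `!`, `/` or `?`, and on the sequence `&#`; the Path check uses the separate `requestPathInvalidCharacters` list in `<httpRuntime>` (default `<,>,*,%,&,:,\,?`). Many of the characters in the reproduction list above therefore do not trigger the error on their own.

```csharp
// Global.asax.cs (added example). Logs the context needed to answer the triage
// questions above, then returns a 400 instead of letting the request fail with a 500.
using System;
using System.Text.RegularExpressions;
using System.Web;
using Sitecore.Diagnostics;   // Sitecore's Log class; swap in any logger

public class Global : HttpApplication
{
    // The exception text names the offending key, e.g.
    //   ... value was detected from the client (comment="<script>...").
    private static readonly Regex KeyPattern =
        new Regex(@"\((?<key>[^=()]+)=""", RegexOptions.Compiled);

    protected void Application_Error(object sender, EventArgs e)
    {
        // The validation exception may arrive wrapped in HttpUnhandledException.
        var ex = Server.GetLastError()?.GetBaseException() as HttpRequestValidationException;
        if (ex == null) return;   // leave every other error to the normal pipeline

        // Request.Unvalidated reads raw values without re-triggering validation.
        // Touching Request.Path, Request.Form or Request.Headers here would throw again.
        var raw = Request.Unvalidated;
        var key = KeyPattern.Match(ex.Message).Groups["key"].Value;
        var value = raw.Form[key] ?? raw.QueryString[key] ?? raw.Cookies[key]?.Value ?? string.Empty;

        // Only the length is logged, never the value, so a password or token that
        // tripped the filter never lands in the log. The flag tells the triager that
        // the field name looks like a credential (question 1 and the password case).
        bool looksSecret = key.IndexOf("pass", StringComparison.OrdinalIgnoreCase) >= 0
                        || key.IndexOf("token", StringComparison.OrdinalIgnoreCase) >= 0;

        // Method, path, IP, User-Agent and referer answer questions 2 and 4.
        Log.Warn(string.Format(
            "RequestValidation: method={0} path={1} key={2} len={3} secret={4} ip={5} ua=\"{6}\" referer=\"{7}\"",
            Request.HttpMethod, raw.Path, key, value.Length, looksSecret,
            Request.UserHostAddress, raw.Headers["User-Agent"], raw.Headers["Referer"]), this);

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.ContentType = "text/plain";
        Response.Write("Your submission contained characters the site cannot accept.");
        CompleteRequest();
    }
}
```

If a global HandleErrorAttribute filter is registered, it sees the exception before Application_Error does; the same logic can then live in an IExceptionFilter instead. The 400 response is deliberate: the request was rejected for what it contained, which is not a server fault, and the status code keeps these events out of your 500-rate alerts while the warning log line keeps them visible.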

The Most Concerning Variation: Form Values

Let's focus on this variation:

A potentially dangerous Request.Form value was detected

If you inspect the path by which this error is triggered, you may find that it corresponds with a custom form or a Sitecore form (via the path /formbuilder).

If you are seeing this error on a form path, it means that your site likely returned a 500 error response and that the form submission was not processed.

What if the form submission was a contact form? A lead generation form? A newsletter signup form?

Perhaps the most interesting example is a form with a password field. Presumably, users should be able to enter almost any character in a password field (including < and >). If you are seeing this error get triggered by a form value that looks like it could be a password, then one or more of the following may be true: someone can't log in, set their password, reset their password, or create an account.
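For a custom MVC form, the right fix is to exempt just the password field rather than switching validation off for the whole request. The following is an added example, not the author's code or Sitecore's; `IAccountService` is a hypothetical placeholder for whatever creates the account.

```csharp
// Custom MVC signup form (added example). Only the password field opts out of
// request validation; every other field stays protected.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

public class SignupModel
{
    [Required, EmailAddress]
    public string Email { get; set; }

    // [AllowHtml] exempts this one property from request validation. A password is
    // hashed on receipt and never rendered back into a page, so the XSS filter has
    // nothing to protect here, and users may type <, > or anything else.
    [AllowHtml]
    [Required, StringLength(128, MinimumLength = 12)]
    [DataType(DataType.Password)]
    public string Password { get; set; }

    // Free text that might be shown to other users stays under request validation.
    [StringLength(500)]
    public string Comment { get; set; }
}

// Hypothetical account service; not part of Sitecore or ASP.NET.
public interface IAccountService
{
    void Create(string email, string password);
}

public class SignupController : Controller
{
    private readonly IAccountService _accounts;

    public SignupController(IAccountService accounts)
    {
        _accounts = accounts;
    }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create(SignupModel model)
    {
        // Model binding has already run. Without [AllowHtml] on Password, a value
        // such as "p<ssword1!" would have raised HttpRequestValidationException before
        // this method was reached, and the user would have seen a 500.
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        _accounts.Create(model.Email, model.Password);
        return RedirectToAction("Welcome");
    }
}
```

`[ValidateInput(false)]` on the action is the blunt alternative; it disables the check for every field in that request, including the comment field that may be rendered to others. In Web Forms or a plain handler without model binding, the per-field equivalent is reading `Request.Unvalidated.Form["Password"]` for that single value.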

Conclusion

False positives on non-dangerous values can have brutal consequences: loss of data, loss of customer trust, and loss of revenue.

Adjust your WAF rules to reduce the noise from the malicious bots. Be thoughtful when composing your WAF rules so as to not block non-dangerous values. When the errors come in after those adjustments, take them seriously. They may be a sign of a larger issue.

Stay dangerous,

MG

