Environment:
IIS 8.5
.NET Framework Version: 4.6.2 (using WebForms)
Windows Server 2012 R2
Problem:
The following exception is being reported:
BASE EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
BASE EXCEPTION HRESUT: -2147467259
EXCEPTION: System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (?).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)
Other information shown in our logs:
PATH_INFO
/cities/index.aspx?locid=4163
----
QUERY_STRING
----
REMOTE_ADDR
66.249.65.204
----
REMOTE_HOST
66.249.65.204
----
REQUEST_METHOD
GET
----
SCRIPT_NAME
/cities/index.aspx?locid=4163
----
URL
/cities/index.aspx?locid=4163
----
HTTP_FROM
googlebot(at)googlebot.com
----
HTTP_USER_AGENT
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
What I do not understand is if I cut and paste the path in my browser, the page is rendered just fine and without error.
Questions:
- Why does googlebot, when crawling the page produce this error, yet no error is generated when I enter the path in a browser? (I do find it odd that the error log shows no value for the query string, even though it is present).
- Why is the "?" character considered potentially dangerous?
Any advice would be appreciated as I am trying to understand how this particular "error" is being raised when the path is in fact valid.
Thanks in advance.
Best Answer
From Asp.net 4.0+ introduced a strict validation, so what ever error you are seeing might be the part of it . there are certain dangerouss characters in the url which might cause XSS attack . so
?
is one among them. remaining characters are as follows:Probably there might be two solutions
you can allow these characters in your URL , or atleast certain character ,by configuring the following configuration in
web config
as follows<system.web> <httpRuntime requestPathInvalidCharacters="<,>,*,%,&,:,\,?" /> </system.web>
You can roll back to asp.net 2.0 , with the following configuration
<system.web> <httpRuntime requestValidationMode="2.0" /> </system.web>