Bypassing ASP .NET "ValidateRequest" for Script Injection Attacks
The Microsoft .NET framework comes with a request validation feature, configurable by the ValidateRequest setting. ValidateRequest has been a feature of ASP.NET since version 1.1. This feature consists of a series of filters, designed to prevent classic web input validation attacks such as HTML injection and XSS (Crosssite Scripting). This paper introduces script injection payloads that bypass ASP .NET web validation filters and also details the trial-and-error procedure that was followed to reverse-engineer such filters by analyzing .NET debug errors. It is worth noting that the techniques included in this paper are meant to be used when ValidateRequest is enabled, which is the default setting of ASP .NET. ValidateRequest can be enabled or disabled on a per-page basis or as an application-wide configuration.