Welcome to ShenZhenJia Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Is anybody aware of a list of exactly what triggers ASP.NET's HttpRequestValidationException? [This is behind the common error: "A potentially dangerous Request.Form value was detected," etc.]

I've checked here, around the Web, and the MSDN Library but can't find this documented. I'm aware of some ways to generate the error, but would like to have a complete list so I can guard against and selectively circumvent it (I know how to disable request validation for a page, but this isn't an option in this case).

Is it a case of "security through obscurity"?

Thanks.

[Note: Scripts won't load for me in IE8 (as described frequently in the Meta forum) so I won't be able to "Add comment."]

EDIT 1: Hi Oded, are you aware of a list that documents the conditions used to determine a "potentially malicious input string"? That's what I'm looking for.

EDIT 2: @Chris Pebble: Yeah, what you said. :)

1 Answer

I couldn't find a document outlining a conclusive list, but looking through Reflector and doing some analysis on use of HttpRequestValidationException, it looks like validation errors on the following can cause the request validation to fail:

  • A filename in one of the files POSTed to an upload.
  • The incoming request raw URL.
  • The value portion of the name/value pair from any of the incoming cookies.
  • The value portion of the name/value pair from any of the fields coming in through GET/POST.

The question, then, is "what qualifies one of these things as a dangerous input?" That seems to happen in an internal method, System.Web.CrossSiteScriptingValidation.IsDangerousString(string, out int), which looks like it decides this way:

  1. Look for < or & in the value. If it's not there, or if it's the last character in the value, then the value is OK.
  2. If the & character is in a &# sequence (e.g., &#160; for a non-breaking space), it's a "dangerous string."
  3. If the < character is part of <x (where "x" is any alphabetic character a-z), <!, </, or <?, it's a "dangerous string."
  4. Failing all of that, the value is OK.

The System.Web.CrossSiteScriptingValidation type seems to have other methods in it for determining if things are dangerous URLs or valid JavaScript IDs, but those don't appear, at least through Reflector analysis, to result in throwing HttpRequestValidationExceptions.
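To make the four rules above concrete, here is a stand-alone re-implementation of the decision procedure as the answer describes it. This is an added example, not the framework's own code and not code from the answer's author: it is one reading of the rules, written so the behaviour can be exercised against constructed sample values offline. Two assumptions beyond the text: every occurrence of < or & in the value is examined (not just the first), and the "letter after <" test accepts both upper- and lower-case ASCII letters.

```csharp
using System;
using System.Collections.Generic;

// Added example: re-implementation of the heuristic the answer attributes to
// System.Web.CrossSiteScriptingValidation.IsDangerousString. Not framework code.
static class RequestValidationDemo
{
    // Rule 1: only these two characters can start a "dangerous" sequence.
    private static readonly char[] Interesting = { '<', '&' };

    // Returns true when the value would be treated as "potentially dangerous"
    // under the answer's rules. matchIndex is the offset of the character that
    // triggered the decision (-1 when the value is OK), mirroring the "out int"
    // parameter the answer mentions.
    public static bool IsDangerousString(string s, out int matchIndex)
    {
        matchIndex = -1;
        if (string.IsNullOrEmpty(s)) return false;

        // Assumption: scan every occurrence, not only the first. An occurrence
        // in the last position has nothing after it and is OK (rule 1).
        for (int i = s.IndexOfAny(Interesting);
             i >= 0 && i < s.Length - 1;
             i = s.IndexOfAny(Interesting, i + 1))
        {
            char next = s[i + 1];

            // Rule 2: '&' immediately followed by '#' (numeric character reference).
            if (s[i] == '&' && next == '#')
            {
                matchIndex = i;
                return true;
            }

            // Rule 3: '<' followed by a letter, '!', '/' or '?'.
            // Assumption: letter test is case-insensitive (answer says "a-z").
            if (s[i] == '<' && (IsAsciiLetter(next) || next == '!' || next == '/' || next == '?'))
            {
                matchIndex = i;
                return true;
            }
        }

        // Rule 4: nothing matched, the value is OK.
        return false;
    }

    private static bool IsAsciiLetter(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    static void Main()
    {
        // Constructed sample values (not from the page) with the expected outcome.
        var samples = new List<string>
        {
            "hello world",             // ok: no '<' or '&'
            "5 < 6",                   // ok: '<' followed by a space
            "a < b && c",              // ok: '&' not followed by '#'
            "Tom & Jerry",             // ok
            "&amp;",                   // ok: named entity, not "&#"
            "x <",                     // ok: '<' is the last character
            "<3",                      // ok: '<' followed by a digit
            "&#160;",                  // DANGEROUS: rule 2
            "<b>bold</b>",             // DANGEROUS: rule 3, '<' + letter
            "<!-- comment -->",        // DANGEROUS: rule 3, "<!"
            "</div>",                  // DANGEROUS: rule 3, "</"
            "<?xml version=\"1.0\"?>", // DANGEROUS: rule 3, "<?"
        };

        foreach (var s in samples)
        {
            bool bad = IsDangerousString(s, out int at);
            string where = bad ? "@" + at : "  ";
            Console.WriteLine($"{(bad ? "DANGEROUS" : "ok       ")} {where}  {s}");
        }
    }
}
```

Running the sample list shows what the check does and does not cover: it rejects numeric character references and the start of a tag, comment, closing tag or processing instruction, but any value that contains neither of those sequences passes untouched. Request validation is therefore a coarse first filter, and the real defense for the pages where you selectively bypass it is to encode every value for the context (HTML body, attribute, URL, JavaScript) where it is rendered.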

