Question

I know this has been asked a LOT of times, but I am really struggling having tried a lot of different potential solutions.

I have a C# ASP.NET website page. There is a form on there with a submit button. All code is in the code-behind page.

We do not get any spam submitted through the form because I have a captcha element. Yet spam bots are scanning the page, getting the field names and posting straight to the page.

I only know this because I set the Application_Error to report any errors by email to me (in global.asax).

I have tried changing my field names - but they just pick up the new fields.

I have put <httpRuntime requestValidationMode="2.0" /> in the web.config.

In my page, I have EnableEventValidation="False"

But, as I said, the problem isn't allowing HTML in the post data, it's trying to stop spam bots from submitting DIRECTLY to the page. It's being triggered (I think) before the page even loads.

I'm running out of ideas here! I am blocking ip ranges every 10 minutes on our firewall. I cannot keep doing that!

Thanks for any help!


Solution

This is what you do: ignore it. Blocking IPs will just keep you running around in circles and is ultimately a waste of time.

If spam is not actually being submitted then you really don't have a problem. The framework is doing exactly what it is supposed to be doing.

Quite frankly, I wouldn't bother investigating an error message like that unless it was preventing an actual user from doing what they need to do.


If you really just want the errors to go away then you need to do the following:

  1. Set EnableEventValidation="true"
  2. Set ValidateRequest="false"

EnableEventValidation tells .NET to check whether the post came from clicking on a control that it had rendered. This should help prevent direct posts.

ValidateRequest tells .NET whether to test the inputs for HTML and other "dangerous" characters. Turning it off will stop your error message.


If you are simply trying to get spammers to stop hitting your site: close the site down. As that is the ONLY reliable way of keeping a spammer off of it.

OTHER TIPS

Have you tried a honeypot field?

Create an input field in your markup, but don't display it on the page. You can use css or other methods to hide it from users, as long as it still shows up in your page source.

Then, in your code-behind, check that the field is empty before processing anything. You know your real users can't see the field, or enter anything in it. Therefore if that field was filled in, you know that it was from a bot scanning your page, and you can ignore all the rest.

The idea is that spam bots can't resist filling in fields, but most aren't smart enough to determine if the field is actually visible in a browser, so you trick them into giving themselves away by filling in something they shouldn't.

FWIW, I've used this approach personally with decent success.


However, if ASP.NET is rejecting the submissions and causing an error, that's a different problem. Do you need legitimate users to be able to submit markup in the field? If you don't, the framework is actually doing the right thing by protecting your site. In that case, I would just check for that particular error in your Application_Error method and ignore it.
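The two ideas from the answers above (a honeypot field checked in the code-behind, and an Application_Error handler that ignores the request-validation error the bots trigger) put together in one Web Forms page, as an added example that is not code from the original question or answers. The control IDs (Website2, Name, Email, Message), the thanks page, the SendMessage and EmailError helpers and the page class name are assumptions made for illustration.

```csharp
// Added example, not from the original post. Two pieces: the page code-behind
// with a honeypot check, and the Application_Error filter from Global.asax.cs.
using System;
using System.Collections.Specialized;
using System.Web;
using System.Web.UI;

// ---- ContactForm.aspx.cs (assumed page name) ----
//
// Markup assumed for the honeypot (hidden with CSS, not type="hidden", so it
// still looks like a normal text field to a bot scraping the page source):
//   <asp:TextBox ID="Website2" runat="server" CssClass="hp" TabIndex="-1" AutoCompleteType="Disabled" />
//   <style>.hp { display: none; }</style>
public partial class ContactForm : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs for every postback, including a direct POST that never goes
        // through the submit button's click handler.
        if (IsPostBack && IsBotSubmission(Request.Form, Website2.UniqueID))
        {
            // Pretend success so the bot learns nothing from the response,
            // and stop the page lifecycle without ThreadAbortException.
            Response.Redirect("~/thanks.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
        }
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        SendMessage(Name.Text, Email.Text, Message.Text);   // assumed existing helper
        Response.Redirect("~/thanks.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }

    // Read the raw form collection rather than the control's .Text so a direct
    // POST is judged on exactly what was sent. The rendered field name is the
    // control's UniqueID (e.g. "ctl00$Main$Website2" inside a master page),
    // which is also the name a scraper picks up from the page source.
    internal static bool IsBotSubmission(NameValueCollection form, string honeypotFieldName)
    {
        string honeypot = form[honeypotFieldName];
        // A human cannot see the field, so anything in it came from a bot.
        return !string.IsNullOrWhiteSpace(honeypot);
    }

    private static void SendMessage(string name, string email, string message)
    {
        // Assumed: whatever the site already does with a legitimate submission.
    }
}

// ---- Global.asax.cs ----
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // Errors raised inside a page are wrapped by the pipeline; unwrap them.
        if (ex is HttpUnhandledException && ex.InnerException != null)
            ex = ex.InnerException;

        // This is the error the direct POSTs produce when request validation
        // sees "dangerous" input. Nothing was processed, so don't email it;
        // answer with a plain 400 and move on.
        if (ex is HttpRequestValidationException)
        {
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 400;
            CompleteRequest();
            return;
        }

        EmailError(ex);   // assumed: the existing email reporting from the question
    }

    private void EmailError(Exception ex)
    {
        // Assumed existing reporting code.
    }
}
```

Keeping ValidateRequest on and filtering the HttpRequestValidationException in Application_Error leaves the framework's protection in place while silencing the reports; the honeypot then drops the bot posts that pass validation before any of the form processing runs.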

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow