Question

I have tried using a Data URI with this CSS property:

background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAA9JREFUeNpiYGBg8AUIMAAAUgBOUWVeTwAAAABJRU5ErkJggg==");

And locally it works fine. However, when I am debugging, the file appears missing in Chrome. If I try to navigate to it, I get: A potentially dangerous Request.Path value was detected from the client (:).

So obviously my application considers the URI for this image suspicious.

How do I get it to show? I tried relaxing the validation using:

<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false"></pages>

Ideally I wouldn't want to relax the rules too much, only enough to get these data URI images loading.


Solution

I would bet that the application considers the request suspicious because of the Base-64 encoded URI. Encoding malicious URLs in Base-64 is a common strategy by attackers to get URLs through front end filters that strip and/or escape URLs, and to obscure the request from any humans reading the code. XSS attacks are commonly done by getting one of these URIs stored in a database and served back to other users.

Because of the high risks of XSS these days, I would hesitate to disable the check. If you can, just use a non-encoded URI. If you can't, you should ask yourself why. If you are trying to enhance security by obfuscating the URI, do know that this is very trivial for an attacker to decode. It is not any form of encryption, just a different way to represent data.
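A narrower alternative to relaxing request validation, added here as an example (not code from the question or answer): instead of letting any colon through, accept a data: URI only when it declares an image type and its decoded bytes really begin with that image format's signature. The IMAGE_SIGNATURES table and the check_data_uri function are assumptions of this example; the sample URI is the 1x1 PNG from the question.

```python
import base64
import re

# Constructed sample: the 1x1 PNG data URI quoted in the question above.
SAMPLE_PNG_URI = (
    "data:image/png;base64,"
    "iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJ"
    "bWFnZVJlYWR5ccllPAAAAA9JREFUeNpiYGBg8AUIMAAAUgBOUWVeTwAAAABJRU5ErkJggg=="
)

# Allowlist (assumption): the only media types we will let through, keyed to
# the leading bytes a genuine file of that type must start with.
IMAGE_SIGNATURES = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/gif": b"GIF8",
    "image/jpeg": b"\xff\xd8\xff",
}

# data:[<mediatype>][;param=value...][;base64],<data>  (RFC 2397 shape)
_DATA_URI = re.compile(
    r"^data:([\w.+-]+/[\w.+-]+)?((?:;[\w-]+=[^;,]*)*)(;base64)?,(.*)$", re.DOTALL
)


def check_data_uri(uri, max_bytes=64 * 1024):
    """Return (ok, reason, payload). ok is True only for an allowlisted image
    type whose base64 payload decodes cleanly and carries the right magic."""
    m = _DATA_URI.match(uri.strip())
    if not m:
        return False, "not a data: URI", b""
    mime, _params, is_b64, data = m.groups()
    mime = (mime or "text/plain").lower()          # RFC default when omitted
    if mime not in IMAGE_SIGNATURES:
        return False, "media type %s not allowed" % mime, b""
    if not is_b64:
        return False, "only base64 payloads are accepted", b""
    try:
        # validate=True rejects characters outside the base64 alphabet
        payload = base64.b64decode(data, validate=True)
    except ValueError:                              # binascii.Error subclasses it
        return False, "payload is not valid base64", b""
    if len(payload) > max_bytes:
        return False, "payload exceeds %d bytes" % max_bytes, b""
    if not payload.startswith(IMAGE_SIGNATURES[mime]):
        return False, "bytes do not match declared type %s" % mime, b""
    return True, "ok", payload


if __name__ == "__main__":
    print(check_data_uri(SAMPLE_PNG_URI)[:2])       # (True, 'ok')
```

Run at the point where user-supplied CSS or markup is stored, not on every request path, so the global validator can stay enabled.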

Licensed under: CC-BY-SA with attribution