"A validation error has occurred".... script attacks...
-
Hi all, On my website, I have a masterpage containing a textbox used for searching the site. The other day I checked my error logs to see hundreds of validation errors where someone/something is trying to inject HTML into my search textbox on just one of the pages. It is clearly some kind of bot, as when I removed the textbox briefly, the validation errors started up on another page containing a textbox. I have since added regular expression validators to my textboxes. However, I am still getting the validation errors in my logs every 3-4 minutes, making it frustratingly hard to find any other errors that I may have failed to catch and deal with. How is whatever is trawling the pages ignoring my validators? If it's got JavaScript disabled, then it can't submit the textbox as it's posting back, so that's not the answer? Any suggestions, anyone?
-
markymark82 wrote:
It is clearly some kind of bot
markymark82 wrote:
if it's got javascript disabled
A bot with JavaScript disabled? What are you talking about? A bot is going to be using HTTP POST, what does that have to do with JavaScript? Sounds like you need to look at some firewall or ISAPI filter products that are capable of interrupting bot intrusions. I don't keep up with that market so I don't really know what the current products are like.
-
The JavaScript reference was more for if something was being run through a browser, don't even know if it's possible as I've never had to deal with this before. I figured that if there is a validator associated with the control, surely it can't be posted back unless it meets validation requirements, else doesn't that negate the validator? Like I said, I've not had to deal with this before so my assumptions could be completely rubbish. Cheers for the idea though, I'll start looking into it.
-
Do you check for Page.IsValid on the server side?
-
Admittedly I'm not. Would I do that in the postback method, or in the page load method?
-
It depends on how your application works, I guess. Generally we end up with a 'Save' button on our pages, and we check it in the button click event, prior to processing whatever input we are given. It's a good idea to always perform this check, because (as you've found out) you can't rely on JS validation.
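The server-side check described in the reply above, as an added example that is not part of the original thread: a hypothetical ASP.NET Web Forms code-behind in which the control names (SearchBox, SearchButton, ResultsLabel), the class name and the allow-list pattern are all assumptions.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;

// Hypothetical code-behind. SearchBox (TextBox), SearchButton (Button) and
// ResultsLabel (Label) are assumed to be declared in the .aspx markup, with
// a RegularExpressionValidator attached to SearchBox.
public partial class SearchPage : Page
{
    // Constructed allow-list: letters, digits, spaces and a few punctuation
    // marks, 1 to 100 characters. Angle brackets and quotes never match.
    private static readonly Regex AllowedQuery =
        new Regex(@"^[\w\s\-\.']{1,100}$", RegexOptions.Compiled);

    protected void SearchButton_Click(object sender, EventArgs e)
    {
        // A client that sends the POST itself never runs the JavaScript half
        // of the validators. The server-side half has run by the time this
        // event fires (the button must have CausesValidation="true"), and
        // Page.IsValid carries its result. Reading Page.IsValid in Page_Load
        // throws unless Page.Validate() is called first, because validation
        // runs after Load and before control events.
        if (!Page.IsValid)
        {
            return; // reject quietly; the validators render their own messages
        }

        string query = SearchBox.Text.Trim();

        // Independent server-side check. A RegularExpressionValidator treats
        // an empty value as valid, so the {1,100} bound also rejects empty
        // input here.
        if (!AllowedQuery.IsMatch(query))
        {
            return;
        }

        // Encode on output so the search term is displayed as text and is
        // never interpreted as markup.
        ResultsLabel.Text = "Results for: " + HttpUtility.HtmlEncode(query);
    }
}
```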
-
Excellent, I'll try that and see how it goes. It sounds like the kind of fix I'm looking for, cheers for the replies. Mark
-
Ok, so I've added that to the click event of the posting button and also to the text_changed event of the offending textbox. But then I get another 3 attempts on it. How do I force the page to be loaded from the server rather than a cached version, and will that even work if the version being attacked is a cached version that doesn't have code in it to prevent caching? This is so frustrating, yet it has that feeling that it must be something simple. I've found the following code to put in the page load event, that I think I'd need in the master page:
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Will that make just the page always load from the server, or will all of the other objects on it (JS files, CSS, images etc.) be forced to load fresh as well? I'd like these to stay cacheable to reduce bandwidth. Thanks for all the help so far, much appreciated.
-
You can set up CAPTCHA to stop submissions by crawlers or automated scripts. Free .NET CAPTCHAs are available at http://recaptcha.net/plugins/aspnet/ The page also gives you examples of how to integrate this into your form. Good luck!
Ranjit Viswakumar Professional Services Specialist http://hostmysite.com/?utm_source=bb
-
Thanks very much, I really appreciate it. Mark