  1. Handle URI hacking gracefully in ASP.NET
<p>I've written an application that handles most exceptions gracefully, with the page's design intact and a pretty error message. My application catches them all in the <code>Page_Error</code> event and there adds the exception to <code>HttpContext.Current.Context.Items</code> and then does a <code>Server.Transfer</code> to an <code>Error.aspx</code> page. I find this to be the only viable solution in ASP.NET as there seems to be no other way to do it in a centralized and generic manner.</p>
<p>I also handle the <code>Application_Error</code> and there I do some inspection on the exception that occurred to find out if I can handle it gracefully or not. Exceptions I've found I can handle gracefully are those thrown after someone hacks the URI to contain characters the .NET framework considers dangerous or basically just illegal at the file system level.</p>
<p>Such URIs can look like e.g.:</p>
<ul>
<li><code>http://example.com/"illegal"</code></li>
<li><code>http://example.com/illegal"/</code></li>
<li><code>http://example.com/illegal /</code></li>
</ul>
<p>(Notice the space before the slash at the end of the last URI.)</p>
<p>I'd like these URIs to respond with a "404 Not Found" and a friendly message as well as not causing any error report to be sent to avoid DDoS attack vectors and such. I have, however, not found an elegant way to catch these types of errors. What I do now is inspect the <code>exception.TargetSite.Name</code> property, and if it's equal to <code>CheckInvalidPathChars</code>, <code>ValidatePath</code> or <code>CheckSuspiciousPhysicalPath</code>, I consider it a "path validation exception" and respond with a 404.</p>
<p>This seems like a hack, though. First, the list of method names is probably not complete in any way and second, there's the possibility that these method names get replaced or renamed down the line, which will cause my code to break.</p>
<p>Does anyone have an idea how I can handle this in a less hard-coded and much more future-proof way?</p>
<p>PS: I'm using <code>System.Web.Routing</code> in my application to have clean and sensible URIs, if that is of any importance to any given solution.</p>
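The check described in the question, written out as an added example that is not part of the original post. The class name `Global`, the helpers `IsPathValidationException` and `ReportError`, and the plain-text 404 body are assumptions; the three method names are the ones listed above, so the sketch keeps the same hard-coded dependency on framework internals.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Global.asax.cs sketch; class and helper names are hypothetical.
public class Global : HttpApplication
{
    // The three framework method names listed in the question.
    private static readonly HashSet<string> PathValidationMethods =
        new HashSet<string>(StringComparer.Ordinal)
        {
            "CheckInvalidPathChars",
            "ValidatePath",
            "CheckSuspiciousPhysicalPath"
        };

    // True when any exception in the chain was thrown from one of those methods.
    internal static bool IsPathValidationException(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            // TargetSite is null for an exception that was never thrown.
            if (e.TargetSite != null && PathValidationMethods.Contains(e.TargetSite.Name))
                return true;
        }
        return false;
    }

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception error = Server.GetLastError();
        if (error == null) return;

        if (IsPathValidationException(error))
        {
            // Malformed URI: answer 404 and skip the error report,
            // so junk requests cannot flood the reporting channel.
            Server.ClearError();
            Response.Clear();
            Response.StatusCode = 404;
            Response.TrySkipIisCustomErrors = true;
            Response.Write("Not Found"); // the friendly page would be rendered here
            return;
        }

        ReportError(error); // hypothetical reporting hook
    }

    private static void ReportError(Exception error) { /* hypothetical: mail or log */ }
}
```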
 
