Under the .NET Handler, querystring content is pre-filtered for potential cross-site scripting attacks. If it detects suspicious characters, it stops the request and we get a warning like this:
Unknown application error
A potentially dangerous Request.QueryString value was detected from the client.
It then echoes back the offending string. (e.g. "
Unfortunately, a number of security scanners (most notably QualysGuard) see that reflected payload string as a sign of a successful penetration. That results in a security report with dozens of pages flagged as vulnerable to XSS, which of course alarms our customers.
Is there any way to modify that filter behavior, either to prevent it from displaying the string, or to sanitize the dangerous characters?
--stein
That's actually coming from IIS, not from the handler - the request filtering module is part of the ASP.NET pipeline.
What is the actual response? That's a perfectly legal response to a failure, so if that's what the scanners are picking up, they're not doing their job. The text might be returned, but it's encoded, so there is no XSS potential.
+++ Rick ---
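Rick's point is that the reflection only matters if the string comes back unencoded. As an added example (not code from this thread or from ASP.NET), here is a small Python triage check for scanner findings: it tells an HTML-encoded reflection from a raw one, and also catches the partially encoded case. The sample response bodies are constructed to look like the ASP.NET error text, not captured from IIS.

```python
import html
import re

# Characters that must not be reflected literally into an HTML response.
META = set('<>"\'&')
ENTITY = re.compile(r'&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);')


def _match_at(body, pos, payload):
    """Match payload at body[pos:], letting each character appear either
    literally or as an HTML entity. Returns the list of metacharacters that
    were reflected literally, or None if the payload does not match here."""
    literal_meta = []
    i = pos
    for ch in payload:
        if body.startswith(ch, i):
            if ch in META:
                literal_meta.append(ch)
            i += 1
            continue
        m = ENTITY.match(body, i)
        if m and html.unescape(m.group(0)) == ch:
            i = m.end()
            continue
        return None
    return literal_meta


def classify_reflection(body, payload):
    """Return 'absent', 'encoded' or 'raw'.

    'raw' means some occurrence reflects at least one HTML metacharacter of
    the payload literally (the case a scanner should flag); 'encoded' means
    every occurrence has them entity-encoded, which is what the ASP.NET
    request validation error page does. A payload with no metacharacters
    can therefore never be classified 'raw'."""
    worst = 'absent'
    for pos in range(len(body)):
        literal_meta = _match_at(body, pos, payload)
        if literal_meta is None:
            continue
        if literal_meta:
            return 'raw'
        worst = 'encoded'
    return worst


# Constructed sample responses (hypothetical, not real server output).
PAYLOAD = '<script>alert(1)</script>'
ENCODED_PAGE = ('<html><body>A potentially dangerous Request.QueryString value '
                'was detected from the client (q="&lt;script&gt;alert(1)'
                '&lt;/script&gt;").</body></html>')
RAW_PAGE = ENCODED_PAGE.replace('&lt;script&gt;alert(1)&lt;/script&gt;', PAYLOAD)
PARTIAL_PAGE = ENCODED_PAGE.replace('&lt;/script&gt;', '</script>')
```

Feeding a scanner's probe string and the saved response body to classify_reflection separates the findings that need a fix from the ones that are just the encoded error page.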