System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client from a bot?

c# asp.net

17,056

Solution 1

One solution we had was to record these errors against the IP and block access at the application level if they submit too many.

It's not bomb proof but cut down the number we had. however it still involves engineering and processing but saves you having to faff with IIS.

However there's really little you can do. They will spam your form and blocking the IP is only a short term solution, they will hit you from multiple IP etc. Just make sure your validation is tight and you're not susceptible to things like injection attacks and ignore it, it's a fact of life these days.

We regularly get hit like this, especially from places like China.

Solution 2

In the web.config file, within the tags, insert the httpRuntime element with the attribute requestValidationMode="2.0".

Example:

<configuration>
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
</configuration>

Solution 3

You can try another solution. It will redirect your page to default url (please set the page in defaultRedirect=" ") whenever such kind of errors occur.

<system.web>
    <customErrors mode="On" defaultRedirect="~/Home/Index"/>
</system.web>

So the bot will no longer be able to spam your inbox or other problems it is creating now!

Solution 4

this worked for me. I was able to remove the error by adding in the web.config file:

<httpRuntime requestValidationMode="2.0" />

The entire code:

<httpRuntime requestValidationMode="2.0" maxRequestLength="102400" />
<compilation debug="true" strict="false" explicit="true" targetFramework="4.0">

I hope this helps.

View more solutions

17,056

Paritosh

Updated on September 16, 2022

Comments

Paritosh over 1 year
We have a web application which has a search form, users are allowed to enter in some text and we limit the results based on what they enter. recently we started receiving the following error:
```
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$ContentPlaceHolder1$results_search="...967.hcpm, <a href="http://www....").
```
This error is happening throughout the day, everyday, which seems to be coming from a bot, looking at the error seems like the bot is placing html ahref links into the search field and trying to search, resulting in the error.

After searching around I see there are two ways in which we can handle this, either use Jquery or turn validateRequest to false and then use htmlencode in the code behind page. Does anyone know if the jquery code will work on a bot? I'm not sure how the bot is doing this, if it's hitting the page and clicking the button or sending a request some other way, as the button click is what causes the postback to trigger search, we use POST so nothing is send via url to the search page, the page just posts back to itself and on PostBack is when the search is done.
- Tim M. over 11 years
  
  Just ignore or block the bot? Why would you consider disabling validation (perhaps I'm missing something)?
- lboshuizen over 11 years
  
  disable validateRequest will end adding lines to your log and give the bot more freedom. Not what i call a win-win.