I've found that request validation was not working on my PC, which meant it was behaving differently to our live web servers. After some experimentation it seems Glimpse is the cause (the version with Glimpse has not yet gone live, which is why the live servers were working normally).
e.g. this malicious URL:
http://website/?foo=<script>
...should cause the following error:
A potentially dangerous Request.QueryString value was detected from the client (foo="<script>").
However once Glimpse is registered in web.config "modules" section, the request validation doesn't happen (even when Glimpse is turned off), leaving the website open to cross site scripting attacks (XSS).
If I remove the line which registers Glimpse, then request validation immediately works normally. In IIS 7.5 this is as follows:
<system.webServer>
  <modules>
    <add name="Glimpse" type="Glimpse.AspNet.HttpModule, Glimpse.AspNet" preCondition="integratedMode" />
  </modules>
</system.webServer>
Is there a way I can fix this, or is this a bug in Glimpse?
Update 1:
I've now verified the problem happens if I do a fresh install of Glimpse into an unrelated project (running ASP.NET 4.5.1), so it is not an incompatibility with the original project. I did not change any settings, I simply installed it from NuGet and the problem was immediately apparent.
I've also noticed that if I turn Glimpse off by setting <glimpse defaultRuntimePolicy="Off" /> in Web.config, then request validation kicks in as normal.
The way that request validation works in ASP.NET is that the input is validated and an exception thrown only for the first call to Request.RawUrl, Request.QueryString, and so on. Glimpse looks up the query string early on in the request (from RequestMetadata.get_RequestIsAjax) and swallows the exception, so future calls to Request.QueryString in the same request context will not be validated.
FWIW, the ASP.NET team has disowned request validation. See https://learn.microsoft.com/en-us/aspnet/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet-and-what-to-do-instead#validation for more information.
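As an added illustration (not Glimpse's code, and not written by the answerer), here is a minimal IHttpModule that contrasts the swallowed-exception pattern described above with an early read that leaves lazy request validation intact. It assumes .NET 4.5 or later, where HttpRequest.Unvalidated is available; the module and method names are invented for the example.

```csharp
using System;
using System.Web;

// Hypothetical module (example only) that needs to inspect the query string
// during BeginRequest, as a diagnostics module like Glimpse might.
public class EarlyQueryStringModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.BeginRequest += (sender, e) =>
        {
            HttpRequest request = ((HttpApplication)sender).Request;

            // Use the safe read so the page's own Request.QueryString
            // access later in the pipeline is still validated.
            string foo = ReadQueryValueSafely(request, "foo");
            // Use foo for diagnostics only; never echo it into the response.
        };
    }

    // Failure mode from the answer above: the first Request.QueryString access
    // performs validation and marks the collection as validated BEFORE the
    // exception propagates. Catching it here means every later access in the
    // same request returns the raw "<script>" value with no error.
    public static string ReadQueryValueUnsafely(HttpRequest request, string key)
    {
        try
        {
            return request.QueryString[key];
        }
        catch (HttpRequestValidationException)
        {
            return null; // validation has now been silently disabled
        }
    }

    // Safe alternative: Request.Unvalidated returns the raw values without
    // consuming the one-time validation, so a later Request.QueryString
    // access by the page still throws HttpRequestValidationException.
    public static string ReadQueryValueSafely(HttpRequest request, string key)
    {
        return request.Unvalidated.QueryString[key];
    }

    public void Dispose() { }
}
```

Register the module under system.webServer/modules in the same way as the Glimpse entry in the question; with the safe read in place, the http://website/?foo=<script> request still produces the "potentially dangerous Request.QueryString value" error.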