How to protect your ASP.NET website from attacks on the Web Forms.

ASP.NET Web Forms Protection

If you are running an ASP.NET website, you may observe thousands of events like the one below in your Application event log:


HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client


Event code: 3003 
Event message: A validation error has occurred. 
Event time: 7/7/2015 2:11:00 PM 
Event time (UTC): 7/7/2015 8:11:00 PM 
Event ID: 921367d8836241a483053a587c3bdcd9 
Event sequence: 6877 
Event occurrence: 2 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/1/ROOT-6-000000000000000000
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\inetpub\wwwroot\website.com\ 
    Machine name: xxxxxxxxxxxxx 
 
Process information: 
    Process ID: 3276 
    Process name: w3wp.exe 
    Account name: IIS APPPOOL\Classic .NET AppPool 
 
Exception information: 
    Exception type: HttpRequestValidationException 
    Exception message: A potentially dangerous Request.Form value was detected from the client (?????????????????????? [SKIPPED]. 
 
Request information: 
    Request URL: http://website.com/index.aspx
    Request path: /index.aspx
    User host address: 5.136.158.160 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: IIS APPPOOL\Classic .NET AppPool 
 
Thread information: 
    Thread ID: 22 
    Thread account name: IIS APPPOOL\Classic .NET AppPool 
    Is impersonating: False 
    Stack trace:    at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_HasForm()
   at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.index_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
	

Your server access logs may contain thousands of lines like those below:


202.225.1.16	2015-06-28 18:58:48 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
202.225.1.16	2015-06-28 20:00:34 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:01:19 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:01:35 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:32:18 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:32:49 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 21:00:35 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
202.225.1.16	2015-06-28 21:02:13 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
202.225.1.16	2015-06-28 21:02:43 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 21:02:59 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 21:03:38 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
	

This means that someone is trying to get access to your server by attacking ASP.NET websites hosted on the machine. Even if you have all updates and patches installed, the server may still be at risk.

Somewhat less important, but still significant: these hacking attempts abuse your server resources, including CPU, RAM, bandwidth and even free disk space (the logs may grow enormously).

RdpGuard may help you stop these hacking attempts and protect your Windows Web Server by blocking attackers' IP addresses.

For Windows Vista/7/8/8.1/10/11 and Windows Server 2008/2012/2016/2019/2022


To Enable ASP.NET Web Forms Protection

Start RdpGuard Dashboard and click on the link next to Web Forms


The ASP.NET Web Forms Protection Dialog will open:


Tick the Enable ASP.NET web forms protection checkbox and click Save


Custom Rules for ASP.NET Web Forms Protection

To protect ASP.NET web forms, RdpGuard monitors the Application event log for events with ID 1309. These events are written to the log each time .NET detects an error in a web application. Sometimes these errors indicate intrusion attempts, and RdpGuard helps you block the IP addresses behind these attempts.

By default RdpGuard processes 1309 Events that match the following criteria:

  • Event code: is 3003
  • Exception type: is HttpRequestValidationException
OR
  • Event code: is 3005
  • Exception type: is HttpException
  • Exception message: contains ValidateInputIfRequiredByConfig

You may want to extend these rules to process more events that match your specific use cases and setups. Starting from version 7.8.7, RdpGuard offers this possibility.

You may now override the standard detection rules to include more events for processing. Please check the rule syntax below.

Detection rules are based on the Event Data content of the events with ID 1309.

The Event Data section for event ID 1309 looks like below:

[Image: XML for Event ID 1309]

You may define custom rules to match specific Data fields in the EventData section.

Each Data field can be referenced by its index number, like EventData1, EventData2 .. EventDataN

The rules are sets of key-value pairs with wildcard support. Each rule must start on a new line.

Syntax:

key[equality-operator]value,key[equality-operator]value
key[equality-operator]value,key[equality-operator]value
			
Supported equality operators are: = (equal) and != (not equal)

For example:

EventData1=3003,EventData18=HttpRequestValidationException
EventData1=3005,EventData18=HttpException,EventData19=*ValidateInputIfRequiredByConfig*
			
If the event details match any of the rules, the event is included in further processing, i.e. the OR operator applies to the rules.

A rule may contain any number of conditions separated by commas. The event matches the rule if all conditions match, i.e. the AND operator applies to the conditions within a rule.

So, the example above will be interpreted as: include the event if (EventData1 equals 3003 and EventData18 equals HttpRequestValidationException) OR (EventData1 equals 3005 and EventData18 equals HttpException and EventData19 contains ValidateInputIfRequiredByConfig).
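
To dry-run a rule set against exported 1309 events before saving it, the OR/AND semantics described above can be reproduced in a few lines. This is an added example, not RdpGuard's own code: the function names are hypothetical, the sample event XML is constructed, and it assumes that `*` is the only wildcard, that comparison is case-sensitive, that values contain no commas, and that a missing Data field compares as empty.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
COND = re.compile(r"EventData(\d+)(!=|=)(.*)")

PAGE_RULES = """\
EventData1=3003,EventData18=HttpRequestValidationException
EventData1=3005,EventData18=HttpException,EventData19=*ValidateInputIfRequiredByConfig*
"""  # the two example rules shown on this page

def parse_rules(text):
    """One rule per non-empty line; a rule is a list of (index, operator, pattern)."""
    rules = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        conds = []
        for part in line.split(","):  # assumption: values contain no commas
            m = COND.fullmatch(part.strip())
            if m is None:
                raise ValueError(f"bad condition: {part!r}")
            conds.append((int(m.group(1)), m.group(2), m.group(3)))
        rules.append(conds)
    return rules

def wildcard_match(pattern, value):
    """Assumption: '*' is the only wildcard and comparison is case-sensitive."""
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))
    return re.fullmatch(rx, value, re.DOTALL) is not None

def event_data(xml_text):
    """Return the <Data> values of an event as a list; EventData1 is item 0."""
    root = ET.fromstring(xml_text)
    return [d.text or "" for d in root.findall("e:EventData/e:Data", NS)]

def matches(rules, data):
    """OR across rules, AND across the conditions inside one rule."""
    def ok(idx, op, pat):
        value = data[idx - 1] if 0 < idx <= len(data) else ""  # missing field = empty
        return wildcard_match(pat, value) == (op == "=")
    return any(all(ok(*c) for c in rule) for rule in rules)

def sample_event(fields, count=20):
    """Constructed sample: event XML with `count` Data fields, mostly empty."""
    data = "".join(f"<Data>{fields.get(i, '')}</Data>" for i in range(1, count + 1))
    return f'<Event xmlns="{NS["e"]}"><EventData>{data}</EventData></Event>'

if __name__ == "__main__":
    hit = sample_event({1: "3003", 18: "HttpRequestValidationException"})
    print(matches(parse_rules(PAGE_RULES), event_data(hit)))
```

Real events can be fed to `event_data` one at a time after exporting them as XML from the Application log.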
