How to protect your ASP.NET website from attacks on the Web Forms.
RdpGuard
Intrusion prevention system for your Windows Server
Follow:
Like:
Share:

ASP.NET Web Forms Protection

If you are running ASP.NET website, you may observe the thousands of the following events in the Application event log:

Validation error, dangerous Request.Form

Attacks on ASP.NET Web Forms

HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client


Event code: 3003 
Event message: A validation error has occurred. 
Event time: 7/7/2015 2:11:00 PM 
Event time (UTC): 7/7/2015 8:11:00 PM 
Event ID: 921367d8836241a483053a587c3bdcd9 
Event sequence: 6877 
Event occurrence: 2 
Event detail code: 0 
 
Application information: 
    Application domain: /LM/W3SVC/1/ROOT-6-000000000000000000
    Trust level: Full 
    Application Virtual Path: / 
    Application Path: C:\inetpub\wwwroot\website.com\ 
    Machine name: xxxxxxxxxxxxx 
 
Process information: 
    Process ID: 3276 
    Process name: w3wp.exe 
    Account name: IIS APPPOOL\Classic .NET AppPool 
 
Exception information: 
    Exception type: HttpRequestValidationException 
    Exception message: A potentially dangerous Request.Form value was detected from the client (�����楛�䛍��������Ö����� [SKIPPED]. 
 
Request information: 
    Request URL: http://website.com/index.aspx
    Request path: /index.aspx
    User host address: 5.136.158.160 
    User:  
    Is authenticated: False 
    Authentication Type:  
    Thread account name: IIS APPPOOL\Classic .NET AppPool 
 
Thread information: 
    Thread ID: 22 
    Thread account name: IIS APPPOOL\Classic .NET AppPool 
    Is impersonating: False 
    Stack trace:    at System.Web.HttpRequest.ValidateString(String s, String valueName, String collectionName)
   at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, String collectionName)
   at System.Web.HttpRequest.get_Form()
   at System.Web.HttpRequest.get_HasForm()
   at System.Web.UI.Page.GetCollectionBasedOnMethod(Boolean dontReturnNull)
   at System.Web.UI.Page.DeterminePostBackMode()
   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
   at System.Web.UI.Page.ProcessRequest()
   at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context)
   at System.Web.UI.Page.ProcessRequest(HttpContext context)
   at ASP.index_aspx.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
	

Your server access logs may contain thousands of lines like below:


202.225.1.16	2015-06-28 18:58:48 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
202.225.1.16	2015-06-28 20:00:34 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:01:19 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:01:35 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:32:18 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 20:32:49 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 21:00:35 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
202.225.1.16	2015-06-28 21:02:13 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
202.225.1.16	2015-06-28 21:02:43 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 21:02:59 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 200 11852
202.225.1.16	2015-06-28 21:03:38 POST / - -  HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.1;+WOW64;+Trident/7.0;+SLCC2;+.NET+CLR+2.0.50727;+.NET4.0C;+.NET4.0E) - 500 3245
	

This means that someone is trying to get access to your server via asp.net web forms vulnerability. Even if you have all updates and patches installed, the server may still be at risk.

Somewhat less important, but still significant, these hacking attempts abuse your server resources - CPU, RAM, Bandwidth and even the free disk space (the logs may grow enormously).

RdpGuard will help you to stop these hacking attempts and protect your Windows Web Server.

For Windows XP, Vista, 7, 8, 8.1, 10 and Windows Server 2003 (R2), 2008 (R2), 2012 (R2), 2016


To Enable ASP.NET Web Forms Protection

1. Click Tools, Options and open the Monitoring tab:

tools-options

Click Tools, Options

2. Check Enable ASP.NET Web Forms protection

monitoring-options

RdpGuard Monitoring Options

4. Click Save. RdpGuard service will be restarted.

RdpGuard 4.2.5 Free Trial

RdpGuard protects:

Social Connection
RdpGuard Logo
 
People like RdpGuard!
Our Other Products
FastGlacier
Windows Client for Amazon Glacier - new low-cost storage for data archiving and backup.
Copyright © 2012-2017 NetSDK Software, LLC. All rights reserved.  Terms of Use.  Privacy Policy.