
Request validation for JSON request


Hi,

I did some testing and some research, and it seems like any jQuery ajax JSON request that contains suspicious data is not being caught by ASP.NET MVC request validation.

I looked into creating custom request validation, as outlined in the Security Extensibility in ASP.NET 4 (http://go.microsoft.com/fwlink/?LinkId=243046). According to the section titled 'changes to what request validation checks for', the following HTTP request values are automatically checked:

  • All query-string values.
  • The values of all form variables.
  • The values of all cookies.
  • The names of files (if any) contained in Request.Files.
  • The values of Request.RawUrl, Request.Path, and Request.PathInfo.

It goes on to say:

In addition, ASP.NET 4 passes the raw values of all HTTP headers to any custom request validation implementations (see the next section), although by default ASP.NET itself does not perform any additional checks on those values.

This matches what I found when I extended the RequestValidator class and put breakpoints in my override of IsValidRequestString; for a given request, my breakpoint was hit multiple times but at no point did I see my JSON request's (HTTP POST) payload.

Is there a way to extend ASP.NET request validation to check for suspicious looking JSON in an ajax request?

Thanks,

Notre
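
The observation in the post can be reproduced without a debugger by a validator that records which request sources ASP.NET hands to `IsValidRequestString`. This is an added example, not code from the original post; the namespace and class name are hypothetical, and it assumes the validator is registered through the `requestValidationType` attribute of `<httpRuntime>` in web.config.

```csharp
using System.Diagnostics;
using System.Web;
using System.Web.Util;

// Hypothetical namespace and class name (not from the original post).
// Assumed registration in web.config:
//   <httpRuntime requestValidationType="Diagnostics.SourceLoggingRequestValidator" />
namespace Diagnostics
{
    public class SourceLoggingRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Content-Type makes the JSON POST easy to pick out in the trace.
            string contentType = context != null
                ? context.Request.ContentType
                : "(no context)";

            // Record where the value came from (QueryString, Form, Cookies,
            // Files, RawUrl, Path, PathInfo or Headers) and its length.
            // The value itself is not written out, because headers and
            // cookies can carry credentials that should not land in logs.
            Trace.WriteLine(string.Format(
                "request validation: source={0} key={1} length={2} content-type={3}",
                requestValidationSource,
                collectionKey ?? "(none)",
                value == null ? 0 : value.Length,
                contentType));

            // Leave the accept/reject decision to the built-in checks so the
            // application behaves exactly as it did before.
            return base.IsValidRequestString(
                context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}
```

`RequestValidationSource` has no member for the request body, so a JSON POST shows up in this trace only through its URL, headers and cookies.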

