Developer forum

Forum » CMS - Standard features » More information about IP bans

More information about IP bans

Adrian Ursu Dynamicweb Employee
Adrian Ursu
Reply

hi guys,

I have a situation on a project where we see a lot of security bans.

The message we see is this:

2021-02-11 17:28:36.005: A potentially dangerous Request.Path value was detected from the client (<).
System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (<).
at System.Web.HttpRequest.ValidateInputIfRequiredByConfig()
at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

My concern is that we have been implemented something wrong in the interface causing a lot of posts with unsafe characters.

Is there a way I can figure out the origin of these requests? The information in the log is not giving enough information to track it down.

Thank you,

Adrian


Replies

 
Nicolai Pedersen
Reply

Hi Adrian

Latest version, 9.10 - maybe also 9.9, includes better info on reason and url. See dump.

Screenshot_2021-02-11_172014.JPG
 
Nicolai Pedersen
Reply

From monitoring/event viewer!

 
Adrian Ursu Dynamicweb Employee
Adrian Ursu
Reply

AWESOME!

Thank you very much.

I am running on 9.8.8 on this particular solution.

I will have to prioritize upgrade in this situation.

Thank you,

Adrian

 
Adrian Ursu Dynamicweb Employee
Adrian Ursu
Reply

Until I majke the upgrade,

Any idea why I would get this type of ban:

86.122.27.154;2021-02-12T10:20:39;Form BAN: 
Bad form (HTTP_USER_AGENT is empty); 
Bad form (HTTP_REFERER is empty); 
Bad form (SessionID has changed between form rendering and submit - FormCH1_s); 
Bad form (Session field FormCH1_h not updated by script); 
Bad form (IP has changed from form rendering until submit - FormCH1_i); 
Bad form (missing timestamp field - ts); 
Bad form (Hidden email field (email) altered to ); 

?

This seems to occur sometimes on Login or Impersonation. I would assume the message means that one of the issues mentioned is the cause for the ban and not all of them, right?

Thank you,

Adrian

 
Nicolai Pedersen
Reply

When you submit a form with one of the 3 form antispam options enabled (https://doc.dynamicweb.com/documentation-9/platform/advanced-settings/web-and-http#3518) the form is required to have the hidden system fields on them.

This happens for create user, submit a form (forms for editors, forms for data list, item creator) and commenting. Each of these templates have a string containing markup for the hidden fields. If they are not present or if they are not posted with the forms (i.e. when you use javascript or something like that), the fields are missing and the antispam test fails. That is what you see. 

It could be the post of one of your forms - login or impersonation, on a paragraph with the usermanagement app. 

 
Adrian Ursu Dynamicweb Employee
Adrian Ursu
Reply

Hi Nicolai,

Thank you.

I will investigate further now that I know what to look for.

Thank you,
Adrian

 

You must be logged in to post in the forum