Potentially dangerous Request.Form in WSFederationAuthenticationModule.IsSignInResponse

Question

In my MVC3 site I've avoided setting requestValidationMode="2.0" with the new ValidateInput attribute, but now I'm trying to switch to WIF for authentication, and when the STS redirects back to my site, I'm getting the exception because WSFederationAuthenticationModule.IsSignInResponse is calling Request.Form instead of Request.Unvalidated().Form ... is there any way to deal with this without going to requestValidationMode="2.0" (which I really don't want to do).

Here's the stack trace, so you can see what I mean. My Controller's method never really gets called.

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +114
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +21
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +121
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +78
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

score 12 · Accepted Answer · answered Mar 27 '11 at 00:13

12

The correct way of dealing with this is to add specific validator to the HttpRuntime, that knows how to detect valid security tokens.

Look at any of the examples here: http://claimsid.codeplex.com/releases/view/62929

Here's an excerpt from one of those (sample #5 t be specific which is also an MVC app):

namespace FShipping
{
    using System;
    using System.Web;
    using System.Web.Util;
    using Microsoft.IdentityModel.Protocols.WSFederation;

    public class WsFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;
            if (requestValidationSource == RequestValidationSource.Form &&
                collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                if (WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage != null)
                {
                    return true;
                }
            }

            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}

Here's the config:

<system.web> 
...   
   <httpRuntime requestValidationType="FShipping.WsFederationRequestValidator" />
</system.web>

answered Mar 27 '11 at 00:13

Eugenio Pace

14,094
1
34
43

1

@Euginio: Thanks for that, that information was apparently added in the [August 2, 2010 release of the "Claims Identity Guide" book](http://claimsid.codeplex.com/releases/view/50000). Will this be in official docs anytime soon? [MSDN](http://www.google.com/search?q=%2BWIF+%2BRequestValidator+site%3Amsdn.microsoft.com+-site%3Asocial.msdn.microsoft.com) and [TechNet](http://www.google.com/search?q=%2BWIF+%2BRequestValidator+site%3Atechnet.microsoft.com+-site%3Asocial.technet.microsoft.com) don't mention this at all. An update of the WIF Known Issues page seems in order, at the very least. – MarnixKlooster ReinstateMonica Mar 27 '11 at 05:55
This looks like a cleaner solution than what I had come up with, which was to set validation to 2.0 and use similar code to that snippet in Global.asax.cs Application_BeginRequest to call Request.ValidateInput() in all cases except the logon postback. – Jaykul Mar 27 '11 at 17:14
@Marnix: the first edition of the "claims identity book" is available as a free download from here: http://msdn.microsoft.com/en-us/library/ff423674.aspx The content on CodePlex (claimsid.codeplex.com) are all drafts of the 2nd edition which will be published in the next couple months. Glad to know that it worked fine! I'll ping the WIF folks so they update their docs. – Eugenio Pace Mar 27 '11 at 17:40
I'm having this problem too, but these don't fix it. Has this changed in the last six months? My custom validator is not being invoked. Is there a way to troubleshoot this? – Code Silverback Sep 30 '11 at 16:17
Did you add the proper config in web.config? – Eugenio Pace Oct 01 '11 at 21:49
1

You know, it's a real shame that validator doesn't ship in binary form instead of as a sample. :-/ – Jaykul Feb 23 '12 at 03:50
The NuGet package [WifRequestValidator](http://www.nuget.org/packages/WifRequestValidator/) implements this solution. – McX May 29 '14 at 10:46

score 2 · Answer 2 · answered Mar 26 '11 at 17:55

I think we also observed this same error at some point, but if I remember correctly that was in some experimental or test scaffolding code, so we didn't have a strict security requirement there.

The official information I could find is that this is a known issue in WIF: see the "ASP.NET Detects Passive Federation Tokens as Potential Security Attack" section at the beginning of the WIF Known Issues page. They say there to set validateRequest="false" in web.config, or the equivalent ASP.NET Page directive for doing this at page level.

So you could try setting this only in a Page directive on the 'home page' of your application, I'm not sure but that might work.

Note that they don't talk about requestValidationMode="2.0" on the WIF Known Issues page, but judging from this TechNet wiki page this additional setting is necessary for ASP.NET 4.

Hey, thanks for the link to the known issues -- it looks like WIF's just not adapted to the MVC3 and didn't have access to Validation.Unvalidated http://msdn.microsoft.com/en-us/library/system.web.helpers.validation.unvalidated%28v=vs.99%29.aspx (I'll mark this as the answer if nobody can actually give me a work around, but it makes me very sad). — Jaykul, Mar 26 '11 at 18:50

Potentially dangerous Request.Form in WSFederationAuthenticationModule.IsSignInResponse

2 Answers2

Linked