Due to the presence of characters that are known to be used in attacks using Cross Site Scripting, access is denied

Can someone tell me where the HTTP error message comes from:

Due to the presence of characters that are known to be used in attacks on Cross Site Scripting scripts, access is denied. This website does not allow Urls, which may include embedded HTML tags.

We use dynamically generated URLs, and in this particular case the URL contains the characters '<' or '>'. We URL-encode the generated URL (so "%3C" appears instead of "<"), but that doesn't help.

Our setup is ASP.NET MVC / IIS 7.5 / IE8.

Strangely, the error seems to appear only on some machines, so it may be that IE's Internet zone settings play a role.

+8
internet-explorer-8 asp.net-mvc
2 answers

You are probably using a third-party plugin, such as SiteMinder, that tries to “protect” your site from XSS attacks by rejecting HTML-encoded URLs in them.

If the error appears only on some machines and not on others, check which plugins are installed on these machines. Remove them until you find the culprit (then reinstall the rest). Try customizing this plugin to allow URLs.

Think about whether you really need plugins or not. If some servers have them and others do not, you might be better off without them.

+8

As Konerak says, if you use SiteMinder, then it will return 403 and provide you with this message to prevent cross-site scripting attacks.

This solution may not be acceptable if you are working with an external site, but the easiest way to avoid this problem is to edit the LocalConfig.conf file to disable XSS checking.

This parameter is:

CSSChecking="NO"

And the file lives here:

Program Files\netegrity\webagent\bin\IIS\LocalConfig.conf

+2
