ASP.NET ValidateRequest does not mitigate XSS completely

As a security guy, I can safely say that there is no magic bullet that completely mitigates any security problem, and cross-site scripting (XSS) bugs are no exception. Since ASP.NET 1.1, ValidateRequest can be configured in web.config to check and reject dangerous inputs, and an HttpRequestValidationException is thrown before the input is even processed by your code. For…


What is the maximum size of post requests to IIS?

ASP applications are protected, but what happens to non-ASP requests? Currently, there is no limit. MaxRequestEntityAllowed is currently not set, but ASPMaxRequestEntityAllowed is set to 200k. ASP is simply a type of ISAPI, so obviously, the more restrictive of the two will apply for ASP.

MaxRequestEntityAllowed: http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_maxrequestentityallowed.asp

ASPMaxRequestEntityAllowed: http://msdn.microsoft.com/library/en-us/iissdk/iis/ref_mb_aspmaxrequestentityallowed.asp

Check out C:\WINDOWS\system32\inetsrv\MetaBase.xml for the values…
