This is driving me crazy. I have a web app that is a mixture of ASP.NET MVC 3 and Classic ASP. The Classic ASP code is very old and doesn't really do much to prevent Cross-Site Scripting or any other vulnerability. In an effort to add a bit of security to the Classic ASP pages I created an IIS module that will intercept the HTTP request before it is processed by Classic ASP and triggers the ASP.NET validation of the request. Here it is:
public class RequestValidationModule : IHttpModule
{
public void Dispose()
{
}
public void Init(HttpApplication context)
{
context.PreRequestHandlerExecute += new EventHandler(context_PreRequestHandlerExecute);
}
void context_PreRequestHandlerExecute(object sender, EventArgs e)
{
var context = HttpContext.Current;
if (context != null)
{
var request = context.Request;
if (request != null)
{
string path = request.CurrentExecutionFilePathExtension;
if(string.Equals(path, ".asp", StringComparison.OrdinalIgnoreCase))
{
//access request collections to trigger request validation
var form = request.Form;
var qs = request.QueryString;
var c = request.Cookies;
var h = request.Headers;
}
}
}
}
}
This module works beautifully. However, if a valid request is sent, the object Request.Form in the Classic ASP code is always empty! I'm not able to get any of the values submitted in the form (or querystring). As soon as I remove the Module from the web.config the request.form is populated again.
This is an ASP.NET MVC 3 app running in IIS 7.5 integrated mode. All the asp pages are in a directory inside the MVC 3 app.