You are currently offline, waiting for your internet to reconnect

How to programmatically test for canonicalization issues with ASP.NET

This article describes how to add safeguards to an ASP.NET application to help protect against common canonicalization issues.

What is canonicalization?

Canonicalization is the process that determines how various equivalent forms of a name are resolved to a single standard name. The single standard name is also known as the canonical name. For example, on a specific computer, the names c:\dir\test.dat, test.dat, and ..\..\test.dat might all refer to the same file. Canonicalization is the process that maps such names to a name that is similar to c:\dir\test.dat.

When a URL is received by a Web server, the server maps the request to a file system path that determines the response. The canonicalization routine that is used to map the request must correctly parse the URL to avoid serving or processing unexpected content. For more information about canonicalization, visit the following Microsoft Web site: We recommend that you use best practices to help safeguard your applications. For additional information, see the following section.

Adding additional canonicalization safeguards to your Web application

Microsoft ASP.NET developers can add more checks to help reduce canonicalization issues for a Web application by adding an Application_BeginRequest event handler in their Global.asax file that is stored in the root directory of the Web application. This event handler executes for each Web request. You can add code to this event handler to help safeguard against canonicalization issues.

Code sample

The following code samples demonstrate how to add an Application_BeginRequest event handler to a Global.asax file. This event handler helps prevent invalid characters and malformed URLs by performing path verifications. Therefore, you can avoid common canonicalization issues.

Global.asax code sample (Visual Basic .NET)

<script language="vb" runat="server">Sub Application_BeginRequest(Sender as Object, E as EventArgs)    If (Request.Path.IndexOf(chr(92)) >= 0 OR _        System.IO.Path.GetFullPath(Request.PhysicalPath) <> Request.PhysicalPath) then        Throw New HttpException(404, "Not Found")    End IfEnd Sub</script>

Global.asax code sample (C#)

<script language="C#" runat="server">void Application_BeginRequest(object source, EventArgs e) {    if (Request.Path.IndexOf('\\') >= 0 ||        System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) {        throw new HttpException(404, "not found");    }}</script>


The information that is provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages. Therefore, the foregoing limitation may not apply.

Article ID: 887459 - Last Review: 12/03/2007 18:52:11 - Revision: 2.5

  • Microsoft ASP.NET 1.0
  • Microsoft ASP.NET 1.1
  • Microsoft .NET Framework 1.0
  • Microsoft .NET Framework 1.0 Service Pack 1
  • Microsoft .NET Framework 1.0 Service Pack 2
  • Microsoft .NET Framework 1.0 Service Pack 3
  • Microsoft .NET Framework 1.1
  • Microsoft .NET Framework 1.1 Service Pack 1
  • kbsecurity kbtshoot KB887459