A Potentially Dangerous Request.Path Value Was Detected from the Client (*)

A potentially dangerous Request.Path value was detected from the client (*)

The * character is not allowed in the path of the URL, but there is no problem using it in the query string:

http://localhost:3286/Search/?q=test*

It's not an encoding issue: the * character has no special meaning in a URL, so it doesn't matter whether you URL-encode it or not. You would need to encode it using a different scheme, and then decode it.

For example using an arbitrary character as escape character:

query = query.Replace("x", "xxx").Replace("y", "xxy").Replace("*", "xyy");

And decoding:

query = query.Replace("xyy", "*").Replace("xxy", "y").Replace("xxx", "x");
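The same idea, as an added example that is not part of the answer above: a reversible escape for the characters ASP.NET rejects in Request.Path, so an arbitrary value can travel inside a path segment and be restored on the server. It escapes the escape character itself, which is what makes the decoding unambiguous. The character list is an assumption (ASP.NET's default requestPathInvalidCharacters plus `/`); align it with your own web.config.

```csharp
// Added example, not code from the original answer. Escape scheme: "_" -> "__",
// any character in Invalid -> "_" + two hex digits (e.g. "*" -> "_2A").
// Invalid is assumed to be ASP.NET's default requestPathInvalidCharacters plus '/'
// (so an encoded value can never open a new path segment).
using System;
using System.Text;

public static class PathSegmentCodec
{
    private const string Invalid = "<>*%&:\\?/";
    private const char Esc = '_';

    public static string Encode(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            if (c == Esc)
                sb.Append("__");                                   // escape the escape char
            else if (Invalid.IndexOf(c) >= 0)
                sb.Append(Esc).Append(((int)c).ToString("X2"));    // "*" -> "_2A"
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    public static string Decode(string encoded)
    {
        var sb = new StringBuilder(encoded.Length);
        for (int i = 0; i < encoded.Length; i++)
        {
            char c = encoded[i];
            if (c != Esc) { sb.Append(c); continue; }

            // "__" -> "_"
            if (i + 1 < encoded.Length && encoded[i + 1] == Esc) { sb.Append(Esc); i++; continue; }

            // "_XX" -> the character with code 0xXX; anything else is malformed input
            if (i + 2 >= encoded.Length || !Uri.IsHexDigit(encoded[i + 1]) || !Uri.IsHexDigit(encoded[i + 2]))
                throw new FormatException("Malformed escape sequence at offset " + i);
            sb.Append((char)Convert.ToInt32(encoded.Substring(i + 1, 2), 16));
            i += 2;
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample inputs covering the rejected characters and the escape char itself.
        string[] samples = { "test*", "a&b:c?d", "x_y\\z", "plain" };
        foreach (string s in samples)
        {
            string enc = Encode(s);
            // Self-check: the encoded form must contain none of the rejected characters
            // and must decode back to the original.
            if (enc.IndexOfAny(Invalid.ToCharArray()) >= 0 || Decode(enc) != s)
                throw new InvalidOperationException("round trip failed for " + s);
            Console.WriteLine("{0,-10} -> /Search/{1}", s, enc);
        }
    }
}
```

Run it and you get, for example, `test*` encoded as `/Search/test_2A`, which passes the path check unchanged; the handler then calls `Decode` on the segment to recover the original value. Malformed input (a lone `_` at the end, or `_` followed by non-hex characters) raises a `FormatException` rather than silently producing a different string.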

Getting A potentially dangerous Request.Path value was detected from the client (&)

While you could try these settings in the config file

    <system.web>
        <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
        <pages validateRequest="false" />
    </system.web>

I would avoid using characters like '&' in the URL path, replacing them with underscores.

Getting “A potentially dangerous Request.Path value was detected from the client (&)”

It makes no difference to ASP.NET whether you encode the & symbol or not. See this answer: https://stackoverflow.com/a/12037000/134761

To allow special characters in your URL path you should modify the requestPathInvalidCharacters parameter in web.config like this:

<httpRuntime requestPathInvalidCharacters="" />

Or if you want to only allow & but disallow all other special chars:

<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,\" />

(web.config is XML, so a literal < is not allowed inside an attribute value; it has to be written as &lt;, and & as &amp;, or the configuration will not parse.)

How to catch A potentially dangerous Request.Path value was detected from the client (:) to avoid web role crash?


The ideal behavior would be that we catch the exception, log it, and return an error message without crashing. How should we do that?

Per my understanding, you could leverage the Application_Error event to capture unhandled exception(s) within ASP.NET. Here is my test; you could refer to it:

    using System;
    using System.Text;
    using System.Web;
    using Newtonsoft.Json;   // JsonConvert

    protected void Application_Error()
    {
        HttpContext httpContext = HttpContext.Current;
        var exception = Server.GetLastError();
        var httpException = exception as HttpException ?? new HttpException(500, "Internal Server Error", exception);
        var jsonResponse = new
        {
            Message = exception.Message,
            StatusCode = httpException.GetHttpCode(),
            // exception.StackTrace, not httpException.StackTrace: a freshly constructed
            // (never thrown) HttpException has no stack trace. Fine for a test, but do
            // not send stack traces to real clients.
            StackTrace = exception.StackTrace
        };
        Server.ClearError();   // mark the error handled so the default error page is not rendered as well
        httpContext.Response.Clear();
        httpContext.Response.StatusCode = httpException.GetHttpCode();
        httpContext.Response.ContentType = "application/json";
        httpContext.Response.ContentEncoding = Encoding.UTF8;
        httpContext.Response.Write(JsonConvert.SerializeObject(jsonResponse));
        httpContext.Response.End();
    }


Note: You could also redirect to a specific error page.

Moreover, you could leverage the customErrors section in web.config and catch the error page for the specific HTTP error code. Also, you could check the HTTP status code in the Application_EndRequest event and write your custom response; for details you could refer to this similar issue. Additionally, I would recommend you follow Demystifying ASP.NET MVC 5 Error Pages and Error Logging for more details about error handling.
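A production-oriented version of the handler, as an added example that is not the answer's own code: it logs the full exception server-side, answers the client with a generic JSON body that carries no exception message or stack trace, reports request-validation failures as 400 rather than 500, and clears the error so the runtime does not also render its own error page. Assumptions: Newtonsoft.Json is referenced, logging goes through System.Diagnostics.Trace (swap in your logger), and the Request.Path failure surfaces as an HttpException whose message starts with the "A potentially dangerous" text quoted on this page (form and query-string failures arrive as HttpRequestValidationException).

```csharp
// Added example for Global.asax.cs, not code from the original answer.
// Assumes Newtonsoft.Json is referenced and System.Diagnostics.Trace is configured.
using System;
using System.Diagnostics;
using System.Text;
using System.Web;
using Newtonsoft.Json;

public partial class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception exception = Server.GetLastError();
        if (exception == null) return;

        HttpContext ctx = Context;
        var httpException = exception as HttpException;

        // Request validation failures are the client's fault: report 400, not 500.
        // Assumption: the Request.Path check is reported as an HttpException whose
        // message starts with the same "A potentially dangerous" text as the
        // HttpRequestValidationException raised for form/query-string input.
        bool badRequest = exception is HttpRequestValidationException
            || exception.Message.StartsWith("A potentially dangerous", StringComparison.Ordinal);
        int status = badRequest ? 400 : (httpException != null ? httpException.GetHttpCode() : 500);

        // Everything useful (message, stack, raw URL) is logged here, and only here.
        // RawUrl is not subject to request validation, so reading it cannot re-throw.
        Trace.TraceError("Unhandled exception (HTTP {0}) for {1} {2}: {3}",
            status, ctx.Request.HttpMethod, ctx.Request.RawUrl, exception);

        Server.ClearError();                          // we own the response from here on
        ctx.Response.Clear();
        ctx.Response.StatusCode = status;
        ctx.Response.TrySkipIisCustomErrors = true;   // keep IIS from replacing our body
        ctx.Response.ContentType = "application/json";
        ctx.Response.ContentEncoding = Encoding.UTF8;
        ctx.Response.Write(JsonConvert.SerializeObject(new
        {
            // Generic text only: no exception message, no stack trace, no server paths.
            Message = badRequest
                ? "The request contained characters that are not allowed in the URL path."
                : "An unexpected error occurred.",
            StatusCode = status
        }));
        ctx.Response.End();
    }
}
```

The difference from the test handler is what leaves the server: the client learns the status code and a fixed sentence, while the exception text (which names the offending character) and the stack trace stay in the log, where they are useful for triage but harmless.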

A potentially dangerous Request.Path value was detected from the client (?)

It dawned on me why the querystring was not showing anything in our logs.
Requests that encode the "?" (%3f) will cause the exception described above to be raised, for example:

/cities/index.aspx%3flocid=4163

The encoded %3f is interpreted as part of the path, hence the exception of "A potentially dangerous Request.Path value was detected from the client (?)".

When I entered the URL shown above in a browser -- the exception is raised and the log does not contain a querystring. So I can only assume everything is functioning as it should and that the requester is encoding the ? when they should not be; basically wrecking the querystring portion of the URL.

We also have requestValidationMode="2.0" in system.web, but DO NOT make use of the requestPathInvalidCharacters (httpRuntime) setting.
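To see why an encoded `?` ends up in the path, here is an added triage helper that is not part of the post above. It splits a raw URL from the logs at the first literal `?`, decodes only the path part (the runtime decodes `%3f` to `?` after the split, which is why the character lands in Request.Path), and reports which characters would trip the path check. The character list is an assumption (ASP.NET's default requestPathInvalidCharacters); pass your own if the web.config overrides it.

```csharp
// Added example, not code from the original post: approximates the Request.Path check
// for a raw URL taken from a log. Assumes the default requestPathInvalidCharacters list.
using System;
using System.Linq;

public static class PathValidation
{
    public static readonly char[] DefaultInvalid = { '<', '>', '*', '%', '&', ':', '\\', '?' };

    public sealed class Verdict
    {
        public string RawPath;      // path exactly as it appeared in the request line
        public string DecodedPath;  // what the runtime validates
        public string Query;        // everything after the first literal '?'
        public char[] Offending;    // invalid characters found in DecodedPath
        public bool Rejected { get { return Offending.Length > 0; } }
    }

    public static Verdict Inspect(string rawUrl, char[] invalid = null)
    {
        invalid = invalid ?? DefaultInvalid;

        // Path/query split happens on the literal '?' before any decoding,
        // so a %3f never becomes a query separator.
        int q = rawUrl.IndexOf('?');
        string rawPath = q < 0 ? rawUrl : rawUrl.Substring(0, q);
        string query = q < 0 ? "" : rawUrl.Substring(q + 1);
        string decoded = Uri.UnescapeDataString(rawPath);

        return new Verdict
        {
            RawPath = rawPath,
            DecodedPath = decoded,
            Query = query,
            Offending = decoded.Where(c => invalid.Contains(c)).Distinct().ToArray()
        };
    }

    public static void Main()
    {
        // Constructed sample request lines; the first two mirror the post above.
        string[] samples =
        {
            "/cities/index.aspx?locid=4163",    // fine: '?' separates the query
            "/cities/index.aspx%3flocid=4163",  // rejected: '?' is decoded into the path
            "/Search/foo*bar",                  // rejected: '*' in the path
            "/Search/?q=test*",                 // fine: '*' sits in the query string
        };
        foreach (string s in samples)
        {
            Verdict v = Inspect(s);
            Console.WriteLine("{0,-34} path={1,-30} query={2,-12} {3}",
                s, v.DecodedPath, v.Query,
                v.Rejected ? "REJECTED (" + new string(v.Offending) + ")" : "ok");
        }
    }
}
```

For `/cities/index.aspx%3flocid=4163` the helper reports an empty query and a decoded path of `/cities/index.aspx?locid=4163`, flagged for `?`, which matches the log observation above: there is no query string to record because the whole thing is the path. Running it over a batch of rejected URLs from the logs separates clients that double-encode the separator from requests that genuinely carry a bad character.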
