We started to get multiple such errors daily, appearing in the Event Log:
Invalid JSON primitive: alihack. at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializePrimitiveObject() at System.Web.Script.Serialization.JavaScriptObjectDeserializer.DeserializeInternal(Int32 depth) at System.Web.Script.Serialization.JavaScriptObjectDeserializer.BasicDeserialize(String input, Int32 depthLimit, JavaScriptSerializer serializer) at System.Web.Script.Serialization.JavaScriptSerializer.Deserialize(JavaScriptSerializer serializer, String input, Type type, Int32 depthLimit) at System.Web.Mvc.JsonValueProviderFactory.GetDeserializedObject(ControllerContext controllerContext) at System.Web.Mvc.JsonValueProviderFactory.GetValueProvider(ControllerContext controllerContext) at System.Web.Mvc.ValueProviderFactoryCollection.GetValueProvider(ControllerContext controllerContext) at System.Web.Mvc.ControllerBase.get_ValueProvider() at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass21.b__19(AsyncCallback asyncCallback, Object asyncState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult
1.CallBeginDelegate(AsyncCallback callback, Object callbackState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase
1.Begin(AsyncCallback callback, Object state, Int32 timeout) at System.Web.Mvc.Async.AsyncControllerActionInvoker.BeginInvokeAction(ControllerContext controllerContext, String actionName, AsyncCallback callback, Object state) at System.Web.Mvc.Controller.b__1c(AsyncCallback asyncCallback, Object asyncState, ExecuteCoreState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid1.CallBeginDelegate(AsyncCallback callback, Object callbackState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase
1.Begin(AsyncCallback callback, Object state, Int32 timeout) at System.Web.Mvc.Controller.BeginExecuteCore(AsyncCallback callback, Object state) at System.Web.Mvc.Controller.b__14(AsyncCallback asyncCallback, Object callbackState, Controller controller) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid1.CallBeginDelegate(AsyncCallback callback, Object callbackState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase
1.Begin(AsyncCallback callback, Object state, Int32 timeout) at System.Web.Mvc.Controller.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) at System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.BeginExecute(RequestContext requestContext, AsyncCallback callback, Object state) at System.Web.Mvc.MvcHandler.b__4(AsyncCallback asyncCallback, Object asyncState, ProcessRequestState innerState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncVoid1.CallBeginDelegate(AsyncCallback callback, Object callbackState) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResultBase
1.Begin(AsyncCallback callback, Object state, Int32 timeout) at System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) at System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) at System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) at Orchard.Mvc.Routes.ShellRoute.HttpAsyncHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
The requests go to http://example.com/ali.txt. There should be something else in the request's payload since simply opening this URL correctly results in a 404.
Is this something to worry about? Can I, should I prevent such an error from happening and instead return a Bad Request for example? Why is this de-serialization happening in the first place?
This issue is a duplicate of (JSON::ParserError) "{N}: unexpected token at 'alihack<%eval request(\"alihack.com\")%> but for a different server (IIS).
If your site does not use PUT requests you can simply deny all of those by using <requestFiltering />
.
<configuration>
<system.webServer>
<security>
<requestFiltering>
<verbs applyToWebDAV="false">
<add verb="PUT" allowed="false" />
</verbs>
</requestFiltering>
</security>
</system.webServer>
</configuration>
Otherwise a more elegant solution can be archieved with the url rewrite module (can be installed with the Web Platform Installer):
<configuration>
<system.webServer>
<rewrite>
<rules>
<rule name="Abort requests to ali.txt - alihack" patternSyntax="Wildcard" stopProcessing="true">
<match url="ali.txt" />
<conditions />
<action type="AbortRequest" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>