Request Validation Disabled

ID

csharp.request_validation_disabled

Severity

high

Resource

Misconfiguration

Language

CSharp

Tags

CWE:554, NIST.SP.800-53, OWASP:2021:A3, OWASP:2021:A5, PCI-DSS:6.5.7

Description

Request validation is a security feature in ASP.NET and ASP.NET MVC that helps prevent potentially dangerous content from being processed by checking user input for malicious content by default. Disabling request validation increases the risk of injection attacks.

Rationale

ASP.Net

Consider the following configuration, where request validation (ASP.NET's built-in XSS protection) is disabled for the whole application:

<configuration>
   <system.web>
      <pages validateRequest="false" />
   </system.web>
</configuration>

In this example, the application is vulnerable to Cross-site Scripting (XSS) attacks because the protection provided by ASP.NET was disabled globally.

Request validation can also be disabled for a single page:

<%@ Page Title="" Language="C#" ValidateRequest="false" %>

In this ASP.NET Web Forms example, request validation is disabled on a specific page level, making that page susceptible to XSS, as it will not automatically filter potentially harmful inputs.

ASP.Net MVC

In an ASP.NET MVC application, request validation can be disabled at the action level using an attribute, potentially exposing the application to XSS:

[HttpPost]
[ValidateInput(false)]   // turns request validation off for every parameter of this action
public ActionResult Edit(string comment)
{
    if (ModelState.IsValid)
    {
        // Processing logic
    }
    // Cast to object so the comment is passed as the view model;
    // Controller.View(string) would otherwise treat it as a view name.
    return View((object)comment);
}

In this MVC example, the [ValidateInput(false)] attribute disables request validation for this specific action, so the comment parameter can carry markup such as script tags into the rest of the application unless it is validated and encoded elsewhere.

Remediation

ASP.Net

To fix the vulnerable configuration shown before, make sure that request validation is NOT disabled:

<configuration>
   <system.web>
      <pages validateRequest="true" />
   </system.web>
</configuration>

In addition, encode any data that may originate from untrusted input before inserting it into HTML, choosing the encoder that matches the context in which the data is placed (HTML body, attribute, JavaScript string, URL parameter).
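The following helper is an added example, not code from the rule page or from ASP.NET itself. It maps the four common output contexts to the matching encoder in System.Web's HttpUtility class (the HttpUtility calls are real .NET Framework APIs; the class, method names and the sample comment are the example's own, and the comment string is constructed to contain characters that are significant in each context).

```csharp
using System.Web;   // HttpUtility lives in System.Web.dll (ASP.NET on .NET Framework)

// Added example (not part of the original rule page): pick the encoder by the
// HTML context the untrusted value is written into. Request validation only
// rejects obviously dangerous input; output encoding is what actually prevents
// a stored or reflected value from being interpreted as markup or script.
public static class ContextualEncoding
{
    // Constructed sample: a comment as an untrusted visitor might submit it.
    public const string UntrustedComment =
        "<img src=x onerror=alert(1)> \"quoted\" & 'single'";

    // HTML body context, e.g. <p>...</p>.
    // HtmlEncode replaces <, >, &, " and ' with character entities.
    public static string ForHtmlBody(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // Double-quoted HTML attribute context, e.g. <input value="...">.
    // HtmlEncode is used deliberately: it is a superset of HtmlAttributeEncode,
    // which does not encode the single quote needed for '...'-quoted attributes.
    public static string ForHtmlAttribute(string value)
    {
        return HttpUtility.HtmlEncode(value ?? string.Empty);
    }

    // JavaScript string literal context, e.g. var c = "...";
    // Backslash-escapes quotes, backslashes and control characters;
    // addDoubleQuotes:false leaves the surrounding quotes to the caller.
    public static string ForJavaScriptString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value ?? string.Empty, addDoubleQuotes: false);
    }

    // URL query parameter context, e.g. href="/search?q=...".
    public static string ForUrlParameter(string value)
    {
        return HttpUtility.UrlEncode(value ?? string.Empty);
    }

    // Assembles one snippet per context from the constructed sample so the
    // effect of each encoder can be inspected side by side.
    public static string RenderAllContexts()
    {
        string v = UntrustedComment;
        return
            "<p>" + ForHtmlBody(v) + "</p>\n" +
            "<input type=\"text\" value=\"" + ForHtmlAttribute(v) + "\" />\n" +
            "<script>var comment = \"" + ForJavaScriptString(v) + "\";</script>\n" +
            "<a href=\"/search?q=" + ForUrlParameter(v) + "\">search</a>";
    }
}
```

In Web Forms markup the `<%: value %>` syntax (ASP.NET 4 and later) applies HtmlEncode automatically, whereas `<%= value %>` writes the raw string; prefer `<%: %>` for anything that is not already encoded, and use the JavaScript and URL encoders above for values that land inside script blocks or query strings, where HTML encoding alone is the wrong transformation.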

ASP.Net MVC

Additionally, in MVC, ensure request validation is enabled unless there’s a specific, well-justified need to disable it, and apply robust validation and encoding where necessary.
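As an added example (not the rule page's or ASP.NET MVC's own code), the controller below keeps request validation on for the action and narrows any opt-out to a single model property with the [AllowHtml] attribute, which is a real System.Web.Mvc attribute. The model, controller and action names are the example's own, and the requirement that one field accepts markup is a hypothetical one introduced to show the scoped opt-out.

```csharp
using System.Web;
using System.Web.Mvc;   // System.Web.Mvc (ASP.NET MVC 3 or later)

// Added example, not the rule page's own code: the hardened counterpart of the
// [ValidateInput(false)] action shown in the Rationale section.
public class CommentModel
{
    // Plain-text fields stay under request validation: input that looks like
    // markup is rejected by the framework before the action runs.
    public string Author { get; set; }

    // Hypothetical requirement: a rich-text editor posts limited markup here.
    // [AllowHtml] scopes the opt-out to this one property, instead of
    // [ValidateInput(false)] switching validation off for every parameter.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // No [ValidateInput(false)]: request validation remains active for Author
    // and for any other parameter of this action.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(CommentModel model)
    {
        if (model == null || !ModelState.IsValid)
        {
            return View(model);
        }

        // The markup that [AllowHtml] let through is still untrusted. The safe
        // default is to encode it so it renders as literal text. If the markup
        // must actually be rendered, replace this line with an allowlist HTML
        // sanitizer and only then pass the result to Html.Raw in the view.
        model.Body = HttpUtility.HtmlEncode(model.Body ?? string.Empty);

        return View(model);
    }
}
```

In the corresponding Razor view, `@Model.Author` and `@Model.Body` are HTML-encoded automatically; `@Html.Raw(...)` is the only construct that bypasses that encoding and should be reserved for values that have been sanitized, never for a field that was merely exempted from request validation.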

References

  • CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework.