Language: C# | Type: VULNERABILITY | Severity: Major
Tags: cwe, former-hotspot
ASP.NET 1.1+ comes with a Request Validation feature that rejects requests containing un-encoded HTML, acting as a first layer of protection against Cross-Site Scripting (XSS) attacks.
While this feature is not a silver bullet against all XSS attacks, it catches basic injection attempts and should not be disabled. Output encoding of user-supplied content remains necessary as a defense in depth.
| Note | Request Validation is only available for ASP.NET. This rule does not raise issues on ASP.NET Core applications, which do not have this feature. |
Request Validation intercepts requests that contain potentially malicious HTML before they reach the application's controllers or handlers. When it is disabled — either per action via the [ValidateInput(false)] attribute, or application-wide via validateRequest="false" or requestValidationMode="0.0" in the Web.config file — user-supplied content is no longer screened and this protection layer is gone. This rule flags any configuration that explicitly turns off Request Validation.
Without Request Validation, an attacker can submit requests containing raw HTML or JavaScript that the application then reflects back to other users without encoding. This enables Cross-Site Scripting (XSS) attacks that can steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim.
At Controller level:
[ValidateInput(false)] // Noncompliant
public ActionResult Welcome(string name)
{
...
}
[ValidateInput(true)] // Compliant: validation is explicitly kept on (it is also the default)
public ActionResult Welcome(string name)
{
...
}
At application level, configured in the Web.config file:
<configuration>
<system.web>
<pages validateRequest="false" /> <!-- Noncompliant -->
...
<httpRuntime requestValidationMode="0.0" /> <!-- Noncompliant -->
</system.web>
</configuration>
<configuration>
<system.web>
<pages validateRequest="true" /> <!-- Compliant -->
...
<httpRuntime requestValidationMode="4.5" /> <!-- Compliant -->
</system.web>
</configuration>
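The following added example (not taken from the rule page or from any project it describes) puts the two halves of the advice above side by side in an ASP.NET MVC 5 controller: an action that disables Request Validation and reflects the input unencoded, next to one that leaves validation on, exempts only the single field that legitimately carries markup with [AllowHtml], and HTML-encodes everything it writes back. The controller, view model and field names are assumptions chosen for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical view model for a comment form (assumed for this example).
public class CommentViewModel
{
    // Plain-text field: Request Validation stays on for it and rejects
    // values such as "<script>" before the action runs.
    public string Author { get; set; }

    // The one field that legitimately carries markup. [AllowHtml] exempts
    // only this property from Request Validation, instead of switching the
    // check off for every parameter of the action with [ValidateInput(false)].
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Noncompliant: Request Validation is disabled for the whole action and the
    // raw value is echoed back as text/html. A body of
    // "<script>alert(document.cookie)</script>" is both accepted and executed
    // in the browser of whoever views the preview.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult PreviewUnsafe(string body)
    {
        return Content("<div class=\"preview\">" + body + "</div>", "text/html");
    }

    // Compliant: Request Validation keeps its default (enabled) state, markup is
    // admitted only through the [AllowHtml] property, and the output is encoded
    // so any tags in 'Body' render as literal text rather than executing.
    // (Rendering the submitted markup as HTML would additionally require a
    // dedicated HTML sanitizer, which is outside the scope of this example.)
    [HttpPost]
    public ActionResult Preview(CommentViewModel model)
    {
        string safeAuthor = HttpUtility.HtmlEncode(model.Author ?? string.Empty);
        string safeBody = HttpUtility.HtmlEncode(model.Body ?? string.Empty);

        return Content(
            "<div class=\"preview\"><b>" + safeAuthor + "</b>: " + safeBody + "</div>",
            "text/html");
    }
}
```

In a Razor view the same output-encoding rule applies: `@Model.Body` is HTML-encoded automatically, while `@Html.Raw(Model.Body)` writes the value verbatim and reintroduces the reflected XSS that Request Validation was meant to catch.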