
S5753 — ASP.NET Request Validation should not be disabled

Language: VB.NET  |  Type: VULNERABILITY  |  Severity: Major

Tags: cwe, former-hotspot

ASP.NET 1.1+ comes with a Request Validation feature that rejects requests containing un-encoded HTML, acting as a first layer of protection against Cross-Site Scripting (XSS) attacks.

While this feature is not a silver bullet against all XSS attacks, it catches basic injection attempts and should not be disabled. Output encoding of user-supplied content remains necessary as a defense in depth.

Note: Request Validation is only available for ASP.NET. This rule does not raise issues on ASP.NET Core applications, which do not have this feature.

Why is this an issue?

Request Validation intercepts requests that contain potentially malicious HTML before they reach the application's controllers or handlers. When it is disabled, either via the ValidateInput attribute on a controller action or via validateRequest="false" / requestValidationMode="0.0" in the Web.config file, user-supplied content is no longer screened and this protection layer is lost. This rule flags any configuration that explicitly turns off Request Validation.

What is the potential impact?

Without Request Validation, an attacker can submit requests containing raw HTML or JavaScript that the application then reflects back to other users without encoding. This enables Cross-Site Scripting (XSS) attacks that can steal session cookies, redirect users to malicious sites, or perform actions on behalf of the victim.

How to fix it

Code examples

At Controller level:

Noncompliant code example

<ValidateInput(False)> ' Noncompliant
Public Function Welcome(Name As String) As ActionResult
  ...
End Function

Compliant solution

<ValidateInput(True)>
Public Function Welcome(Name As String) As ActionResult
  ...
End Function

At application level, configured in the Web.config file:

Noncompliant code example

<configuration>
   <system.web>
      <pages validateRequest="false" /> <!-- Noncompliant -->
      ...
      <httpRuntime requestValidationMode="0.0" /> <!-- Noncompliant -->
   </system.web>
</configuration>

Compliant solution

<configuration>
   <system.web>
      <pages validateRequest="true" />
      ...
      <httpRuntime requestValidationMode="4.5" />
   </system.web>
</configuration>
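The two checks this rule performs, as an added Python example that is not SonarSource's analyzer code: it scans a Web.config for the noncompliant settings shown above and a VB.NET source file for an action annotated with <ValidateInput(False)>. The sample inputs are constructed here to mirror the examples on this page.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs mirroring the noncompliant and compliant examples above.
WEB_CONFIG_NONCOMPLIANT = """<configuration><system.web>
  <pages validateRequest="false" />
  <httpRuntime requestValidationMode="0.0" />
</system.web></configuration>"""

WEB_CONFIG_COMPLIANT = """<configuration><system.web>
  <pages validateRequest="true" />
  <httpRuntime requestValidationMode="4.5" />
</system.web></configuration>"""

VB_SOURCE = """Imports System.Web.Mvc
Public Class HomeController
  Inherits Controller
  <validateinput(false)>
  Public Function Welcome(Name As String) As ActionResult
    Return View()
  End Function
End Class"""


def check_web_config(xml_text):
    """Return the Web.config settings that explicitly turn Request Validation off."""
    findings = []
    root = ET.fromstring(xml_text)
    for pages in root.iter("pages"):
        if pages.get("validateRequest", "true").strip().lower() == "false":
            findings.append('pages validateRequest="false"')
    for runtime in root.iter("httpRuntime"):
        mode = runtime.get("requestValidationMode")
        try:
            # requestValidationMode="0.0" disables validation for every request.
            disabled = mode is not None and float(mode) == 0.0
        except ValueError:
            disabled = False  # malformed value: not this rule's concern
        if disabled:
            findings.append(f'httpRuntime requestValidationMode="{mode}"')
    return findings


# VB.NET is case-insensitive, so match the attribute regardless of casing.
VALIDATE_INPUT_OFF = re.compile(r"<\s*ValidateInput\s*\(\s*False\s*\)\s*>", re.IGNORECASE)


def check_vb_source(source):
    """Return 1-based line numbers of actions annotated with <ValidateInput(False)>."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if VALIDATE_INPUT_OFF.search(line)]
```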
