Page request validation is disabled¶

ID: cs/web/request-validation-disabled
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - frameworks/asp.net
   - external/cwe/cwe-016
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

Request validation is a feature in ASP.NET that protects web applications against potentially malicious content in requests, specifically against cross-site scripting attacks (XSS).

Recommendation¶

Enable the directive validateRequest in your web.config file: <pages validateRequest="true" />

Example¶

The following example shows the validateRequest flag set to false in a Web.config file for ASP.NET. This will disable validation, and leave the web application vulnerable against common XSS attacks:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

If validateRequest is set to true, validation is enabled:

<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>

References¶

MSDN: Request Validation in ASP.NET .
Common Weakness Enumeration: CWE-16.

© GitHub, Inc.
Terms
Privacy

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.

Page request validation is disabled¶

Recommendation¶

Example¶

References¶

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.