CodeQL documentation

Page request validation is disabled

ID: cs/web/request-validation-disabled
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
- security
- frameworks/asp.net
- external/cwe/cwe-16
Query suites:
- csharp-code-scanning.qls
- csharp-security-extended.qls
- csharp-security-and-quality.qls


Request validation is a feature in ASP.NET that protects web applications against potentially malicious content in requests, specifically against cross-site scripting attacks (XSS).

Recommendation

Enable request validation by setting the validateRequest attribute of the pages element in your web.config file:

    <pages validateRequest="true" />

Example

The following example shows the validateRequest flag set to false in a Web.config file for ASP.NET. This disables validation and leaves the web application vulnerable to common XSS attacks:

    <configuration>
      <system.web>
        <pages validateRequest="false" />
      </system.web>
    </configuration>

If validateRequest is set to true, validation is enabled:

    <configuration>
      <system.web>
        <pages validateRequest="true" />
      </system.web>
    </configuration>
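The check below is an added example, not part of the CodeQL documentation or the CodeQL query itself: a small Python script that parses a web.config and reports whether page request validation is disabled, which is useful for a quick audit of a deployment before or alongside a code-scanning run. It assumes ASP.NET's documented default (request validation is enabled when the pages element or its validateRequest attribute is absent) and, as a simplification, compares the attribute value case-insensitively. The sample configurations are constructed for the example.

```python
"""Report ASP.NET web.config files in which page request validation is disabled.

Added example for the cs/web/request-validation-disabled query page; not CodeQL's code.
"""
import xml.etree.ElementTree as ET

# Constructed sample web.config contents (not taken from any real project).
DISABLED_CONFIG = """<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>"""

ENABLED_CONFIG = """<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>"""

# No <pages> element at all: ASP.NET's default for validateRequest is true.
DEFAULT_CONFIG = """<configuration>
  <system.web>
    <httpRuntime />
  </system.web>
</configuration>"""


def _child(elem, tag):
    """Return the first direct child of elem with the given tag, or None.

    Done by iteration rather than an ElementPath expression so that the dot in
    'system.web' is never mistaken for path syntax.
    """
    for child in elem:
        if child.tag == tag:
            return child
    return None


def request_validation_enabled(config_xml: str) -> bool:
    """Return True if page request validation is in effect for this config.

    Looks for <configuration><system.web><pages validateRequest="..."/>.
    A missing element or attribute means the framework default, which is enabled.
    """
    root = ET.fromstring(config_xml)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is %r" % root.tag)
    system_web = _child(root, "system.web")
    if system_web is None:
        return True
    pages = _child(system_web, "pages")
    if pages is None:
        return True
    value = pages.get("validateRequest")
    if value is None:
        return True
    # Assumption: compare case-insensitively; only an explicit "false" disables it.
    return value.strip().lower() != "false"


def find_disabled(configs: dict) -> list:
    """Return the names of the configs in which request validation is disabled."""
    return [name for name, xml in configs.items()
            if not request_validation_enabled(xml)]


if __name__ == "__main__":
    samples = {"disabled": DISABLED_CONFIG,
               "enabled": ENABLED_CONFIG,
               "default": DEFAULT_CONFIG}
    for name in find_disabled(samples):
        print(f"{name}: page request validation is disabled "
              f"(cs/web/request-validation-disabled)")
```

Run against real files by reading each web.config into a string and passing it to find_disabled; only the "disabled" sample is reported, since both an explicit "true" and an absent setting leave validation on.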
