Page request validation is disabled — CodeQL query help documentation

ID: cs/web/request-validation-disabled
Kind: problem
Security severity: 7.5
Severity: warning
Precision: high
Tags:
   - security
   - frameworks/asp.net
   - external/cwe/cwe-016
Query suites:
   - csharp-code-scanning.qls
   - csharp-security-extended.qls
   - csharp-security-and-quality.qls

Click to see the query in the CodeQL repository

Request validation is a feature in ASP.NET that protects web applications against potentially malicious content in requests, specifically against cross-site scripting attacks (XSS).

Recommendation¶

Enable the directive validateRequest in your web.config file: <pages validateRequest="true" />

Example¶

The following example shows the validateRequest flag set to false in a Web.config file for ASP.NET. This will disable validation, and leave the web application vulnerable against common XSS attacks:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

If validateRequest is set to true, validation is enabled:

<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>

References¶

MSDN: Request Validation in ASP.NET .
Common Weakness Enumeration: CWE-16.