Summary
Acunetix 360 detected that ASP.NET request validation (ValidateRequest) is disabled globally for the application, which is done by setting validateRequest="false" on the <pages> element in web.config. When enabled, this check rejects requests whose URL query string, cookies or posted form values contain HTML markup or code that may have been supplied for malicious purposes.
Impact
When ValidateRequest is disabled globally, every page in the application accepts raw markup in its inputs, which makes Cross-site Scripting (XSS) attacks easier to carry out: any such value that is later rendered without proper output encoding becomes exploitable. With validation enabled, ASP.NET inspects the request and, if it finds input that looks like markup or code, throws an HttpRequestValidationException ("A potentially dangerous Request.Form value was detected from the client") and halts page processing before the value reaches application code. Request validation is a defence-in-depth measure, not a complete XSS defence: it does not replace contextual output encoding of untrusted data, and disabling it removes a safety net for every page at once.
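The two web.config fragments below are an added illustration, not configuration from the Acunetix 360 report or from any specific application: the first is the setting that triggers this finding, the second is the corrected form that keeps validation on globally while leaving room for targeted opt-outs. The targetFramework value is an assumption for a .NET 4.5 application.

```xml
<!-- Vulnerable web.config (constructed example): request validation is
     switched off for every page in the application, which is exactly what
     Acunetix 360 reports. -->
<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

<!-- Corrected web.config (constructed example): validation stays on
     application-wide. The defaults are already true/4.5, but stating
     them makes the intent explicit and survives later edits. -->
<configuration>
  <system.web>
    <pages validateRequest="true" />
    <!-- requestValidationMode="4.5" validates every request and lets a
         single control opt out with ValidateRequestMode="Disabled", or
         code read one raw value via Request.Unvalidated, without any
         page- or application-wide switch.
         Avoid requestValidationMode="2.0": it is only needed to make a
         page-level ValidateRequest="false" directive take effect, and it
         reverts the whole application to validating .aspx pages only. -->
    <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
  </system.web>
</configuration>
```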
Actions To Take
ValidateRequest should stay enabled globally and be disabled only on the specific pages where the user is genuinely expected to post HTML content, such as a rich-text comment field. On .NET 4.5 and later, prefer the narrower opt-outs: set ValidateRequestMode="Disabled" on the single control that receives the HTML, or read the one raw value through Request.Unvalidated, so that every other input on the page remains validated. Note that on .NET 4.0 and later a page-level ValidateRequest="false" directive only takes effect when web.config also sets <httpRuntime requestValidationMode="2.0" />, which weakens validation for the whole application. Even where HTML is accepted, sanitize it against a short allow-list of permitted tags and attributes before storing or rendering it, and keep contextual output encoding in place everywhere else.
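The following Web Forms code-behind is an added example of the recommendation above; it is not code from the Acunetix 360 report or from any real application. It assumes the markup shown in the leading comment, a web.config with requestValidationMode="4.5" (the default for a 4.5 application), and the third-party HtmlSanitizer package (Ganss.Xss on NuGet) for allow-list sanitization; the page, control and namespace names are hypothetical.

```csharp
// CommentPage.aspx.cs (hypothetical). Request validation stays ON for the
// page; only the one control that legitimately carries HTML opts out.
// The matching CommentPage.aspx markup is assumed to be:
//
//   <%@ Page Language="C#" AutoEventWireup="true"
//       CodeBehind="CommentPage.aspx.cs" Inherits="Demo.CommentPage" %>
//   <asp:TextBox ID="CommentBox" runat="server" TextMode="MultiLine"
//       ValidateRequestMode="Disabled" />
//   <asp:Button ID="SubmitButton" runat="server" Text="Post"
//       OnClick="SubmitButton_Click" />
//   <asp:Literal ID="CommentOutput" runat="server" />
//
// Note the page directive does NOT set ValidateRequest="false", so every
// other field, cookie and query-string value on this page is still checked.
using System;
using System.Web;
using System.Web.UI;
using Ganss.Xss;   // HtmlSanitizer NuGet package (assumed available)

namespace Demo
{
    public partial class CommentPage : Page
    {
        // Allow-list: the handful of tags a comment legitimately needs.
        // Anything not listed (script, iframe, style, on* event handlers,
        // javascript: URLs) is removed by the sanitizer.
        private static readonly string[] AllowedTags =
            { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a" };
        private static readonly string[] AllowedAttributes = { "href" };
        private static readonly string[] AllowedSchemes = { "http", "https" };

        // Reduces untrusted HTML to the allow-listed subset. Kept static so it
        // can be unit-tested without a page lifecycle.
        public static string SanitizeComment(string rawHtml)
        {
            var sanitizer = new HtmlSanitizer();
            sanitizer.AllowedTags.Clear();
            sanitizer.AllowedTags.UnionWith(AllowedTags);
            sanitizer.AllowedAttributes.Clear();
            sanitizer.AllowedAttributes.UnionWith(AllowedAttributes);
            sanitizer.AllowedSchemes.Clear();
            sanitizer.AllowedSchemes.UnionWith(AllowedSchemes);
            // e.g. "<p>Hi <b>there</b></p><script>alert(1)</script>" loses the
            // script element; <a href="javascript:..."> loses its href.
            return sanitizer.Sanitize(rawHtml ?? string.Empty);
        }

        protected void SubmitButton_Click(object sender, EventArgs e)
        {
            // CommentBox.Text is the only value on this page that bypassed
            // request validation; it is sanitized before it is ever rendered.
            string clean = SanitizeComment(CommentBox.Text);
            CommentOutput.Text = clean;
        }

        // Alternative for handlers without server controls: read exactly one
        // raw value while everything else in the request stays validated.
        public static string ReadRawComment(HttpRequest request)
        {
            return SanitizeComment(request.Unvalidated.Form["comment"]);
        }
    }
}
```

The point of the example is the scope of the opt-out: ValidateRequestMode="Disabled" on one TextBox, or Request.Unvalidated for one form field, replaces a page- or application-wide ValidateRequest="false", and the sanitizer's allow-list, not request validation, is what actually decides which HTML survives.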