Summary

Acunetix 360 detected that ASP.NET ValidateRequest is globally disabled in the ASP.NET application. Request validation protects against markup or code in the URL query string, cookies, or posted form values that may have been injected for malicious purposes.

Impact

When ASP.NET ValidateRequest is globally disabled, Cross-site Scripting (XSS) attacks become easier to perform. When request validation is enabled and detects potentially malicious input, such as markup or code in the request, it helps prevent this kind of attack by throwing a “potentially dangerous value was detected” error and halting page processing.

Actions To Take

ValidateRequest should only be disabled on certain pages where, for instance, the user is expected to post HTML content. Even then, the number of allowed HTML tags should be limited.
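As an added illustration (not part of the Acunetix 360 advisory), a web.config fragment for an ASP.NET Web Forms application showing the globally disabled setting the check reports, and beside it the corrected form that keeps validation on everywhere and opts out only for one page; the page path is an assumed placeholder.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not the advisory's own configuration. -->
<configuration>
  <system.web>
    <!-- WEAK (what the check reports): validation switched off for every page.
         <pages validateRequest="false" /> -->

    <!-- CORRECTED: keep the application-wide default on. validateRequest already
         defaults to true; stating it makes the intent explicit and reviewable. -->
    <pages validateRequest="true" />

    <!-- On ASP.NET 4.0 and later, a per-page opt-out is honoured only when
         requestValidationMode is 2.0; with the 4.x default, validation runs
         for every request regardless of page settings. -->
    <httpRuntime requestValidationMode="2.0" />
  </system.web>

  <!-- Scope the exception to the single page that is expected to post HTML.
       "Admin/EditArticle.aspx" is an assumed placeholder path. -->
  <location path="Admin/EditArticle.aspx">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
```

The same per-page opt-out can be expressed in the page itself with `<%@ Page ValidateRequest="false" %>`; either way, the page that accepts HTML still needs its own server-side filtering to a small allow-list of tags, since request validation no longer protects it.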

Severity

Medium

Classification

CWE-16, OWASP 2013-A5, OWASP 2017-A6