Description

ValidateRequest is disabled on this web application. When turned on, the ValidateRequest attribute on the @Page directive checks that users are not sending potentially dangerous HTML markup in query strings, cookies, or form fields. If that is detected, an exception is thrown and the request aborts. ValidateRequest represents a good defense against XSS (cross-site scripting) and should only be disabled on individual pages. In this case ValidateRequest was globally disabled from web.config.

Remediation

You should only disable ValidateRequest on pages where users are able to post HTML code to the site for gaining better formatting options. In this case, you should limit the number of allowed HTML tags (<pre>, <b>, <i>, <p>, <br>, <hr>) and write a regular expression that ensures that nothing else is allowed or accepted.

References

Related Vulnerabilities