
Event Validation Disabled

What does this mean?

Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from mark-up or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes. Such injected content is typically used for a cross-site scripting (XSS) attack. Request validation helps to prevent this kind of attack by throwing a “potentially dangerous value was detected” error and halting page processing if it detects input that may be malicious, such as mark-up or code in the request.

What can happen?

If request validation is disabled, or input is not otherwise validated, the application is exposed to cross-site scripting (XSS) attacks.

Recommendation

Request validation is generally desirable and should be left enabled for defense in depth. Fully protecting your application from malicious input requires validating each field of user-supplied data. In some cases you may need to accept input that will fail ASP.NET request validation, such as when receiving HTML mark-up from the end user. In these scenarios you should disable request validation for the smallest possible surface rather than for the whole application.

Sample Code

Vulnerable:

<system.web>
  ...
  <pages [..] enableEventValidation="false" [..]/>
  ...
</system.web>

Non-Vulnerable:

<system.web>
  ...
  <pages [..] enableEventValidation="true" [..]/>
  ...
</system.web>
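The recommendation above (keep validation on site-wide, opt out for the smallest possible surface) as an added example; this is not code from the original page. It assumes web.config keeps `validateRequest="true"` and `enableEventValidation="true"` on `<pages>` and sets `requestValidationMode="4.5"` on `<httpRuntime>`, so that the per-control `ValidateRequestMode` property (.NET Framework 4.5 and later) applies; the control names and the "other" category value are made up for the example.

```aspx
<%-- Added example, not from the original page. Both validation settings stay
     enabled site-wide; only one control opts out of request validation.
     Assumes web.config contains:
       <httpRuntime requestValidationMode="4.5" />
       <pages validateRequest="true" enableEventValidation="true" /> --%>
<%@ Page Language="C#" AutoEventWireup="true" %>

<script runat="server">
    // Only BodyMarkup opts out of request validation; Subject, Category and
    // every other posted value are still checked by ASP.NET.
    protected void Submit_Click(object sender, EventArgs e)
    {
        string subject = Subject.Text;     // validated by the framework
        string rawHtml = BodyMarkup.Text;  // NOT validated: treat as hostile

        // Never echo rawHtml back unencoded. Encoding it is the safe default;
        // rendering it as real HTML would first need an allow-list sanitizer
        // (hypothetical, not shown here).
        Preview.Text = "<b>" + HttpUtility.HtmlEncode(subject) + "</b><br/>"
                     + HttpUtility.HtmlEncode(rawHtml);
    }

    // Event validation stays on. A value that client-side script may add to
    // Category ("other", a constructed example) is registered during Render,
    // so the postback is accepted without turning enableEventValidation off.
    protected override void Render(HtmlTextWriter writer)
    {
        Page.ClientScript.RegisterForEventValidation(Category.UniqueID, "other");
        base.Render(writer);
    }
</script>

<form id="form1" runat="server">
    <asp:TextBox ID="Subject" runat="server" />
    <asp:TextBox ID="BodyMarkup" runat="server" TextMode="MultiLine"
                 ValidateRequestMode="Disabled" />
    <asp:DropDownList ID="Category" runat="server">
        <asp:ListItem Value="news">News</asp:ListItem>
        <asp:ListItem Value="blog">Blog</asp:ListItem>
    </asp:DropDownList>
    <asp:Button ID="Submit" runat="server" Text="Save" OnClick="Submit_Click" />
    <asp:Literal ID="Preview" runat="server" />
</form>
```

Posting mark-up in Subject still raises the "potentially dangerous value was detected" error, while the same mark-up in BodyMarkup reaches the handler, which is why that one field is the only place application-level validation and encoding must be applied by hand.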

References: