
Event Validation Disabled

What does this mean ?

Event validation is an ASP.NET Web Forms feature, controlled by the enableEventValidation attribute of the <pages> element in web.config (site-wide) or the EnableEventValidation attribute of the @ Page directive (per page), that checks that every postback and callback event arriving at the server was raised by a control the server actually rendered, with an argument the server actually offered. While rendering a page, ASP.NET records the IDs of the event-raising controls and their legitimate argument values (for example the items of a DropDownList or the command arguments of a GridView) in the __EVENTVALIDATION hidden field; on postback it checks the submitted event against that record and throws an ArgumentException ("Invalid postback or callback argument") when it does not match. Event validation is distinct from request validation (the validateRequest setting), which inspects the query string, cookies and form fields for mark-up that could lead to cross-site scripting (XSS); the two settings are independent of each other.

What can happen ?

With event validation disabled, an attacker can craft a postback that fires an event on a control the server never rendered for them (for example a button that was hidden or disabled for the current user) or that submits an argument the server never offered (a DropDownList value outside the rendered list, a row index outside the bound data). A server-side handler that trusts the event because "only rendered controls can post back" is then open to parameter tampering and authorization bypass. Note that turning event validation off does not turn request validation off, so XSS exposure is governed by the separate validateRequest setting.

Recommendation

Leave event validation enabled (it is the default) for defense in depth, and keep authorizing every posted value on the server: event validation only proves that a value was rendered to some client, not that the current user is allowed to use it. Some pages legitimately need to accept events that the server did not render, for example when client-side script adds items to a list control, or when a custom control writes its own mark-up. In those cases do not disable the feature site-wide in web.config. Either register the expected values with ClientScript.RegisterForEventValidation during the page's Render phase (it can only be called from Render), or set EnableEventValidation="false" in the @ Page directive of that one page and add explicit server-side validation of the affected postback data. This keeps the unprotected surface as small as possible.

Sample Code

Vulnerable :

<system.web>
  ...
  <pages [..] enableEventValidation="false" [..]/>
  ...
</system.web>

Non Vulnerable :

<system.web>
  ...
  <pages [..] enableEventValidation="true" [..]/>
  ...
</system.web>
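The configuration above is the site-wide switch, but the same setting can be overridden per file in the @ Page, @ Control and @ Master directives, so a scan for the weak setting has to look in both places. The following script is an example added for this page, not a vendor tool or code from the original; it parses web.config with the standard XML library, matches directive attributes in .aspx/.ascx/.master sources with a regular expression, and reports every place event validation is turned off. The sample inputs at the bottom are constructed for the demonstration.

```python
"""Audit ASP.NET Web Forms sources for disabled event validation.

Example code written for this page (not part of any vendor tool). It checks
the two places the setting can be turned off: the <pages> element in
web.config (site-wide, or scoped via <location>) and the
EnableEventValidation attribute of an @ Page / @ Control / @ Master directive.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Attribute inside a Web Forms directive, e.g.
#   <%@ Page Language="C#" EnableEventValidation="false" %>
DIRECTIVE_RE = re.compile(
    r'<%@\s*(?:Page|Control|Master)\b[^%]*?'
    r'\bEnableEventValidation\s*=\s*"(?P<value>[^"]*)"',
    re.IGNORECASE | re.DOTALL,
)


def _is_false(value) -> bool:
    # ASP.NET parses the attribute as a Boolean; an absent attribute means
    # the default, which is true.
    return value is not None and value.strip().lower() == "false"


def check_web_config(xml_text: str, label: str = "web.config") -> list[str]:
    """Findings for one web.config document passed as text."""
    findings = []
    root = ET.fromstring(xml_text)
    # iter() also reaches <pages> nested under <location path="..."> elements,
    # which scope the setting to a directory or a single page.
    for pages in root.iter("pages"):
        if _is_false(pages.get("enableEventValidation")):
            findings.append(
                f'{label}: <pages enableEventValidation="false"> turns event '
                f"validation off for every page in scope"
            )
    return findings


def check_directive(text: str, label: str) -> list[str]:
    """Findings for one .aspx/.ascx/.master file passed as text."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        if _is_false(m.group("value")):
            findings.append(f'{label}: directive sets EnableEventValidation="false"')
    return findings


def scan_tree(root_dir: Path) -> list[str]:
    """Walk a project tree and collect findings from both sources."""
    findings = []
    for path in root_dir.rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        if path.name.lower() == "web.config":
            findings.extend(check_web_config(text, str(path)))
        elif path.suffix.lower() in {".aspx", ".ascx", ".master"}:
            findings.extend(check_directive(text, str(path)))
    return findings


# Constructed samples for the demonstration (not real project files).
SAMPLE_WEB_CONFIG_BAD = """<configuration>
  <system.web>
    <pages enableEventValidation="false" validateRequest="true" />
  </system.web>
</configuration>"""

SAMPLE_WEB_CONFIG_OK = """<configuration>
  <system.web>
    <pages enableEventValidation="true" />
  </system.web>
</configuration>"""

SAMPLE_PAGE_BAD = (
    '<%@ Page Language="C#" AutoEventWireup="true" '
    'EnableEventValidation="False" CodeBehind="Admin.aspx.cs" %>\n'
    '<asp:DropDownList ID="Role" runat="server" />'
)

if __name__ == "__main__":
    for finding in (check_web_config(SAMPLE_WEB_CONFIG_BAD)
                    + check_web_config(SAMPLE_WEB_CONFIG_OK)
                    + check_directive(SAMPLE_PAGE_BAD, "Admin.aspx")):
        print(finding)
```

Run scan_tree on the root of a Web Forms project to get one line per weak setting. A site-wide finding from web.config is the one to fix first; per-page findings should each be paired with the server-side validation the Recommendation section calls for.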

References