CodeQL queries 1.25

Name: Page request validation is disabled

Description: ASP.NET pages should not disable the built-in request validation.

ID: cs/web/request-validation-disabled

Kind: problem

Severity: warning

Query: ASPNetPagesValidateRequest.ql
/**
 * @name Page request validation is disabled
 * @description ASP.NET pages should not disable the built-in request validation.
 * @kind problem
 * @problem.severity warning
 * @id cs/web/request-validation-disabled
 * @tags security
 *       frameworks/asp.net
 *       external/cwe/cwe-16
 */

import csharp
import semmle.code.asp.WebConfig

from SystemWebXMLElement web, XMLAttribute requestvalidateAttribute
where
  requestvalidateAttribute = web.getAChild("pages").getAttribute("validateRequest") and
  requestvalidateAttribute.getValue().toLowerCase() = "false"
select requestvalidateAttribute, "The 'validateRequest' attribute is set to 'false'."

Request validation is a feature in ASP.NET that protects web applications against potentially malicious content in requests, specifically against cross-site scripting attacks (XSS).

Recommendation

Enable the directive validateRequest in your web.config file: <pages validateRequest="true" />

Example

The following example shows the validateRequest flag set to false in a Web.config file for ASP.NET. This disables request validation and leaves the web application vulnerable to common XSS attacks:

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

If validateRequest is set to true, validation is enabled:

<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>
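The CodeQL query above flags a pages element under system.web whose validateRequest attribute equals "false" regardless of case. The following Python script is an added example, not part of this page or of the CodeQL project, that applies the same check outside CodeQL, for instance in a pre-commit hook or a build step. It goes slightly beyond the query text in one respect: it also inspects system.web sections nested in location elements, which ASP.NET uses to override settings for a sub-path. The three Web.config documents embedded in it are constructed samples, and an absent attribute is treated as "not disabled" (ASP.NET's default for validateRequest is true).

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config contents (not taken from the page).
DISABLED_GLOBALLY = """<configuration>
  <system.web>
    <pages validateRequest="False" />
  </system.web>
</configuration>"""

ENABLED = """<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>"""

# Validation left at its default at the root but switched off for /Admin
# through a <location> override.
DISABLED_FOR_PATH = """<configuration>
  <system.web>
    <pages />
  </system.web>
  <location path="Admin">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>"""


def _pages_elements(parent):
    """Yield every <pages> element found under a <system.web> child of parent.
    Children are walked by hand so the dotted tag name "system.web" needs no
    XPath handling."""
    for system_web in parent:
        if system_web.tag == "system.web":
            for child in system_web:
                if child.tag == "pages":
                    yield child


def _is_disabled(pages):
    """Mirror the query's condition: attribute present and equal to "false",
    compared case-insensitively. A missing attribute means the ASP.NET
    default (validation enabled), so it is not reported."""
    value = pages.get("validateRequest")
    return value is not None and value.lower() == "false"


def find_disabled_request_validation(config_xml):
    """Return a list of (scope, attribute_value) tuples, one per <pages>
    element that disables request validation. scope is "<root>" for the
    top-level <system.web> section or the path of the <location> element
    that carries the override."""
    root = ET.fromstring(config_xml)
    findings = []
    for pages in _pages_elements(root):
        if _is_disabled(pages):
            findings.append(("<root>", pages.get("validateRequest")))
    for location in root:
        if location.tag != "location":
            continue
        scope = location.get("path", "<root>")
        for pages in _pages_elements(location):
            if _is_disabled(pages):
                findings.append((scope, pages.get("validateRequest")))
    return findings


if __name__ == "__main__":
    for name, doc in (("global", DISABLED_GLOBALLY),
                      ("enabled", ENABLED),
                      ("per-path", DISABLED_FOR_PATH)):
        for scope, value in find_disabled_request_validation(doc):
            print(f"{name}: validateRequest={value!r} in scope {scope}")
```

Running the script reports the global sample and the Admin override and stays silent for the enabled sample; in a real audit, pass the text of each Web.config in the repository to find_disabled_request_validation and fail the build on a non-empty result.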
