ASP.NET input validation disabled

Description

The application disables request validation for a method by using the `[ValidateInput(false)]` attribute in a controller class. This disables ASP.NET from examining requests for injection attacks such as Cross-Site-Scripting (XSS). To fix this, re-enable validation by using `ValidateInput(true)` or ensure that request data is validated and not output directly into the view.

Examples

Insecure Code

[ValidateInput(false)]
public void SomeActionMethod()
{
}

Secure Code

[ValidateInput(true)]
public void SomeActionMethod()
{
}

Remediation

Replace `[ValidateInput(false)]` with `[ValidateInput(true)]` or implement custom validation for request data.

Rule Details

Field	Value
ID	CODE-0458
Category	InsecureConfig
Severity	MEDIUM
CWE	CWE-554
Confidence	HIGH
Impact	MEDIUM
Likelihood	MEDIUM
Exploitability	MODERATE
Tags	XSS, request validation
OWASP	A6:2017-Security Misconfiguration, A05:2021-Security Misconfiguration

Overview

SAST (Application Security)

SCA (Dependencies)

Secrets Detection

IaC Security

License Compliance

SAST Rules

IaC Rules

License Rules

ASP.NET input validation disabled

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details

SAST Rules

IaC Rules

License Rules

ASP.NET input validation disabled ​

Description ​

Examples ​

Insecure Code ​

Secure Code ​

Remediation ​

Rule Details ​

ASP.NET input validation disabled

Description

Examples

Insecure Code

Secure Code

Remediation

Rule Details