A web.config's pages section or ASPX file's page directive has enableEventValidation set to false. ASP.NET event validation verifies that control events for a page originated from the page that includes that control. For example, event validation prevents an attacker from providing a value for a dropdown list control that was not in the original list of control values.
Recommendation
ASP.NET event validation can be enabled by changing enableEventValidation to "true", as shown in this example:
In web.config files:
<pages enableEventValidation="true" />
Event validation is enabled by default for ASPX pages. Instances of EnableEventValidation="false" in ASPX pages' page directives should be removed or set to "true".
Vulnerability ID: G1KR-9BPS-W3L8-SU7F
Application Name: test
Vulnerability Link: https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/6119fcd6-5a74-48e8-aff8-092520138ef3/applications/5352360a-ecd4-4b7b-b40d-2e8af08acbea/vulns/G1KR-9BPS-W3L8-SU7F
What Happened?
The configuration in \Content\HeaderInjection.aspx had enableEventValidation set to false in the following section of the page directive:
<%@ Page Title="" Language="C#" MasterPageFile="~/Resources/Master-Pages/Site.Master" AutoEventWireup="true" CodeBehind="HeaderInjection.aspx.cs" Inherits="OWASP.WebGoat.NET.HeaderInjection" EnableEventValidation="false" %>
First Event
(no event)
Last Event
(no event)
HTTP Request
(No HTTP Request)
References
http://msdn.microsoft.com/en-us/library/y123fsf7.aspx
http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx