Request validation has been disabled for a component of the application. Possibilities include:
A web.config file has validateRequest set to false (<pages validateRequest="false" />)
An ASPX page has ValidateRequest="false" in the page directive (<%@ Page ValidateRequest="false" ...)
An MVC Controller action has [ValidateInput(false)] attribute
ASP.NET Request Validation helps prevent several types of attacks including XSS by detecting potentially dangerous character sequences.
Recommendation
Enable request validation for the application and each of its components.
Request Validation can be enabled in web.config by changing the pages configuration section's validateRequest value to "true", as is shown in this example: <pages validateRequest="true" />.
Request Validation for ASPX pages is inherited from the web.config setting by default. Enable request validation in web.config and remove instances of ValidateRequest="false" from ASPX pages' page directives.
Request Validation for MVC Controller actions is inherited from the web.config setting by default. Enable request validation in web.config and remove the [ValidateInput(false)] attribute from controller actions.
Vulnerability ID: W1II-3EBL-DFZU-OY6T
Application Name: test
Vulnerability Link: https://apptwo.contrastsecurity.com/Contrast/static/ng/index.html#/6119fcd6-5a74-48e8-aff8-092520138ef3/applications/5352360a-ecd4-4b7b-b40d-2e8af08acbea/vulns/W1II-3EBL-DFZU-OY6T
What Happened?
The configuration in \WebGoatCoins\ProductDetails.aspx had ValidateRequest set to false in the following section of the page directive:
<%@ Page Title="" Language="C#" ValidateRequest="false" MasterPageFile="~/Resources/Master-Pages/Site.Master" AutoEventWireup="true" CodeBehind="ProductDetails.aspx.cs" Inherits="OWASP.WebGoat.NET.WebGoatCoins.ProductDetails" %>
What's the risk?
Request validation has been disabled for a component of the application. ASP.NET Request Validation helps prevent several types of attacks, including XSS, by detecting potentially dangerous character sequences.
Recommendation
Enable request validation for the application and each of its components.
First Event
(no event)
Last Event
(no event)
HTTP Request
(No HTTP Request)
References
http://msdn.microsoft.com/en-us/library/hh882339.aspx