ASP.NET applications ship with requestValidationMode enabled by default, because it provides built-in validation that protects against code injection. Setting it to any value other than 4.5 is not recommended, as doing so disables some or all protections for HTTP requests. This check belongs to the category CWE-016, which did not previously exist in QL and corresponds to common insecure configurations.
This issue is still commonly found in ASP.NET applications, and CVEs caused by it are usually labeled as code injection vulnerabilities:
CodeQL query PR: https://github.com/Semmle/ql/pull/2356
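
A minimal checker for the setting described above, added here as an example and not taken from the CodeQL query or the linked PR: it parses a web.config and reports every httpRuntime element, site-wide or under a location override, whose requestValidationMode is explicitly set to a value other than 4.5. The sample configuration and the function name find_weak_request_validation are constructed for illustration.

```python
import xml.etree.ElementTree as ET

RECOMMENDED = "4.5"  # the only value the page treats as safe

# Constructed sample web.config: a weak site-wide value and two <location> overrides.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5" requestValidationMode="2.0" />
  </system.web>
  <location path="admin">
    <system.web>
      <httpRuntime requestValidationMode="4.5" />
    </system.web>
  </location>
  <location path="legacy/upload.aspx">
    <system.web>
      <httpRuntime requestValidationMode="4.0" />
    </system.web>
  </location>
</configuration>
"""

def find_weak_request_validation(config_xml):
    """Return (scope, value) for every httpRuntime element whose
    requestValidationMode is explicitly set to something other than 4.5."""
    root = ET.fromstring(config_xml)
    findings = []
    # Site-wide settings sit directly under <configuration>; per-path overrides
    # sit under <location path="...">, so both scopes are walked.
    scopes = [("<site>", root.find("system.web"))]
    scopes += [(loc.get("path", "<site>"), loc.find("system.web"))
               for loc in root.findall("location")]
    for scope, system_web in scopes:
        if system_web is None:
            continue
        for runtime in system_web.findall("httpRuntime"):
            value = runtime.get("requestValidationMode")
            # An absent attribute is not an explicit override, so it is not reported.
            if value is not None and value.strip() != RECOMMENDED:
                findings.append((scope, value.strip()))
    return findings

if __name__ == "__main__":
    for scope, value in find_weak_request_validation(SAMPLE_WEB_CONFIG):
        print(f"{scope}: requestValidationMode={value} (expected {RECOMMENDED})")
```

Per-path overrides matter here because a single location element can weaken validation for one page while the site-wide setting looks correct.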