C Sharp Request Validation Disabled

Description

Detects when request validation is disabled in C# applications through code attributes or configurations. Request validation is an important security feature that helps prevent cross-site scripting (XSS) and injection attacks by validating incoming HTTP requests. Disabling this protection makes applications vulnerable to malicious input.

Weakness: 008 - Reflected cross-site scripting (XSS)

Category: Unexpected Injection

Detection Strategy

    Identifies C# code elements that have modifier attributes

    Checks for attributes or configurations that disable request validation (like [ValidateInput(false)] or [RequestValidation(false)])

    Reports a vulnerability when request validation is explicitly disabled through these attributes

    Examines class-level and method-level declarations for validation disabling modifiers
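The detection strategy above, as an added Python example (not the scanner's own code): it matches the two attribute names from the rule text with regular expressions instead of a C# parser, and reports whether each hit sits on a class or a method. The function names and the sample controller are constructed for illustration.

```python
import re

# Attribute names come from the rule text; "Attribute" is the optional C# long-form suffix.
DISABLING = re.compile(r"\b(ValidateInput|RequestValidation)(?:Attribute)?\s*\(\s*false\s*\)")
ATTR_LIST = re.compile(r"\[([^\[\]]*)\]")   # one [ ... ] attribute section
CLASS_DECL = re.compile(r"\bclass\s+(\w+)")
METHOD_DECL = re.compile(r"(\w+)\s*\(")

def strip_comments(src):
    # Drop comments but keep newlines so reported line numbers stay correct.
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def find_disabled_validation(source):
    """Return (line, attribute, kind, name) for each attribute that disables validation."""
    findings, pending = [], []
    for no, line in enumerate(strip_comments(source).splitlines(), 1):
        for attrs in ATTR_LIST.findall(line):
            pending += [(no, m.group(1)) for m in DISABLING.finditer(attrs)]
        rest = ATTR_LIST.sub("", line).strip()
        if not rest:
            continue  # attribute-only or blank line; the declaration follows later
        cls, meth = CLASS_DECL.search(rest), METHOD_DECL.search(rest)
        kind = "class" if cls else "method" if meth else "member"
        name = (cls or meth).group(1) if cls or meth else rest
        findings += [(n, attr, kind, name) for n, attr in pending]
        pending = []
    return findings

# Constructed sample controller (not from the page).
SAMPLE = '''\
[ValidateInput(false)]
public class AdminController : Controller
{
    [HttpPost, ValidateInput(false)]
    public ActionResult Save(string body) { return View(); }
    // [ValidateInput(false)]  commented out, must not be reported
    [ValidateInput(true)]
    public ActionResult Safe(string body) { return View(); }
    /* [ValidateInput(false)] */
    [ValidateInputAttribute ( false )]
    public ActionResult Import(string xml) { return View(); }
}
'''

if __name__ == "__main__":
    for finding in find_disabled_validation(SAMPLE):
        print("request validation disabled: line %d, [%s] on %s %s" % finding)
```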

Vulnerable code example

using System.Web.Mvc;

public class UserController : Controller
{
    [HttpPost]
    [ValidateInput(false)]  // VULNERABLE: Disables ALL request validation, allowing XSS attacks
    public ActionResult Submit(string userInput)
    {
        // ...
    }
}

✅ Secure code example

using System.Web.Mvc;
using System.Web;

public class UserController : Controller
{
    [HttpPost]
    // Remove ValidateInput(false) to enable default request validation
    public ActionResult Submit(string userInput)
    {
        // ...
    }
}