C Sharp Request Validation Disabled

Description

Detects when request validation is disabled in C# applications through attributes or modifiers. Request validation is an important security feature that helps prevent malicious input and cross-site scripting (XSS) attacks. Disabling it can expose applications to injection vulnerabilities.

Weakness:

339 - Insecure service configuration - Request Validation

Category: Functionality Abuse

Detection Strategy

    Check for the presence of attributes or modifiers on classes and methods

    Identify decorators that disable request validation, such as [ValidateInput(false)] or [RequestValidationDisabled]

    Report a vulnerability when a modifier that disables request validation is found on any class or method
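
The detection steps above, sketched as a small source scanner. This is an added example, not the detector's own implementation: the function names, the regular expressions and the sample controller are assumptions constructed for illustration. It skips commented-out attributes and names the class or method each finding decorates.

```python
import re

# One attribute section, e.g. [ValidateInput(false)] or [HttpPost, ValidateInput(false)].
ATTR_SECTION = re.compile(r"\[([^\[\]]*)\]")
# The two attributes the page names; "Attribute" is C#'s optional long-form suffix.
DISABLER = re.compile(r"\b(?:ValidateInput(?:Attribute)?\s*\(\s*false\s*\)"
                      r"|RequestValidationDisabled(?:Attribute)?\b)")
# The class or method the attribute decorates (simplified, not a full C# grammar).
DECLARATION = re.compile(r"class\s+\w+|\w+\s*\([^)]*\)")
# Regular string literals are matched first so "//" inside a string is not a comment.
STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\\n])*"|//[^\n]*|/\*.*?\*/', re.S)

def strip_comments(src):
    """Blank out comments with spaces so offsets and line numbers stay stable."""
    def blank(m):
        text = m.group(0)
        return text if text.startswith('"') else re.sub(r"[^\n]", " ", text)
    return STRING_OR_COMMENT.sub(blank, src)

def find_disabled_validation(src):
    """Return (line, declaration) for each attribute that disables request validation."""
    code = strip_comments(src)
    findings = []
    for section in ATTR_SECTION.finditer(code):
        if not DISABLER.search(section.group(1)):
            continue
        line = code.count("\n", 0, section.start()) + 1
        # Skip any further attribute sections, then take the next declaration.
        rest = ATTR_SECTION.sub(" ", code[section.end():])
        decl = DECLARATION.search(rest)
        findings.append((line, decl.group(0) if decl else "<unknown>"))
    return findings

# Constructed sample modelled on the page's vulnerable snippet (bodies are placeholders).
SAMPLE = '''public class CommentController : Controller
{
    // [ValidateInput(false)]  <- commented out, must not be reported
    [HttpPost]
    public ActionResult Preview(string content) { return View(); }
    [ValidateInput(false)]
    [HttpPost]
    public ActionResult Submit(string content) { return View(); }
}
'''

if __name__ == "__main__":
    for line, decl in find_disabled_validation(SAMPLE):
        print(f"line {line}: request validation disabled on {decl}")
```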

Vulnerable code example

using System.Web.Mvc;

public class CommentController : Controller 
{
    // VULNERABLE: Disables all request validation, allowing XSS payloads
    [ValidateInput(false)]
    [HttpPost]
    public ActionResult Submit(string content)...

Secure code example

using System.Web.Mvc;
using System.Web;

public class CommentController : Controller 
{
    // Request validation is enabled by default (no ValidateInput(false))
    [HttpPost]
    public ActionResult Submit(string content)...