Config Files Config Request Validation Disabled
Description
Detects when ASP.NET request validation has been disabled through web.config settings. Request validation is a critical security feature that helps prevent cross-site scripting (XSS) attacks by blocking potentially malicious content in HTTP requests. Disabling it exposes the application to injection attacks.
Detection Strategy
• Search for web.config files in ASP.NET applications
• Look for <system.web> configuration sections
• Check for <pages> elements that have validateRequest="false"
• Report a vulnerability when request validation is explicitly disabled
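The strategy above, implemented as an added example (not Fluid Attacks' own detector): it parses a web.config, walks both the site-wide <system.web> section and any <location>-scoped overrides, and reports each <pages> element whose validateRequest is explicitly "false". The sample web.config is constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample web.config (not from the page): request validation is
# disabled site-wide and again in a <location> override for the Admin path.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages validateRequest="false" />
    <httpRuntime enableVersionHeader="true" />
  </system.web>
  <location path="Admin">
    <system.web>
      <pages validateRequest="False" />
    </system.web>
  </location>
  <location path="Public">
    <system.web>
      <pages validateRequest="true" />
    </system.web>
  </location>
</configuration>
"""


def find_disabled_request_validation(config_xml: str) -> List[Dict[str, str]]:
    """Return one finding per <pages> element under <system.web> whose
    validateRequest attribute is explicitly "false" (case-insensitive).
    An absent attribute is not reported, because ASP.NET enables request
    validation by default."""
    root = ET.fromstring(config_xml)
    # The site-wide section and every <location>-scoped section are checked,
    # since a <location> block can override the site-wide setting per path.
    scopes = [("<site>", root)] + [
        (loc.get("path", "(unspecified path)"), loc) for loc in root.iter("location")
    ]
    findings = []
    for scope, parent in scopes:
        for system_web in parent.findall("system.web"):
            for pages in system_web.findall("pages"):
                value = pages.get("validateRequest")
                if value is not None and value.strip().lower() == "false":
                    findings.append({"scope": scope, "value": value})
    return findings


if __name__ == "__main__":
    for finding in find_disabled_request_validation(SAMPLE_WEB_CONFIG):
        print(f"request validation disabled in scope {finding['scope']}: "
              f"validateRequest=\"{finding['value']}\"")
```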
Vulnerable code example
<!-- web.config -->
<configuration>
  <system.web>
    <!-- Disabling request validation exposes the app to XSS and injection attacks -->
    <pages validateRequest="false" />
    <httpRuntime enableVersionHeader="true" />
  </system.web>
</configuration>
✅ Secure code example
<!-- web.config -->
<configuration>
  <system.web>
    <!-- Enable request validation to prevent XSS and injection attacks -->
    <pages validateRequest="true" />
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>