All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.sonar.plugins.csharp.S5753.html Maven / Gradle / Ivy

There is a newer version: 10.2.0.105762
Show newest version

ASP.NET 1.1+ comes with a feature called Request Validation, preventing the server to accept content containing un-encoded HTML. This feature comes as a first protection layer against Cross-Site Scripting (XSS) attacks and act as a simple Web Application Firewall (WAF) rejecting requests potentially containing malicious content.

While this feature is not a silver bullet to prevent all XSS attacks, it helps to catch basic ones. It will for example prevent <script type="text/javascript" src="https://malicious.domain/payload.js"> to reach your Controller.

Note: Request Validation feature being only available for ASP.NET, no Security Hotspot is raised on ASP.NET Core applications.

Ask Yourself Whether

  • the developer doesn’t know the impact to deactivate the Request Validation feature
  • the web application accepts user-supplied data
  • all user-supplied data are not validated

There is a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

  • Activate the Request Validation feature for all HTTP requests

Sensitive Code Example

At Controller level:

[ValidateInput(false)]
public ActionResult Welcome(string name)
{
  ...
}

At application level, configured in the Web.config file:

<configuration>
   <system.web>
      <pages validateRequest="false" />
      ...
      <httpRuntime requestValidationMode="0.0" />
   </system.web>
</configuration>

Compliant Solution

At Controller level:

[ValidateInput(true)]
public ActionResult Welcome(string name)
{
  ...
}

or

public ActionResult Welcome(string name)
{
  ...
}

At application level, configured in the Web.config file:

<configuration>
   <system.web>
      <pages validateRequest="true" />
      ...
      <httpRuntime requestValidationMode="4.5" />
   </system.web>
</configuration>

See





© 2015 - 2024 Weber Informatics LLC | Privacy Policy