AttackFlow Findings Dictionary


Disabled Request Validation

The attacker can tamper with HTTP parameters and trigger certain attack vectors by bypassing the framework's internal validation.

Severity

High

Fix Cost

Low

Trust Level

High

Several input validation strategies are used for security:

  • Whitelisting
  • Blacklisting
  • Sanitization
  • Encoding

ASP.NET has a built-in security filter, enabled by default, that applies blacklisting to incoming HTTP requests. This filter is called Request Validation: whenever a request matches a blacklisted rule (for example, a parameter value that starts with a < character), it triggers an error instead of passing the request on to the application.

Because it relies on blacklisting, this mechanism sometimes produces false positives: legitimate input is caught and valid users receive error messages. It may then seem logical to disable request validation. However, if the application has no solid input validation strategy of its own, the last line of defence (blacklisting), albeit a weak one, is shut down as well. This may leave the application open to various syntactic vulnerabilities.

<configuration>
  <system.web>
    <pages validateRequest="false" />
  </system.web>
</configuration>

Request validation can also be disabled in individual aspx pages:

<%@ Page validateRequest="false" %>

In ASP.NET MVC applications, request validation is disabled in code using annotations:

            
[HttpPost]
[ValidateInput(false)]
public ActionResult Edit(string comment)
{
    // ...
    return View(comment);
}
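As a check for the three forms shown above, the following Python scanner (an added example, not AttackFlow's own code) flags each place where request validation is switched off. The function names, finding labels and sample file contents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# <%@ Page ... validateRequest="false" ... %> in .aspx markup
PAGE_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^>]*\bvalidateRequest\s*=\s*["\']false["\']', re.I)
# [ValidateInput(false)], alone or inside a combined attribute list
MVC_ATTRIBUTE = re.compile(r'\bValidateInput(?:Attribute)?\s*\(\s*false\s*\)')

def scan_config(text):
    """Flag every <pages validateRequest="false">, including ones nested under <location>."""
    root = ET.fromstring(text)
    return ["config:pages" for el in root.iter("pages")
            if el.get("validateRequest", "").strip().lower() == "false"]

def scan_markup(text):
    """Flag page directives that switch validation off for a single page."""
    return ["aspx:line %d" % (text.count("\n", 0, m.start()) + 1)
            for m in PAGE_DIRECTIVE.finditer(text)]

def scan_csharp(text):
    """Flag the MVC attribute; text after // on a line is ignored (naive comment handling)."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if MVC_ATTRIBUTE.search(line.split("//", 1)[0]):
            hits.append("cs:line %d" % no)
    return hits

def scan(files):
    """files maps file name -> text; returns {name: [findings]} for files with hits."""
    scanners = {".config": scan_config, ".aspx": scan_markup, ".cs": scan_csharp}
    report = {}
    for name, text in files.items():
        ext = "." + name.lower().rsplit(".", 1)[-1]
        hits = scanners.get(ext, lambda _text: [])(text)
        if hits:
            report[name] = hits
    return report

# Constructed sample inputs (not taken from a real project).
SAMPLE = {
    "Web.config": '<configuration><system.web>'
                  '<pages validateRequest="false" /></system.web></configuration>',
    "Edit.aspx": '<%@ Page Language="C#" validateRequest="false" %>\n<html></html>\n',
    "Safe.aspx": '<%@ Page Language="C#" %>\n<html></html>\n',
    "HomeController.cs": '[HttpPost]\n[ValidateInput(false)]\n'
                         'public ActionResult Edit(string comment) { return View(comment); }\n'
                         '// [ValidateInput(false)] removed from Delete\n',
}
```

Each hit marks a place where the application's own input validation and output encoding need review, since the framework filter no longer covers it.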
                   
            
