User input models that are not strictly validated in controllers (in both ASP.NET MVC and Web API) can lead to a wide range of vulnerabilities, from SQL injection to business logic problems.
Here's an example controller and its Post action method, which doesn't check the validity of the input model.
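using System.Net;
using System.Net.Http;
using System.Web.Http;

public class ProductsController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Post(Product product)
    {
        // No validity check: the bound model is used exactly as received.
        // use the product; process properties, save it to database, etc.
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}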
Without any whitelist rules, attackers can freely manipulate Product properties and cause, for example, injection vulnerabilities.
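The same action with whitelist rules applied, as an added example that is not code from the original page. The page does not show the Product class, so its properties (Name, Price, Quantity) and their limits are assumptions chosen for illustration.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Net.Http;
using System.Web.Http;

// Hypothetical input model: property names and limits are assumed.
public class Product
{
    // Whitelist: letters, digits, space, dot, underscore and hyphen only.
    [Required]
    [StringLength(100, MinimumLength = 1)]
    [RegularExpression(@"^[A-Za-z0-9 ._-]+$")]
    public string Name { get; set; }

    [Range(typeof(decimal), "0.01", "100000")]
    public decimal Price { get; set; }

    [Range(0, 10000)]
    public int Quantity { get; set; }
}

public class ProductsController : ApiController
{
    [HttpPost]
    public HttpResponseMessage Post(Product product)
    {
        // An empty or unparsable body binds to null, and ModelState can still
        // report valid in that case, so check for null explicitly.
        if (product == null)
        {
            return Request.CreateErrorResponse(
                HttpStatusCode.BadRequest, "Request body is required.");
        }

        // Reject the request if any annotation rule on Product failed.
        if (!ModelState.IsValid)
        {
            return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);
        }

        // Only input that passed the whitelist reaches this point. Saving it
        // should still use parameterized queries; validation does not replace them.
        return Request.CreateResponse(HttpStatusCode.Created);
    }
}
```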