Abstract:
Use the ASP.NET validation framework to prevent vulnerabilities that result from unchecked input.
Explanation:
Unchecked input is the leading cause of vulnerabilities in ASP.NET applications. Unchecked input leads to cross-site scripting,
process control, and SQL injection vulnerabilities, among others.
To prevent such attacks, use the ASP.NET validation framework to check all program input before it is processed by the
application.
Example uses of the validation framework include checking to ensure that:
- Phone number fields contain only valid characters in phone numbers
- Boolean values are only "T" or "F"
- Free-form strings are of a reasonable length and composition
Recommendations:
Although validation is on by default, you should make this explicit to prevent confusion by enabling the validation framework in
your Web.config file. An example of a typical setup is:
<configuration>
<system.web>
<pages validateRequest="true" />
</system.web>
</configuration>
