
ASP.NET HTTP request validation feature should not be disabled

    Details

    • Message:
      Enable input validation for this HttpPost method
    • Highlighting:
      The HttpPostAttribute
    • Default Severity:
      Major
    • Impact:
      Low
    • Likelihood:
      High
    • Targeted languages:
      VB.Net
    • Covered Languages:
      C#
    • Irrelevant for Languages:
      ABAP, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Swift, T-SQL, TypeScript, VB6, XML
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      5min
    • Analysis Scope:
      Main Sources
    • CWE:
      CWE-79
    • OWASP:
      A7
    • SANS Top 25:
      Insecure Interaction Between Components

      Description

      ASP.NET has a request validation feature that rejects HTTP requests containing potentially dangerous content that could be used to perform a cross-site scripting (XSS) attack. There is no reason to disable this mechanism, even if other checks to prevent XSS attacks are in place.

      This rule raises an issue when a method that has parameters is marked with System.Web.Mvc.HttpPostAttribute but not with System.Web.Mvc.ValidateInputAttribute(true).

      Noncompliant Code Example

      using System.Web.Mvc;

      public class FooBarController : Controller
      {
          [HttpPost] // Noncompliant: request validation is explicitly disabled
          [ValidateInput(false)]
          public ActionResult Purchase(string input)
          {
              return Foo(input); // Foo: the application's own handler, not shown
          }

          [HttpPost] // Noncompliant: no ValidateInput(true) on a POST action with parameters
          public ActionResult PurchaseSomethingElse(string input)
          {
              return Foo(input);
          }
      }
      

      Compliant Solution

      using System.Web.Mvc;

      public class FooBarController : Controller
      {
          [HttpPost]
          [ValidateInput(true)] // Compliant: request validation stays enabled
          public ActionResult Purchase(string input)
          {
              return Foo(input); // Foo: the application's own handler, not shown
          }
      }
      

      Exceptions

      Parameterless methods marked with System.Web.Mvc.HttpPostAttribute will not trigger this issue.
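      The rule's condition and its exception, expressed as a reflection-based audit that a team could run over its own MVC assembly. This is an added example, not part of this ticket and not SonarSource's analyzer: it uses only the System.Web.Mvc attributes named above (HttpPostAttribute, ValidateInputAttribute) plus System.Reflection, applies the ticket's wording literally (attributes are checked on the method, not on the controller class), and the FooBarController it scans is constructed here to mirror the ticket's snippets.

```csharp
// Added example (not from the RSPEC-4564 ticket or SonarSource's analyzer):
// audit a loaded assembly for HttpPost actions that take parameters and are
// not marked with ValidateInput(true), as the ticket describes the rule.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public static class RequestValidationAudit
{
    // Returns "Controller.Action" for every public action that would raise the issue.
    public static IEnumerable<string> FindNoncompliantActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            var actions = controller.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly);
            foreach (var action in actions)
            {
                if (IsNoncompliant(action))
                    yield return controller.Name + "." + action.Name;
            }
        }
    }

    public static bool IsNoncompliant(MethodInfo action)
    {
        // Only actions marked [HttpPost] are in scope.
        if (!action.IsDefined(typeof(HttpPostAttribute), inherit: true))
            return false;

        // Exception from the ticket: parameterless actions bind no request data.
        if (action.GetParameters().Length == 0)
            return false;

        // Compliant only when ValidateInput(true) is present on the method itself;
        // a missing attribute or ValidateInput(false) both raise the issue.
        var validate = action.GetCustomAttribute<ValidateInputAttribute>(inherit: true);
        return validate == null || !validate.EnableValidation;
    }
}

// Constructed sample controller mirroring the ticket's code examples.
public class FooBarController : Controller
{
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Purchase(string input) { return new EmptyResult(); }            // flagged

    [HttpPost]
    public ActionResult PurchaseSomethingElse(string input) { return new EmptyResult(); } // flagged

    [HttpPost]
    [ValidateInput(true)]
    public ActionResult PurchaseChecked(string input) { return new EmptyResult(); }     // compliant

    [HttpPost]
    public ActionResult Ping() { return new EmptyResult(); }                             // exception: no parameters
}

public static class Program
{
    public static void Main()
    {
        var hits = RequestValidationAudit.FindNoncompliantActions(typeof(FooBarController).Assembly);
        foreach (var hit in hits)
            Console.WriteLine("Enable input validation for this HttpPost method: " + hit);
    }
}
```

      Running this against an assembly reports the same two actions the ticket marks as noncompliant and stays silent on the compliant and parameterless ones; it is a quick way to confirm the rule's scope before enabling it, or to spot-check a code base where the analyzer is not yet wired in.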

      People

      • Assignee:
        Unassigned
      • Reporter:
        Alexandre Gigleux