For these validators to be enforced, it is not necessary to
check the Page.IsValid property, as ASP.Net will do the check automatically. Fortunately for
an attacker, the default validators get in the way of many operations that developers want to do.
For example, default ASP.Net validation will block the submission of HTML tags. These tags are
used by many web applications to allow users to supply links to images within submitted content
such as message board posts.
Disabling ASP.Net's Default Page Validation
Popularity: 4
Simplicity: 8
Impact: 6
Risk Rating: 7
Chapter 5: .Net Security 125
Do Not Disable Page Validation
To support user scenarios such as supplying bold tags, developers often will disable
ASP.Net's page validation. This can be done in one of two ways: either on a machine-wide basis
by editing the machine.config, or on a page-by-page basis by setting the ValidateRequest
property to false. It is highly recommended that developers not disable page
validation on a machine-wide basis as this can adversely affect other applications on
the machine that may be relying on page validation for protection. Instead, if a page must
take user data, you can disable the validators specifically for that page and make sure to
validate input aggressively before placing user data directly into the response document.
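The following is an added example, not code from the book: a code-behind class for a single page that turns off ValidateRequest for that page only and then encodes all input before restoring a small allowlist of tags. The class name PostPage, the controls MessageBox and Preview, the 4000-character limit and the choice of allowed tags are assumptions made for illustration.

```csharp
// Added example. The page opts out for itself only; machine.config stays untouched:
//   <%@ Page Language="C#" ValidateRequest="false" Inherits="PostPage" %>
// On ASP.NET 4.0 and later the page-level setting is honored only when web.config
// also contains <httpRuntime requestValidationMode="2.0" />.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class PostPage : Page
{
    // Hypothetical controls declared in the .aspx markup.
    protected TextBox MessageBox;
    protected Literal Preview;

    // The only markup a user may supply: exact, attribute-free tags.
    private static readonly string[] AllowedTags = { "b", "i" };
    private const int MaxLength = 4000; // assumed limit for a message board post

    public static string SanitizeMessage(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return string.Empty;
        if (raw.Length > MaxLength) raw = raw.Substring(0, MaxLength);

        // 1. Encode everything, so no user-supplied character is live markup.
        string encoded = HttpUtility.HtmlEncode(raw);

        // 2. Restore only the allowlisted tags. Anything else, including
        //    <b onclick=...>, <B> or <script>, stays encoded and renders as text.
        foreach (string tag in AllowedTags)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }

    // Hypothetical submit handler wired up in the .aspx markup.
    protected void Submit_Click(object sender, EventArgs e)
    {
        // Literal writes its Text unencoded, so only sanitized data may reach it.
        Preview.Text = SanitizeMessage(MessageBox.Text);
    }
}
```

Because the input is encoded first and tags are restored by exact match, a submission such as `<b onmouseover="...">` never matches the allowlist and reaches the response as inert text.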