In my line of work I am often given the solution before the problem, that is to suggest, well meaning engineers often pass on suggestions for problems they have found. Today's example included avoiding some errors we were seeing by setting the ValidateRequest flag to false in the Web.Config file.

For example, when the Validate Request flag is set false you are able to send scripts to the server as follows.

image

The ValidateRequest flag is design to mitigate the problems of cross site scripting (XSS) and produce a much more defensive response to script injections as follows.

image

Now to be safer all headers, cookies, query strings, form fields and hidden fields should be verified for invalid characters and character sequences by the developer regardless of what this flag is set, also if this flag needs to be modified it should be done on a page by page basis and with extreme caution.

Technorati tags: ,