
So I have request validation off in my web application. You can add /foo?=<script> and my web application won't catch it (it doesn't filter it).

Does this make me vulnerable to attacks; should I turn it on?

Suhass

2 Answers


This depends on whether you are correctly encoding characters on output. For example, for HTML the < character should be encoded as &lt;.

If you are doing this everywhere, then you can safely turn off Request Validation.

This is a better method as some character sequences can bypass RV depending on the context in which the input is later used. For example, if the value makes it into an HTML attribute value, a sequence like

" onerror="alert('xss')

will bypass it when it is inserted into

<img src="/foo.jpg" alt="<user input>" />

as this becomes

<img src="/foo.jpg" alt="" onerror="alert('xss')" />

Also, input from sources other than ASP.NET can mean that scripts can still be inserted into your application. This is why I recommend correct output encoding rather than attempting to validate input. Globally validating input is an even bigger problem as there will always be gaps when there is no option to validate context.

SilverlightFox
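The attribute-context bypass this answer describes, as an added example that is not part of the original post and not ASP.NET's own code. The DANGEROUS pattern is my approximation of the documented ASP.NET 4 "potentially dangerous string" rule, and render_img_unencoded, render_img_encoded, attributes_of and decoded_attribute are hypothetical stand-ins for a page's rendering and for what a browser's attribute parser would see.

```python
import html
import re

# Approximation of ASP.NET request validation's "potentially dangerous" rule as
# documented for ASP.NET 4: a '<' followed by a letter, '!', '/' or '?', or the
# entity opener '&#'. Assumption: an illustrative re-implementation, not the
# framework's own code.
DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def request_validation_rejects(value: str) -> bool:
    """True when the value would trip the request-validation rule above."""
    return DANGEROUS.search(value) is not None


def render_img_unencoded(alt_text: str) -> str:
    """Vulnerable rendering: user input dropped straight into an attribute."""
    return f'<img src="/foo.jpg" alt="{alt_text}" />'


def render_img_encoded(alt_text: str) -> str:
    """Safe rendering: encode on output. quote=True also encodes " and '."""
    return f'<img src="/foo.jpg" alt="{html.escape(alt_text, quote=True)}" />'


# Crude attribute parser for one tag with double-quoted values. It exists only
# to show which attributes a browser would end up with, not to parse real HTML.
ATTR_RE = re.compile(r'\s([A-Za-z-]+)="([^"]*)"')


def attributes_of(tag: str) -> dict:
    return dict(ATTR_RE.findall(tag))


def decoded_attribute(tag: str, name: str):
    """Attribute value as the browser interprets it (entities decoded), or None."""
    value = attributes_of(tag).get(name)
    return None if value is None else html.unescape(value)


# Constructed payloads for the demonstration.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"      # caught by request validation
ATTR_PAYLOAD = '" onerror="alert(\'xss\')'        # not caught; breaks out of alt=""


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print(f"RV rejects {payload!r}: {request_validation_rejects(payload)}")
    print("unencoded:", render_img_unencoded(ATTR_PAYLOAD))
    print("  attributes:", attributes_of(render_img_unencoded(ATTR_PAYLOAD)))
    print("encoded:  ", render_img_encoded(ATTR_PAYLOAD))
    print("  attributes:", attributes_of(render_img_encoded(ATTR_PAYLOAD)))
```

Run it and the first payload is rejected while the second sails through, yet only the unencoded rendering gives the browser an onerror attribute; with attribute encoding the whole payload stays inside alt and decodes back to the literal text the user typed. That is the point of the answer: the encoder knows the output context, the request filter does not.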

Request Validation, while helpful in some scenarios, is not considered by Microsoft to be a security boundary, so should certainly not be your only defense against attacks. That said, it is a valid tool to use for defense in depth, so you should enable it unless you have a specific reason not to.

Ultimately, you need to know what the threat model for your application looks like, so you can put thoughtful mitigations in place rather than simply turning application-wide options on or off and hoping for the best.

Xander
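One way to act on this advice in an ASP.NET 4.x application, as an added example that is not part of the original answer; the web.config fragment below is a constructed illustration of the settings involved, not configuration taken from the questioner's project.

```xml
<configuration>
  <system.web>
    <!-- The questioner's situation: request validation switched off for the whole application.
         <pages validateRequest="false" /> -->

    <!-- Defense in depth: leave it on everywhere (true is also the default) ... -->
    <pages validateRequest="true" />

    <!-- ... and apply the ASP.NET 4.x rules to every HTTP request, not only to
         page requests as the legacy "2.0" mode does. -->
    <httpRuntime requestValidationMode="4.5" />
  </system.web>
</configuration>
```

If one page genuinely has to accept markup (a rich-text editor, say), opt that single page out with the ValidateRequest="false" page directive, or in 4.5 mode read just that field through Request.Unvalidated, and encode its output for the context it lands in; that keeps the global filter in place while still treating output encoding as the real control.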