Invicti detected that ASP.NET ValidateRequest is globally disabled inside of the ASP.NET application. This check adds protection from markup or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes.

When the ASP.NET ValidateRequest is globally disabled, that makes it easier for an attacker to perform Cross-site Scripting (XSS) attacks. If the request validation detects an input that may be malicious, such as markup or code in the request, the request validation helps to prevent this kind of attack by throwing a “potentially dangerous value was detected” error and halting page processing.

ValidateRequest should only be disabled on certain pages where, for instance, the user is expected to post HTML content. Even then, the number of allowed HTML tags should be limited.