This vulnerability occurs when an ASP.NET application either completely bypasses the built-in model validation system or implements it incorrectly, allowing untrusted data to flow into the application without proper checks.
ASP.NET provides a framework for automatically validating user input against your data models, checking for required fields, data types, formats, and custom rules. When developers skip this step, by not applying validation attributes such as [Required] or [Range], by disabling validation for specific actions, or by never checking the validation result (ModelState.IsValid) before acting on the bound model, the application accepts raw, unfiltered input. This creates a direct pipeline for malicious or malformed data into your business logic and data layers, undermining all subsequent security checks.

Failing to use model validation forces you to check every piece of incoming data by hand in controller code, which is error-prone and often inconsistent. The core risk is that attackers can submit crafted requests containing unexpected values, types, or structures that the application is not designed to handle, potentially leading to data corruption, logic flaws, or injection attacks. Always enable and correctly configure model validation as the first line of defense: it is a centralized, declarative way to ensure data integrity before any processing begins.
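The following is an added example (not code from the original page) showing an ASP.NET Core action that ignores the validation result beside its hardened form; the TransferRequest model, its field names and the routes are hypothetical.

```csharp
using Microsoft.AspNetCore.Mvc;
using System.ComponentModel.DataAnnotations;

// Hypothetical request model: the attributes declare what the application is designed to accept.
public class TransferRequest
{
    [Required, StringLength(34, MinimumLength = 8)]
    public string DestinationAccount { get; set; } = string.Empty;

    // Rejects zero, negative and implausibly large amounts before any business logic runs.
    [Range(typeof(decimal), "0.01", "1000000")]
    public decimal Amount { get; set; }

    // Bounded length and a restricted character set for the free-text field.
    [StringLength(140)]
    [RegularExpression(@"^[\w\s.,-]*$")]
    public string? Memo { get; set; }
}

// Missing validation: model binding still evaluates the attributes into ModelState, but the
// result is never checked, so a negative amount or an empty account reaches the business layer.
public class UnsafeTransferController : ControllerBase
{
    [HttpPost("/transfer/unsafe")]
    public IActionResult Post([FromBody] TransferRequest request)
    {
        // Acts on whatever the client sent.
        return Ok(new { request.DestinationAccount, request.Amount, Accepted = true });
    }
}

// Hardened form: [ApiController] returns 400 automatically when ModelState is invalid; the
// explicit check documents the intent and keeps the action safe if the attribute is ever removed.
[ApiController]
public class TransferController : ControllerBase
{
    [HttpPost("/transfer")]
    public IActionResult Post([FromBody] TransferRequest request)
    {
        if (!ModelState.IsValid)
            return ValidationProblem(ModelState);   // problem-details response, no processing

        // Runs only on data that passed every declared rule.
        return Ok(new { request.DestinationAccount, request.Amount, Accepted = true });
    }
}
```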
Impact: Unexpected State
Unchecked input leads to cross-site scripting, process control, and SQL injection vulnerabilities, among others.