ASP.NET event validation disabled
Description
The application has disabled ASP.NET event validation by setting the enableEventValidation property to false in the Page configuration. Event validation is a security mechanism that ensures postback events and callbacks originate from the server-rendered controls and have not been tampered with. Disabling this feature removes an important defense layer that prevents attackers from manipulating control values and event targets during form submissions.
Remediation
Enable event validation globally in the application's web.config file by setting enableEventValidation to true in the pages section. Remove any page-level directives that disable this setting:
In web.config:
<configuration>
  <system.web>
    <pages enableEventValidation="true" />
  </system.web>
</configuration>
Remove from individual .aspx pages:
<%@ Page EnableEventValidation="false" %> <!-- Remove this -->
After enabling event validation, thoroughly test all postback functionality to ensure legitimate operations work correctly. If specific pages require event validation to be disabled due to dynamic control generation, implement robust server-side input validation to verify all submitted values against expected ranges and business rules before processing.
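To find every place the remediation above has to touch, the following added example (not part of the original advisory) scans a source tree for `<pages enableEventValidation="false">` in web.config files, including inside `<location>` elements, and for `@ Page` directives in .aspx files that disable the setting. The function names and sample inputs are constructed for illustration, and web.config files are assumed to be well-formed XML.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# @ Page directive attributes are case-insensitive; web.config attributes are not.
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
DISABLED_ATTR = re.compile(r"\bEnableEventValidation\s*=\s*[\"']\s*false\s*[\"']", re.I)

def config_findings(xml_data):
    """Return the scope of every <pages enableEventValidation="false"> element."""
    found = []
    def walk(node, scope):
        tag = node.tag.split("}")[-1]          # ignore an XML namespace, if any
        if tag == "location":                  # <location path="..."> narrows the scope
            scope = node.get("path") or "(whole application)"
        if tag == "pages" and (node.get("enableEventValidation") or "").strip().lower() == "false":
            found.append(scope)
        for child in node:
            walk(child, scope)
    walk(ET.fromstring(xml_data), "(whole application)")
    return found

def page_findings(aspx_text):
    """Return 1-based line numbers of @ Page directives that disable event validation."""
    return [aspx_text.count("\n", 0, m.start()) + 1
            for m in PAGE_DIRECTIVE.finditer(aspx_text)
            if DISABLED_ATTR.search(m.group(1))]

def scan_tree(root):
    """Walk a source tree and return (relative path, detail) for each finding."""
    results = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        name, rel = path.name.lower(), path.relative_to(root).as_posix()
        if name == "web.config":
            results += [(rel, f"pages scope: {s}") for s in config_findings(path.read_bytes())]
        elif name.endswith(".aspx"):
            text = path.read_text(encoding="utf-8-sig", errors="replace")
            results += [(rel, f"line {n}") for n in page_findings(text)]
    return results

# Constructed sample inputs (not taken from any real application).
SAMPLE_CONFIG = """<configuration>
  <system.web><pages enableEventValidation="true" /></system.web>
  <location path="Admin/Import.aspx">
    <system.web><pages enableEventValidation="false" /></system.web>
  </location></configuration>"""
SAMPLE_PAGE = '<%-- header --%>\n<%@ Page Language="C#"\n    enableeventvalidation="False" %>\n<html></html>\n'
if __name__ == "__main__":
    print(config_findings(SAMPLE_CONFIG), page_findings(SAMPLE_PAGE))
```

Calling `scan_tree` on the application root returns one entry per override, so a `<location>`-scoped exception is reported even when the global setting is already `true`.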