ASP.NET implements a method to verify that every postback comes from the corresponding control, which is called EventValidation. In some cases the developers disable this kind of verifications by adding EnableEventValidation=”false” to the .aspx file header, or in the web.config or system.config files. This plugin finds pages that have event validation disabled. In some cases, if you analyze the logic of the program and event validation is disabled, you’ll be able to bypass authorizations or some other controls.

Plugin type



This plugin doesn’t have any user configured options.


For more information about this plugin and the associated tests, there’s always the source code to understand exactly what’s under the hood:
github-logoPlugin source code
Unittest source code


This plugin has no dependencies.