#csharp
Rulesets (2)
Rules (68)
returntocorpThe web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exit to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name). Refer to https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html for more information on how to fiw each case.
returntocorpPotential inter-process write of RegionInfo $RI via $PIPESTREAM $P that was instantiated with a two-character culture code $REGION. Per .NET documentation, if you want to persist a RegionInfo object or communicate it between processes, you should instantiate it by using a full culture name rather than a two-letter ISO region code.
returntocorpJWT Security Token must be considered invalid if it does not have an expiration time. A JWT Security Token can be compromised, and an attacker can exploit a non-expiring token with unlimited time.
returntocorpThe HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol.
returntocorpXmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
returntocorpTypeNameHandling $TYPEHANDLER is unsafe and can lead to arbitrary code execution in the context of the process. Use a custom SerializationBinder whenever using a setting other than TypeNameHandling.None.
returntocorpThis code contains bidirectional (bidi) characters. While this is useful for support of right-to-left languages such as Arabic or Hebrew, it can also be used to trick language parsers into executing code in a manner that is different from how it is displayed in code editing and review tools. If this is not what you were expecting, please review this code in an editor that can reveal hidden Unicode characters.
returntocorpDouble.Epsilon is defined by .NET as the smallest value that can be added to or subtracted from a zero-value Double. It is unsuitable for equality comparisons of non-zero Double values. Furthermore, the value of Double.Epsilon is framework and processor architecture dependent. Wherever possible, developers should prefer the framework Equals() method over custom equality implementations.
returntocorpString interpolation in log message obscures the distinction between variables and the log message. Use structured logging instead, where the variables are passed as additional arguments and the interpolation is performed by the logging library. This reduces the possibility of log injection and makes it easier to search through logs.
returntocorpThe TokenValidationParameters.$LIFETIME is set to $FALSE, this means the JWT tokens lifetime is not validated. This can lead to an JWT token being used after it has expired, which has security implications. It is recommended to validate the JWT lifetime to ensure only valid tokens are used.
returntocorpValidating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.
returntocorpAccepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.
returntocorpString argument $A is used to read or write data from a file via Path.Combine without direct sanitization via Path.GetFileName. If the path is user-supplied data this can lead to path traversal.
returntocorpThe software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
returntocorpThe HSTS HTTP response security header is missing, allowing interaction and communication to be sent over the insecure HTTP protocol.
returntocorpA query string parameter may contain a URL value that could cause the web application to redirect the request to a malicious website controlled by an attacker. Make sure to sanitize this parameter sufficiently.
returntocorpDetected a formatted string in a SQL statement. This could lead to SQL injection if variables in the SQL statement are not properly sanitized. Use a prepared statements instead. You can obtain a PreparedStatement using 'SqlCommand' and 'SqlParameter'.
returntocorpSSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
returntocorpSSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
returntocorpSSRF is an attack vector that abuses an application to interact with the internal/external network or the machine itself.
returntocorpThe web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Many different options exist to fix this issue depending the use case (Application can send request only to identified and trusted applications, Application can send requests to ANY external IP address or domain name).
returntocorpStacktrace information is displayed in a non-Development environment. Accidentally disclosing sensitive stack trace information in a production environment aids an attacker in reconnaissance and information gathering.
returntocorpXmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
returntocorpXmlReaderSettings found with DtdProcessing.Parse on an XmlReader handling a string argument from a public method. Enabling Document Type Definition (DTD) parsing may cause XML External Entity (XXE) injection if supplied with user-controllable data.
returntocorpLDAP queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an arbitrary LDAP query execution.
returntocorpMass assignment or Autobinding vulnerability in code allows an attacker to execute over-posting attacks, which could create a new parameter in the binding request and manipulate the underlying object in the application.
returntocorpA misconfigured lockout mechanism allows an attacker to execute brute-force attacks. Account lockout must be correctly configured and enabled to prevent these attacks.
returntocorpAnonymous access shouldn't be allowed unless explicit by design. Access control checks are missing and potentially can be bypassed. This finding violates the principle of least privilege or deny by default, where access should only be permitted for a specific set of roles or conforms to a custom policy or users.
returntocorpUser-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
returntocorpUsage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.
returntocorpUsage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
returntocorpYou are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
returntocorpYou are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.
returntocorpAn open directory listing is potentially exposed, potentially revealing sensitive information to attackers.
returntocorpXPath queries are constructed dynamically on user-controlled input. This vulnerability in code could lead to an XPath Injection exploitation.
returntocorp$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.
returntocorpSending the trusted CA list increases the size of the handshake request and can leak system configuration information.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Insufficient permissions to view rule definition Upgrade to Semgrep Team tier to see this Pro rule. Visit https://semgrep.dev/pricing to learn how to upgrade.
Having the annotation [OutputCache] will disable the annotation [Authorize] for the requests following the first one.
The HttpOnly flag is not set for the cookie. An attacker could perform XSS with a malicious script.
The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session.
When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or the software might be deceived into accepting spoofed data that appears to originate from a trusted host.
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
The cipher text produced is susceptible to alteration by an adversary. The cipher provides no way to detect that the data has been tampered with. If the cipher text can be controlled by an attacker, it could be altered without detection. The use of AES in CBC mode with a HMAC is recommended guaranteeing integrity and confidentiality.
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
The use of a predictable random value can lead to vulnerabilities when used in certain security critical contexts.
An attacker could send a link to the victim. By visiting the malicious link, a web page would trigger a POST request (because it is a blind attack - the attacker doesn’t see a response from triggered request and has no use from GET request and GET requests should not change a state on the server by definition) to the website. The victim would not be able to acknowledge that an action is made in the background, but his cookie would be automatically submitted if he is authenticated to the website. This attack does not require special interaction other than visiting a website.
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
Unvalidated redirects occur when an application redirects a user to a destination URL specified by a user supplied parameter that is not validated. Such vulnerabilities can be used to facilitate phishing attacks.
The highlighted API is used to execute a system command. If unfiltered input is passed to this API, it can lead to arbitrary command execution.
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
The method identified is susceptible to injection. The input should be validated and properly escaped.
The method identified is susceptible to injection. The input should be validated and properly escaped.
The method identified is susceptible to injection. The input should be validated and properly escaped.
The endpoint is potentially accessible to not authorized users. If it contains sensitive information, like log files for example, it may lead to privilege escalation.
The method identified is susceptible to injection. The input should be validated and properly escaped.
The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory..
Input validation is a first line of defence for a variety of different attacks and should be enabled per default. Please do not forget to use @Html.AntiForgeryToken() in your view.
A potential XSS was found. The endpoint returns a variable from the client input that has not been encoded. To protect against stored XSS attacks, make sure any dynamic content coming from user or data store cannot be used to inject JavaScript on a page. Most modern frameworks will escape dynamic content by default automatically (Razor for example)