<!DOCTYPE html>
<html lang="en">
<head>
<title>Rules - Roslyn Security Guard</title>
<meta charset="utf-8">
<link href="css/bootstrap.min.css" media="screen" rel="stylesheet">
<link href="css/bootstrap-theme.min.css" media="screen" rel="stylesheet">
<link href="//fonts.googleapis.com/css?family=Ubuntu:400,500,700,400italic" rel="stylesheet" type="text/css">
<link href="css/font-awesome.min.css" media="screen" rel="stylesheet">
<!-- Custom styles -->
<link href="css/styles.css" media="screen" rel="stylesheet">
<!-- Mobile support -->
<meta content="width=device-width, initial-scale=1" name="viewport">
<meta property="og:locale" content="en_US" />
<meta property="og:type" content="website" />
<meta property="og:title" content="Roslyn Security Guard" />
<meta property="og:description" content="Security Guard is a set of Roslyn analyzers that aim to help security audits on .NET applications." />
<meta property="og:site_name" content="Roslyn Security Guard" />
<meta name="twitter:card" content="summary" />
<meta name="twitter:description" content="Security Guard is a set of Roslyn analyzers that aim to help security audits on .NET applications." />
<meta name="twitter:title" content="Roslyn Security Guard" />
<meta name="keywords" content="security,owasp,csharp,c#,vb,.net,dotnet,asp.net,mvc,scanner,vulnerability,injection" />
<!-- IE 6-8 support of HTML 5 elements -->
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<![endif]-->
<script type="text/javascript">
window.location.href = "https://security-code-scan.github.io/#Rules";
</script>
</head>
<body>
<a id="skippy" class="sr-only sr-only-focusable" href="#content"><div class="container"><span class="skiplink-text">Skip to main content</span></div></a>
<header class="navbar navbar-default navbar-fixed-top" id="top" role="banner">
<div class="container">
<div class="navbar-header">
<button class="navbar-toggle collapsed" type="button" data-toggle="collapse" data-target="#vertx-navbar-collapse">
<span class="sr-only">Toggle navigation</span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
<span class="icon-bar"></span>
</button>
<a href="/" class="navbar-brand"><img alt="Security Guard Logo" src="images/logo-small.png"></a>
</div>
<nav class="collapse navbar-collapse" id="vertx-navbar-collapse">
<ul class="nav navbar-nav navbar-right">
<li><a href="index.htm">Download</a></li>
<li><a href="#comingsoon">Tutorial</a></li>
<li><a href="rules.htm">Rules</a></li>
</ul>
</nav>
</div>
</header>
<div class="index-header jumbotron jumbotron-ad hidden-print">
<div class="container">
<h1><i class="fa fa-bug"></i> Rules</h1>
<div class="header-text">The rules are various bug patterns that can be found by the analyzers.</div>
</div>
</div>
<section id="rules" class="rules-list">
<div class="container highlight highlight-left">
<a name="SG0017"></a>
<h3>Request validation is disabled</h3>
<p>Request validation is disabled. Request validation allows the filtering of some XSS patterns submitted to the application.</p> <a href="SG0017.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0016"></a>
<h3>Controller method is vulnerable to CSRF</h3>
<p>The annotation [ValidateAntiForgeryToken] is missing.</p> <a href="SG0016.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0015"></a>
<h3>Hardcoded password</h3>
<p>The password configuration for this API appears to be hardcoded. It is suggested to externalize configuration such as passwords to avoid leaking secret information.</p> <a href="SG0015.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0014"></a>
<h3>Potential SQL injection</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0014.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0013"></a>
<h3>Weak cipher mode</h3>
<p>The ciphertext produced is susceptible to alteration by an adversary. This means that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. The use of AES in CBC mode with an HMAC is recommended, guaranteeing both integrity and confidentiality.</p> <a href="SG0013.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0012"></a>
<h3>ECB mode is weak</h3>
<p>ECB mode will produce the same ciphertext for identical plaintext blocks (i.e. 16-byte blocks for AES). An attacker may be able to guess the encrypted message. The use of AES in CBC mode with an HMAC is recommended, guaranteeing both integrity and confidentiality.</p> <a href="SG0012.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0011"></a>
<h3>CBC mode is weak</h3>
<p>This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposes the difference between a plaintext with invalid padding and one with valid padding.</p> <a href="SG0011.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0010"></a>
<h3>Weak cipher algorithm</h3>
<p>DES/3DES is not considered a strong cipher for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES/3DES.</p> <a href="SG0010.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0019"></a>
<h3>OutputCache annotation is disabling authorization checks</h3>
<p>Having the annotation [OutputCache] will disable the annotation [Authorize] for the requests following the first one: the cached response is served without the authorization check being run again.</p> <a href="SG0019.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0018"></a>
<h3>Path traversal</h3>
<p>The file path passed to this API is susceptible to path traversal attacks. With a malicious relative path, an attacker could reach a sensitive file.</p> <a href="SG0018.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0027"></a>
<h3>Potential SQL injection with WebControls</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0027.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0024"></a>
<h3>View state MAC is disabled (Future)</h3>
<p>View state MAC is disabled. The view state could be altered by an attacker. (This feature cannot be disabled in recent versions of ASP.NET.)</p> <a href="SG0024.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0003"></a>
<h3>Potential XPath injection with XmlDocument</h3>
<p>The dynamic value passed to the XPath query should be validated.</p> <a href="SG0003.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0004"></a>
<h3>Certificate Validation has been disabled</h3>
<p>Certificate Validation has been disabled. The communication could be intercepted.</p> <a href="SG0004.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0005"></a>
<h3>Weak random generator</h3>
<p>The random numbers generated could be predicted.</p> <a href="SG0005.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0006"></a>
<h3>Weak hashing function</h3>
<p>MD5 and SHA1 are no longer considered strong hashing algorithms for password storage and signature generation.</p> <a href="SG0006.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0007"></a>
<h3>XML parsing vulnerable to XXE</h3>
<p>The XML parser is configured incorrectly. The operation could be vulnerable to XML eXternal Entity (XXE) processing.</p> <a href="SG0007.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0008"></a>
<h3>The cookie is missing security flag Secure</h3>
<p>It is recommended to set the Secure flag on new cookies.</p> <a href="SG0008.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0009"></a>
<h3>The cookie is missing security flag HttpOnly</h3>
<p>It is recommended to set the HttpOnly flag on new cookies.</p> <a href="SG0009.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0028"></a>
<h3>Potential SQL injection with SqlUtility</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0028.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0029"></a>
<h3>Potential XSS vulnerability</h3>
<p>The endpoint returns a variable from the client input that has not been encoded.</p> <a href="SG0029.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0026"></a>
<h3>Potential SQL injection with MsSQL Data Provider</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0026.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0001"></a>
<h3>Potential command injection with Process.Start</h3>
<p>The dynamic value passed to the command execution should be validated.</p> <a href="SG0001.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0002"></a>
<h3>Potential SQL injection with LINQ API</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0002.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0025"></a>
<h3>Potential SQL injection with Odbc API</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0025.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0022"></a>
<h3>Event validation is disabled</h3>
<p>Event validation is disabled. The integrity of client-side controls will not be validated on postback.</p> <a href="SG0022.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0023"></a>
<h3>View state is not encrypted (Future)</h3>
<p>View state is not encrypted. Controls may leak sensitive data that could be read client-side.</p> <a href="SG0023.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0020"></a>
<h3>Potential SQL injection with OleDb API</h3>
<p>The dynamic value passed in the SQL query should be validated.</p> <a href="SG0020.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
<a name="SG0021"></a>
<h3>Request validation has been disabled (Future)</h3>
<p>Request validation, which provided additional protection against Cross-Site Scripting (XSS), has been disabled.</p> <a href="SG0021.htm" class="btn-info btn-sm" role="button">More Details</a>
<hr/>
</div>
</section>
<br/><br/><br/><br/>
<section id="rules" class="rules-list">
<div class="container">
<p>
<a name="configuration-files"></a>
* The analysis of configuration files can be done, but Roslyn does not currently allow the <a href="https://github.com/dotnet-security-guard/roslyn-security-guard/issues/8">reporting of errors in static files</a>.
</p>
</div>
</section>
<footer>
<div class="highlight-gray">
<div class="container footer text-center">
<p>.NET Security Guard is open source licensed under the <a href="https://www.gnu.org/licenses/lgpl-3.0.en.html">GNU Lesser General Public License 3.0 (LGPL)</a>.</p>
</div>
</div>
</footer>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
<script src="js/bootstrap.min.js"></script>
<!-- Google Analytics -->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-90570539-1', 'auto');
ga('send', 'pageview');
</script>
</body>
</html>