Security
mvc-missing-antiforgery
$METHOD is a state-changing MVC method that neither validates the antiforgery token nor performs strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking, so that simple HTTP requests (which never trigger a CORS preflight) cannot bypass CORS controls.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
web-config-insecure-cookie-settings
use_weak_rsa_encryption_padding
You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-780: Use of RSA Algorithm without OAEP
OWASP:
- A02:2021 - Cryptographic Failures
use_weak_rng_for_keygeneration
You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
OWASP:
- A02:2021 - Cryptographic Failures
use_ecb_mode
Usage of the insecure ECB mode detected. Use an authenticated encryption mode instead, such as the ones implemented by the AesGcm or ChaCha20Poly1305 classes.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures
net-webconfig-trace-enabled
OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1323: Improper Management of Sensitive Trace Data
OWASP:
- A05:2021 - Security Misconfiguration
razor-template-injection
User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code ('Code Injection')
OWASP:
- A03:2021 - Injection
net-webconfig-debug
ASP.NET applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug to false or remove it from <compilation ... />.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
OWASP:
- A05:2021 - Security Misconfiguration
use_deprecated_cipher_algorithm
Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures