Security
$METHOD is a state-changing MVC method that neither validates the antiforgery token nor performs strict content-type checking. State-changing controller methods should do at least one of the two. A cross-origin form POST (application/x-www-form-urlencoded, multipart/form-data or text/plain) is a "simple" request that the browser sends, cookies included, without a CORS preflight, so a page on another site can invoke the method in the victim's session unless the method requires an antiforgery token or only accepts a content type (such as application/json) that a plain form cannot produce.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
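The three shapes the rule distinguishes, as an added example (not CodeAnt's own code): a flagged action, the same action protected by an antiforgery token, and a JSON-only variant protected by content-type checking. It assumes ASP.NET Core MVC with the antiforgery services that AddControllersWithViews() registers by default; the controller and request names are illustrative.

```csharp
using Microsoft.AspNetCore.Mvc;

// Added example; assumes ASP.NET Core MVC with default antiforgery services.
public class AccountController : Controller
{
    // Flagged: a state-changing POST with no antiforgery check and no
    // content-type restriction. A cross-origin <form method="post"> is a
    // "simple" request, so the browser attaches the victim's cookies and
    // never performs a CORS preflight.
    [HttpPost]
    public IActionResult ChangeEmailUnsafe(string email)
    {
        // ... would update the signed-in user's e-mail address ...
        return Ok();
    }

    // Fix 1: require the token that the Razor <form> tag helper emits. A
    // cross-site page cannot read the token, so the forged POST fails.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult ChangeEmail(string email)
    {
        return Ok();
    }

    // Fix 2 (token-less APIs): accept only application/json. An HTML form
    // cannot send that content type, and a cross-origin fetch() that does
    // triggers a CORS preflight the server can refuse. Anything else gets 415.
    [HttpPost]
    [Consumes("application/json")]
    public IActionResult ChangeEmailJson([FromBody] ChangeEmailRequest request)
    {
        return Ok();
    }
}

public record ChangeEmailRequest(string Email);
```

Rather than annotating each action, the same protection can be applied application-wide by adding AutoValidateAntiforgeryTokenAttribute as a global MVC filter, which validates the token on every unsafe HTTP method and lets the rule's finding be cleared for the whole project.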
The cookie's Secure flag is explicitly disabled. Enforce it so the browser only sends the cookie over HTTPS; otherwise sensitive cookie values may be presented over plaintext HTTP connections, where they can be read on the wire.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP:
- A05:2021 - Security Misconfiguration
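What the rule matches and what the fix looks like, as an added example (not CodeAnt's own code) using the ASP.NET Core cookie APIs; the cookie name and helper names are illustrative:

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.CookiePolicy;
using Microsoft.AspNetCore.Http;

// Added example; assumes ASP.NET Core.
public static class SessionCookies
{
    // Flagged: Secure explicitly set to false. The browser will also send this
    // cookie on http:// requests to the same host, exposing the session token.
    public static void IssueInsecure(HttpResponse response, string token)
    {
        response.Cookies.Append("session", token, new CookieOptions
        {
            HttpOnly = true,
            Secure = false,
        });
    }

    // Fixed: HTTPS-only, unreadable from script, and not sent cross-site.
    public static void IssueSecure(HttpResponse response, string token)
    {
        response.Cookies.Append("session", token, new CookieOptions
        {
            HttpOnly = true,
            Secure = true,
            SameSite = SameSiteMode.Strict,
        });
    }

    // Defence in depth: a cookie policy that forces Secure (and HttpOnly) on
    // every cookie the application writes, whatever individual call sites pass.
    public static void UseStrictCookiePolicy(WebApplication app)
    {
        app.UseCookiePolicy(new CookiePolicyOptions
        {
            Secure = CookieSecurePolicy.Always,
            HttpOnly = HttpOnlyPolicy.Always,
            MinimumSameSitePolicy = SameSiteMode.Lax,
        });
    }
}
```

CookieSecurePolicy.Always is preferable to the default SameAsRequest in any deployment behind a TLS-terminating proxy, where the application itself may see plain HTTP and would otherwise emit insecure cookies.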
You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-780: Use of RSA Algorithm without OAEP
OWASP:
- A02:2021 - Cryptographic Failures
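The flagged call beside the corrected one, as an added example (not CodeAnt's own code) built on the System.Security.Cryptography.RSA API that ships with .NET; the class and method names are illustrative:

```csharp
using System;
using System.Security.Cryptography;

// Added example; uses only the RSA API shipped with .NET (6+).
public static class RsaEnvelope
{
    // Flagged: PKCS#1 v1.5 padding. Its format is malleable, and any decryptor
    // that reveals whether unpadding succeeded (distinct error, timing) becomes
    // a padding oracle from which the plaintext can be recovered (Bleichenbacher).
    public static byte[] EncryptPkcs1(RSA publicKey, byte[] plaintext) =>
        publicKey.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);

    // Fixed: OAEP with SHA-256. The padding is bound to the message through the
    // hash, so a failed decryption yields no usable partial information.
    public static byte[] EncryptOaep(RSA publicKey, byte[] plaintext) =>
        publicKey.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);

    public static byte[] DecryptOaep(RSA privateKey, byte[] ciphertext) =>
        privateKey.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);

    public static void Main()
    {
        using RSA rsa = RSA.Create(3072);

        // Constructed sample: in practice RSA wraps a symmetric key, not a
        // message. With a 3072-bit key and SHA-256, OAEP can wrap up to
        // 384 - 2*32 - 2 = 318 bytes in one operation.
        byte[] sessionKey = RandomNumberGenerator.GetBytes(32);

        byte[] wrapped = EncryptOaep(rsa, sessionKey);
        byte[] unwrapped = DecryptOaep(rsa, wrapped);

        Console.WriteLine(unwrapped.AsSpan().SequenceEqual(sessionKey)
            ? "OAEP round-trip OK"
            : "mismatch");

        // Decrypt throws CryptographicException on a bad ciphertext. Report
        // that to callers as a single generic failure: distinguishing padding
        // errors from other errors is exactly what turns a decryptor into an oracle.
    }
}
```

Both sides must agree on the padding: a ciphertext produced with OaepSHA256 cannot be decrypted with Pkcs1 or OaepSHA1, so when migrating an existing protocol, version the envelope format rather than trying both paddings on the decrypt side.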
You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
OWASP:
- A02:2021 - Cryptographic Failures
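The weak and the correct key-generation calls side by side, as an added example (not CodeAnt's own code); it also shows unbiased token generation from the same source. Method names are illustrative; StrongKey uses the static helpers available from .NET 6, StrongKeyLegacy the older pattern.

```csharp
using System;
using System.Security.Cryptography;

// Added example; standard .NET cryptography APIs only.
public static class KeyMaterial
{
    // Flagged: System.Random is a general-purpose PRNG with a small state whose
    // output is not designed to resist prediction. On .NET Framework its default
    // seed is Environment.TickCount, so keys created in the same millisecond are
    // identical. Never derive keys, IVs, nonces or tokens from it.
    public static byte[] WeakKey(int length)
    {
        var key = new byte[length];
        new Random().NextBytes(key);
        return key;
    }

    // Fixed: the operating system CSPRNG through RandomNumberGenerator.
    public static byte[] StrongKey(int length) =>
        RandomNumberGenerator.GetBytes(length);

    // Same source on .NET Framework / .NET Core 3.1, which lack the static helpers.
    public static byte[] StrongKeyLegacy(int length)
    {
        var key = new byte[length];
        using RandomNumberGenerator rng = RandomNumberGenerator.Create();
        rng.GetBytes(key);
        return key;
    }

    // Tokens and IDs need the same source. GetInt32 is uniform over the range,
    // so indexing the alphabet with it introduces no modulo bias.
    public static string Token(int length)
    {
        const string alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789";
        Span<char> chars = stackalloc char[length];
        for (int i = 0; i < length; i++)
            chars[i] = alphabet[RandomNumberGenerator.GetInt32(alphabet.Length)];
        return new string(chars);
    }

    public static void Main()
    {
        Console.WriteLine(Convert.ToHexString(StrongKey(32)));  // a 256-bit AES key
        Console.WriteLine(Token(24));                           // a 24-character token
    }
}
```

A sign of the weak pattern worth grepping for is `new Random(` anywhere near `Key`, `Salt`, `Iv`, `Nonce` or `Token` identifiers; a correctly seeded System.Random is still the wrong tool, because the defect is the generator, not the seed.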
Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures
OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1323: Improper Management of Sensitive Trace Data
OWASP:
- A05:2021 - Security Misconfiguration
User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
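The distinction the rule draws is between who controls the template text and who controls the model. The following added example (not CodeAnt's own code) assumes the RazorEngine 3.x static API, where Razor.Parse(template, model) compiles and runs a template; the model class, template keys and helper names are illustrative.

```csharp
using System.Collections.Generic;
using RazorEngine;   // RazorEngine 3.x static API, assumed for this example

// Added example; not the project's own code.
public class GreetingModel
{
    public string Name { get; set; } = "";
}

public static class GreetingRenderer
{
    // Flagged: the template text comes from the request. Razor templates are
    // compiled to C# and executed, so input such as
    //   @{ System.Diagnostics.Process.Start("cmd", "/c whoami"); }
    // runs arbitrary code with the privileges of the web process.
    public static string RenderUnsafe(string templateFromRequest, GreetingModel model) =>
        Razor.Parse(templateFromRequest, model);

    // Fixed: templates are developer-authored constants. Request data reaches
    // them only as model values, which @Model.Name emits through the engine's
    // default HTML encoder.
    private static readonly IReadOnlyDictionary<string, string> Templates =
        new Dictionary<string, string>
        {
            ["greeting"] = "<p>Hello, @Model.Name!</p>",
            ["farewell"] = "<p>Goodbye, @Model.Name.</p>",
        };

    // If callers may pick a template, select it by an allow-listed key; never
    // let template text itself travel in the request.
    public static string RenderSafe(string templateKey, string nameFromRequest)
    {
        if (!Templates.TryGetValue(templateKey, out string? template))
            throw new KeyNotFoundException("unknown template");

        return Razor.Parse(template, new GreetingModel { Name = nameFromRequest });
    }
}
```

Note that "user-controllable" includes indirect sources: a template stored in the database by an administrator UI, or loaded from a path built from request data, is just as much code execution as a template posted directly.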
ASP.NET applications built with debug="true" in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug="false" on <compilation ... /> or remove the attribute.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
OWASP:
- A05:2021 - Security Misconfiguration
Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures
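One added example (not CodeAnt's own code) serves both this entry and the ECB-mode entry above: a deprecated DES call and an AES-ECB call as the rules would flag them, followed by the AES-GCM replacement that both recommend, with a demonstration of why ECB is unsafe. It assumes .NET 8 for the AesGcm(key, tagSize) constructor (on .NET 6/7 use new AesGcm(key)); the sample inputs are constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example; standard .NET cryptography APIs, .NET 8 assumed.
public static class SymmetricCrypto
{
    // Flagged (deprecated cipher): DES has a 56-bit key and a 64-bit block,
    // both far too small today. TripleDES and RC2 trigger the same rule.
    public static byte[] EncryptDesCbc(byte[] key8, byte[] iv8, byte[] plaintext)
    {
        using DES des = DES.Create();
        des.Key = key8;
        des.IV = iv8;
        des.Mode = CipherMode.CBC;
        using ICryptoTransform enc = des.CreateEncryptor();
        return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Flagged (ECB): every 16-byte block is encrypted independently, so equal
    // plaintext blocks give equal ciphertext blocks, and nothing detects tampering.
    public static byte[] EncryptAesEcb(byte[] key, byte[] plaintext)
    {
        using Aes aes = Aes.Create();
        aes.Key = key;
        aes.Mode = CipherMode.ECB;
        aes.Padding = PaddingMode.PKCS7;
        using ICryptoTransform enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Fixed: AES-GCM authenticated encryption. Output layout: nonce || ciphertext || tag.
    public static byte[] EncryptAesGcm(byte[] key, byte[] plaintext, byte[] associatedData)
    {
        int nonceSize = AesGcm.NonceByteSizes.MaxSize;   // 12 bytes
        int tagSize = AesGcm.TagByteSizes.MaxSize;       // 16 bytes
        byte[] output = new byte[nonceSize + plaintext.Length + tagSize];

        Span<byte> nonce = output.AsSpan(0, nonceSize);
        Span<byte> ciphertext = output.AsSpan(nonceSize, plaintext.Length);
        Span<byte> tag = output.AsSpan(nonceSize + plaintext.Length, tagSize);

        RandomNumberGenerator.Fill(nonce);   // a nonce must never repeat under one key
        using var aes = new AesGcm(key, tagSize);
        aes.Encrypt(nonce, plaintext, ciphertext, tag, associatedData);
        return output;
    }

    public static byte[] DecryptAesGcm(byte[] key, byte[] blob, byte[] associatedData)
    {
        int nonceSize = AesGcm.NonceByteSizes.MaxSize;
        int tagSize = AesGcm.TagByteSizes.MaxSize;
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, nonceSize);
        ReadOnlySpan<byte> ciphertext = blob.AsSpan(nonceSize, blob.Length - nonceSize - tagSize);
        ReadOnlySpan<byte> tag = blob.AsSpan(blob.Length - tagSize, tagSize);

        byte[] plaintext = new byte[ciphertext.Length];
        using var aes = new AesGcm(key, tagSize);
        // Throws CryptographicException if the ciphertext, tag or associated data was altered.
        aes.Decrypt(nonce, ciphertext, tag, plaintext, associatedData);
        return plaintext;
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);
        // Constructed sample: two identical 16-byte plaintext blocks.
        byte[] repeated = Encoding.ASCII.GetBytes("0123456789abcdef0123456789abcdef");

        byte[] ecb = EncryptAesEcb(key, repeated);
        Console.WriteLine("ECB: first two ciphertext blocks equal? " +
            ecb.AsSpan(0, 16).SequenceEqual(ecb.AsSpan(16, 16)));

        byte[] aad = Encoding.ASCII.GetBytes("record-id:42");
        byte[] gcm = EncryptAesGcm(key, repeated, aad);
        Console.WriteLine("GCM: first two ciphertext blocks equal? " +
            gcm.AsSpan(12, 16).SequenceEqual(gcm.AsSpan(28, 16)));

        gcm[^1] ^= 0x01;   // flip one bit of the tag
        try { DecryptAesGcm(key, gcm, aad); }
        catch (CryptographicException) { Console.WriteLine("GCM: tampering detected"); }
    }
}
```

Running it shows the ECB ciphertext repeating its first block while the GCM ciphertext does not, and the flipped tag bit causing decryption to fail rather than return corrupted plaintext. The associated data binds the ciphertext to its context (here a record identifier) so a valid blob cannot be silently moved to another record.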