Dotnet

Security

mvc-missing-antiforgery

$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control

web-config-insecure-cookie-settings

Cookie Secure flag is explicitly disabled. You should enforce this value to avoid accidentally presenting sensitive cookie values over plaintext HTTP connections.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute
OWASP:
- A05:2021 - Security Misconfiguration

use_weak_rsa_encryption_padding

You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-780: Use of RSA Algorithm without OAEP
OWASP:
- A02:2021 - Cryptographic Failures

use_weak_rng_for_keygeneration

You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
OWASP:
- A02:2021 - Cryptographic Failures

use_ecb_mode

Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures

net-webconfig-trace-enabled

OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1323: Improper Management of Sensitive Trace Data
OWASP:
- A05:2021 - Security Misconfiguration

razor-template-injection

User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection

net-webconfig-debug

ASP.NET applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug to false or remove it from <compilation ... />.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
OWASP:
- A05:2021 - Security Misconfiguration

use_deprecated_cipher_algorithm

Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures