mvc-missing-antiforgery
$METHOD is a state-changing MVC method that does not validate the antiforgery token or do strict content-type checking. State-changing controller methods should either enforce antiforgery tokens or do strict content-type checking to prevent simple HTTP request types from bypassing CORS preflight controls.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-352: Cross-Site Request Forgery (CSRF)
OWASP:
- A01:2021 - Broken Access Control
web-config-insecure-cookie-settings
use_weak_rsa_encryption_padding
You are using the outdated PKCS#1 v1.5 encryption padding for your RSA key. Use the OAEP padding instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-780: Use of RSA Algorithm without OAEP
OWASP:
- A02:2021 - Cryptographic Failures
use_weak_rng_for_keygeneration
You are using an insecure random number generator (RNG) to create a cryptographic key. System.Random must never be used for cryptographic purposes. Use System.Security.Cryptography.RandomNumberGenerator instead.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
OWASP:
- A02:2021 - Cryptographic Failures
use_ecb_mode
Usage of the insecure ECB mode detected. You should use an authenticated encryption mode instead, which is implemented by the classes AesGcm or ChaCha20Poly1305.
Likelihood: HIGH
Confidence: HIGH
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures
net-webconfig-trace-enabled
OWASP guidance recommends disabling tracing for production applications to prevent accidental leakage of sensitive application information.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-1323: Improper Management of Sensitive Trace Data
OWASP:
- A05:2021 - Security Misconfiguration
razor-template-injection
User-controllable string passed to Razor.Parse. This leads directly to code execution in the context of the process.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
OWASP:
- A03:2021 - Injection
net-webconfig-debug
ASP.NET applications built with debug set to true in production may leak debug information to attackers. Debug mode also affects performance and reliability. Set debug to false or remove it from <compilation ... />
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
OWASP:
- A05:2021 - Security Misconfiguration
use_deprecated_cipher_algorithm
Usage of deprecated cipher algorithm detected. Use Aes or ChaCha20Poly1305 instead.
Likelihood: HIGH
Confidence: MEDIUM
CWE:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
OWASP:
- A02:2021 - Cryptographic Failures