Security

Audit

razor-use-of-htmlstring

ASP.NET Core MVC provides an HtmlString class whose content is not HTML-encoded when Razor writes it to the response. It must never be built from untrusted input: any markup or script in that input is emitted verbatim, which is an XSS vulnerability.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-116: Improper Encoding or Escaping of Output
OWASP:
- A03:2021 - Injection
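As an added example (not code from this rule page), a helper that renders a hypothetical user-supplied comment string two ways; `CommentRenderer` and its method names are assumptions for illustration. A Razor view would call it as `@CommentRenderer.RenderSafe(Model.Comment)`; Razor writes an `IHtmlContent` without encoding it, which is exactly why wrapping raw input in `HtmlString` is dangerous.

```csharp
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Html;

// Added example, not from the rule page. CommentRenderer is a hypothetical helper.
public static class CommentRenderer
{
    // FLAGGED by razor-use-of-htmlstring: the untrusted text is wrapped in HtmlString,
    // so Razor emits it verbatim. With untrustedText = "<img src=x onerror=alert(1)>"
    // the attacker's script runs in every visitor's browser.
    public static IHtmlContent RenderUnsafe(string untrustedText)
    {
        return new HtmlString("<p class=\"comment\">" + untrustedText + "</p>");
    }

    // SAFE: HtmlContentBuilder.Append() encodes the value at render time, while
    // AppendHtml() emits only the markup written by the developer.
    public static IHtmlContent RenderSafe(string untrustedText)
    {
        var builder = new HtmlContentBuilder();
        builder.AppendHtml("<p class=\"comment\">");
        builder.Append(untrustedText);          // encoded: angle brackets become &lt; and &gt;
        builder.AppendHtml("</p>");
        return builder;
    }

    // Equivalent when an HtmlString is genuinely required: encode explicitly first,
    // then mark the result as safe. Only developer-written markup stays raw.
    public static IHtmlContent RenderSafeExplicit(string untrustedText)
    {
        string encoded = HtmlEncoder.Default.Encode(untrustedText);
        return new HtmlString("<p class=\"comment\">" + encoded + "</p>");
    }
}
```

The same rule applies to `@Html.Raw(...)`, which also bypasses encoding; the check during review is whether the argument can contain anything that did not originate in the application's own source.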

xpath-injection

An XPath query is built by string concatenation from user-controlled input. An attacker can inject XPath operators and predicates to change the query's meaning (XPath injection), for example to make an authentication lookup match any node or to read nodes the query was never meant to return.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-643: Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
OWASP:
- A03:2021 - Injection
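As an added example (not code from this rule page), a user lookup over a constructed XML document, first with the flagged concatenation and then with two defences: an allow-list on the value's shape, and a literal builder that uses `concat()` because XPath 1.0 has no escape sequence for quotes. `UserLookup`, the sample XML and the method names are assumptions for illustration.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml.XPath;

// Added example, not from the rule page. The document and functions are constructed.
public static class UserLookup
{
    // Constructed sample data.
    private const string SampleXml =
        "<users>" +
        "  <user name='alice' role='admin'/>" +
        "  <user name='bob' role='user'/>" +
        "</users>";

    // FLAGGED by xpath-injection: the user-controlled name is concatenated into the query.
    // name = "' or '1'='1" yields /users/user[@name='' or '1'='1'], which matches every
    // user, so a check built on this lookup succeeds for any input.
    public static string? RoleUnsafe(string name)
    {
        var nav = new XPathDocument(new StringReader(SampleXml)).CreateNavigator();
        var node = nav.SelectSingleNode("/users/user[@name='" + name + "']");
        return node?.GetAttribute("role", "");
    }

    // Defence 1: allow-list the shape of the value before it reaches the query.
    private static readonly Regex UserNameShape = new Regex("^[A-Za-z0-9_.-]{1,64}$");

    // Defence 2: always embed the value as a string literal. A value containing both
    // quote kinds is split and rejoined with concat(), so it can never become an
    // operator or a predicate. Use this alone when free text must be accepted.
    public static string ToXPathLiteral(string value)
    {
        if (!value.Contains('\''))
            return "'" + value + "'";
        if (!value.Contains('"'))
            return "\"" + value + "\"";
        var parts = value.Split('\'').Select(p => "'" + p + "'");
        return "concat(" + string.Join(", \"'\", ", parts) + ")";
    }

    public static string? RoleSafe(string name)
    {
        if (!UserNameShape.IsMatch(name))
            throw new ArgumentException("user name contains disallowed characters", nameof(name));
        var nav = new XPathDocument(new StringReader(SampleXml)).CreateNavigator();
        var node = nav.SelectSingleNode("/users/user[@name=" + ToXPathLiteral(name) + "]");
        return node?.GetAttribute("role", "");
    }

    public static void Main()
    {
        Console.WriteLine(RoleUnsafe("' or '1'='1"));   // "admin": the injected predicate matched alice
        Console.WriteLine(RoleSafe("bob"));             // "user"
        try { RoleSafe("' or '1'='1"); }
        catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```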

open-directory-listing

Directory browsing appears to be enabled, so a request for a folder URL returns a listing of its contents. This can reveal file names, backups and configuration files that an attacker would otherwise have to guess.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-548: Exposure of Information Through Directory Listing
OWASP:
- A06:2017 - Security Misconfiguration
- A01:2021 - Broken Access Control
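As an added example (not code from this rule page), a minimal ASP.NET Core `Program.cs` with the flagged global directory browser left commented out and a listing confined to one dedicated folder instead; the `public-downloads` folder and `/downloads` path are assumptions for illustration.

```csharp
// Added example, not from the rule page.
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);

// Required only if UseDirectoryBrowser is used anywhere.
builder.Services.AddDirectoryBrowser();

var app = builder.Build();

// FLAGGED by open-directory-listing: lists every file and folder under wwwroot
// to anyone who requests a folder URL, so forgotten backups, .env files or
// source maps become discoverable by browsing.
// app.UseDirectoryBrowser();

// Serve static files without an index: a request for a folder returns 404
// unless a default document is configured.
app.UseStaticFiles();

// If a listing is genuinely required, confine it to one dedicated folder and
// request path, and keep that folder free of anything sensitive. This middleware
// runs before authorization, so [Authorize] on controllers does not protect it.
var downloads = Path.Combine(app.Environment.ContentRootPath, "public-downloads");
if (Directory.Exists(downloads))
{
    app.UseDirectoryBrowser(new DirectoryBrowserOptions
    {
        FileProvider = new PhysicalFileProvider(downloads),
        RequestPath = "/downloads"
    });
}

app.Run();
```

For applications hosted under IIS, the equivalent check is that `web.config` does not carry `<directoryBrowse enabled="true" />`.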

mass-assignment

The action binds request data directly onto a domain object (mass assignment, also called autobinding). An attacker can over-post: add parameters to the request that the form never exposed and thereby set properties the user should not control, such as a role flag or a price.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
OWASP:
- A08:2021 - Software and Data Integrity Failures
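As an added example (not code from this rule page), a controller that binds an entity directly beside one that binds a purpose-built request model, with an in-memory store so it runs without a database; `User`, `ProfileController` and the store are assumptions for illustration.

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.ModelBinding;

// Added example, not from the rule page. Entity, store and controller are constructed.
public class User
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    public bool IsAdmin { get; set; }   // privileged: must never come from a request
}

public class UpdateProfileRequest
{
    // Only the fields a user is allowed to change. No IsAdmin, no Id.
    public string Email { get; set; } = "";
}

public class ProfileController : Controller
{
    private static readonly List<User> Users = new()
    {
        new User { Id = 1, Email = "alice@example.com", IsAdmin = false }
    };

    // FLAGGED by mass-assignment: the entity is bound straight from the request.
    // POST /Profile/UpdateUnsafe with body Id=1&Email=a@x&IsAdmin=true
    // sets IsAdmin even though the form never exposed that field.
    [HttpPost]
    public IActionResult UpdateUnsafe(User user)
    {
        var existing = Users.First(u => u.Id == user.Id);
        existing.Email = user.Email;
        existing.IsAdmin = user.IsAdmin;   // over-posted value persisted
        return Ok(existing);
    }

    // SAFE: bind a request model that exposes only writable fields and copy them
    // onto the entity explicitly. The id comes from the authenticated caller,
    // not from the body.
    [HttpPost]
    public IActionResult UpdateSafe(UpdateProfileRequest request)
    {
        int callerId = 1;   // assumption: would be read from User.Identity claims
        var existing = Users.First(u => u.Id == callerId);
        existing.Email = request.Email;
        return Ok(existing);
    }
}

// Alternative when the entity itself must be bound: exclude the privileged
// property from binding at the model level.
public class UserWithBindNever
{
    public int Id { get; set; }
    public string Email { get; set; } = "";
    [BindNever]
    public bool IsAdmin { get; set; }
}
```

`[Bind("Email")]` on the action parameter is a third option, but it is easy to forget when a new property is added to the entity; a separate request model fails safe because new entity properties are not bindable until someone adds them deliberately.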

misconfigured-lockout-option

A lockout mechanism that is disabled or misconfigured lets an attacker guess passwords without limit. Account lockout must be enabled and configured with a bounded number of failed attempts and a lockout window so that brute-force attacks are throttled.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-307: Improper Restriction of Excessive Authentication Attempts
OWASP:
- A07:2021 - Identification and Authentication Failures
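As an added example (not code from this rule page), ASP.NET Core Identity configured with a bounded lockout, with the flagged settings shown commented out, and a login action that actually enables lockout counting; `AppDbContext`, `IdentitySetup` and `AccountController` are assumptions for illustration, while the option names are those of ASP.NET Core Identity.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// Added example, not from the rule page. Context and controller are constructed.
public class AppDbContext : IdentityDbContext<IdentityUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

public static class IdentitySetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentity<IdentityUser, IdentityRole>(options =>
        {
            // FLAGGED by misconfigured-lockout-option: either setting lets an
            // attacker try passwords without limit.
            // options.Lockout.AllowedForNewUsers = false;
            // options.Lockout.MaxFailedAccessAttempts = int.MaxValue;

            // Correct: bounded attempts, a real lockout window, applied to every account.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        })
        .AddEntityFrameworkStores<AppDbContext>()
        .AddDefaultTokenProviders();
    }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;

    public AccountController(SignInManager<IdentityUser> signInManager)
    {
        _signInManager = signInManager;
    }

    [HttpPost]
    public async Task<IActionResult> Login(string email, string password)
    {
        // The options above only take effect when lockoutOnFailure is true;
        // passing false means failed attempts are never counted.
        var result = await _signInManager.PasswordSignInAsync(
            email, password, isPersistent: false, lockoutOnFailure: true);

        if (result.IsLockedOut)
            return StatusCode(423, "Account temporarily locked. Try again later.");
        if (!result.Succeeded)
            return Unauthorized("Invalid credentials.");   // same message for unknown user and wrong password
        return Ok();
    }
}
```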

missing-or-broken-authorization

Anonymous access should not be allowed unless it is an explicit design decision. Access-control checks are missing here and can potentially be bypassed. This violates least privilege and deny-by-default: access should be granted only to a specific set of roles or users, or according to a custom policy.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-862: Missing Authorization
OWASP:
- A01:2021 - Broken Access Control
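As an added example (not code from this rule page), a deny-by-default authorization setup beside a controller where one action opts itself out with `[AllowAnonymous]`; `AuthorizationSetup`, `AdminController` and the `CanManageUsers` policy are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Added example, not from the rule page. Setup class, controller and policy are constructed.
public static class AuthorizationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // Deny by default: every endpoint without its own [Authorize] or
            // [AllowAnonymous] requires an authenticated user.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();

            // Named policy for a rule that is more than membership of one role
            // can be expressed here; this one simply requires the Admin role.
            options.AddPolicy("CanManageUsers", policy => policy.RequireRole("Admin"));
        });
    }
}

[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public IActionResult Users() => Ok("user list");

    // FLAGGED by missing-or-broken-authorization: [AllowAnonymous] overrides the
    // class-level [Authorize], so an unauthenticated caller can delete users.
    [AllowAnonymous]
    [HttpPost]
    public IActionResult DeleteUserUnsafe(int id) => Ok($"deleted {id}");

    // Correct: the class-level role check still applies, and the policy makes
    // the requirement explicit at the action.
    [HttpPost]
    [Authorize(Policy = "CanManageUsers")]
    public IActionResult DeleteUser(int id) => Ok($"deleted {id}");
}
```

The fallback policy only works if `app.UseAuthentication()` and `app.UseAuthorization()` are in the pipeline, in that order, before the endpoints are mapped; review both the attributes and the middleware order when triaging this finding.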

ldap-injection

An LDAP filter is built by string concatenation from user-controlled input. An attacker can inject filter metacharacters to execute an arbitrary LDAP query, for example to make an authentication lookup match any entry or to enumerate directory contents.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
OWASP:
- A01:2017 - Injection
- A03:2021 - Injection
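As an added example (not code from this rule page), a `DirectorySearcher` lookup with the flagged concatenation beside a version that applies RFC 4515 escaping to the filter value; `LdapLookup`, the `uid` attribute and the filter shape are assumptions for illustration, and `System.DirectoryServices` requires Windows or the corresponding NuGet package.

```csharp
using System.DirectoryServices;
using System.Text;

// Added example, not from the rule page. Class and filter are constructed.
public static class LdapLookup
{
    // FLAGGED by ldap-injection: uid is concatenated into the filter. With uid = "*"
    // the filter becomes (uid=*), which matches every person, so a lookup meant to
    // find one account returns the first of all of them; "*)(uid=*" style payloads
    // go further and rewrite the filter structure itself.
    public static SearchResult? FindUnsafe(DirectoryEntry root, string uid)
    {
        using var searcher = new DirectorySearcher(root)
        {
            Filter = "(&(objectClass=person)(uid=" + uid + "))"
        };
        return searcher.FindOne();
    }

    // RFC 4515 escaping for assertion values: each metacharacter becomes a \xx hex
    // escape, so the value can only ever match literally.
    // EscapeFilterValue("*)(uid=*") returns @"\2a\29\28uid=\2a".
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    public static SearchResult? FindSafe(DirectoryEntry root, string uid)
    {
        using var searcher = new DirectorySearcher(root)
        {
            Filter = "(&(objectClass=person)(uid=" + EscapeFilterValue(uid) + "))"
        };
        return searcher.FindOne();
    }
}
```

This escaping is for values inside a search filter only. A value placed into a distinguished name (for example when constructing a bind DN) needs the different RFC 4514 escaping, and a password should be verified by binding as the user, never by placing it in a filter.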