    CodeAnt AI
    Application Security Database: Csharp / Dotnet
    Security

    Audit

    ASP.NET Core MVC provides an HtmlString class (the type Html.Raw wraps its argument in) whose contents Razor writes to the response without HTML-encoding them. It must never be constructed from untrusted input: anything an attacker places in that string is emitted as live markup, which is an XSS vulnerability. Pass the value as a plain string so Razor's @ syntax encodes it, or encode it explicitly before wrapping it.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-116: Improper Encoding or Escaping of Output
    OWASP:
    - A03:2021 - Injection
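    As an added example, not code from the CodeAnt AI page, the console program below renders the same untrusted comment three ways so the difference is visible outside a view. It assumes the Microsoft.AspNetCore.Html.Abstractions package (HtmlString, HtmlContentBuilder, IHtmlContent); the comment body is a constructed sample.

```csharp
using System;
using System.IO;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Html;   // Microsoft.AspNetCore.Html.Abstractions package (assumed)

class HtmlStringDemo
{
    // Render an IHtmlContent the way Razor does: through the default HTML encoder.
    static string Render(IHtmlContent content)
    {
        using var writer = new StringWriter();
        content.WriteTo(writer, HtmlEncoder.Default);
        return writer.ToString();
    }

    static void Main()
    {
        // Constructed sample: a comment body submitted by an untrusted user.
        string untrusted = "<script>alert(document.cookie)</script>";

        // What Razor emits for @untrusted: the string goes through HtmlEncoder, so the
        // angle brackets become entities and the browser displays text, not a script.
        string encoded = HtmlEncoder.Default.Encode(untrusted);

        // What Razor emits for @Html.Raw(untrusted) or @new HtmlString(untrusted):
        // HtmlString.WriteTo ignores the encoder and writes the value verbatim, so the
        // page contains a live <script> element. This is the pattern the rule flags.
        string rendered = Render(new HtmlString(untrusted));

        // If an IHtmlContent is required (for example as a helper's return type), build it
        // with Append, which keeps the text as unencoded and encodes it at write time.
        // AppendHtml would skip encoding and reintroduce the problem.
        string safe = Render(new HtmlContentBuilder().Append(untrusted));

        Console.WriteLine("encoded : " + encoded);
        Console.WriteLine("raw     : " + rendered);   // identical to the attacker's input
        Console.WriteLine("builder : " + safe);       // identical to 'encoded'
    }
}
```

    The check to make in review is therefore not "is HtmlString used" but "does the string inside it come from a trusted source or from an encoder": a literal or server-generated fragment is fine, a request field is not.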

    XPath queries are constructed dynamically from user-controlled input. An attacker who controls part of the expression can change its structure (for example by closing a string literal and appending an always-true predicate) and thereby read nodes they are not meant to see or bypass a lookup used for authentication. Keep the expression fixed and compare user-supplied values in code, or validate the input against a strict allowlist before using it.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-643: Improper Neutralization of Data within XPath Expressions (‘XPath Injection’)
    OWASP:
    - A03:2021 - Injection
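    The following is an added example, not code from the CodeAnt AI page: a vulnerable lookup that splices the name into the expression beside a safe one that keeps the expression fixed and does the comparison in LINQ to XML. The XML document and the payload are constructed samples.

```csharp
using System;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

class XPathInjectionDemo
{
    // Constructed sample data; a real application would load this from a file or service.
    const string UsersXml = @"<users>
  <user name='alice' role='admin' />
  <user name='bob'   role='user'  />
</users>";

    // VULNERABLE: the caller's input is spliced into the XPath expression, so it can
    // rewrite the predicate instead of merely supplying a value to compare against.
    public static int CountMatchesUnsafe(string name)
    {
        var doc = new XmlDocument();
        doc.LoadXml(UsersXml);
        string expr = "//user[@name='" + name + "']";
        return doc.SelectNodes(expr)?.Count ?? 0;
    }

    // SAFE: the query structure is fixed; the user-supplied value is compared in C#,
    // where quotes, brackets and boolean operators are just characters in a string.
    public static int CountMatchesSafe(string name)
    {
        var doc = XDocument.Parse(UsersXml);
        return doc.Descendants("user")
                  .Count(u => (string?)u.Attribute("name") == name);
    }

    static void Main()
    {
        // Closes the string literal and appends an always-true predicate, turning the
        // expression into //user[@name='' or '1'='1'].
        string payload = "' or '1'='1";

        Console.WriteLine("unsafe, alice  : " + CountMatchesUnsafe("alice"));   // one user
        Console.WriteLine("unsafe, payload: " + CountMatchesUnsafe(payload));   // every user
        Console.WriteLine("safe,   payload: " + CountMatchesSafe(payload));     // no user has that name
    }
}
```

    .NET has no built-in parameterised XPath (binding variables requires a custom XsltContext), which is why moving the comparison out of the expression is the usual fix rather than an escaping routine.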

    An open directory listing appears to be enabled (in ASP.NET Core, via UseDirectoryBrowser). Directory browsing lets anyone enumerate the files under the exposed path, which can reveal backups, configuration files or other content that was never meant to be discoverable. Leave it disabled unless listing a specific folder is a requirement, and then scope it to that folder only.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-548: Exposure of Information Through Directory Listing
    OWASP:
    - A06:2017 - Security Misconfiguration
    - A01:2021 - Broken Access Control
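    As an added example (not configuration from the CodeAnt AI page), a hypothetical Program.cs shows the flagged call beside a narrowed one. It assumes a folder named public-downloads under the content root; the folder name and request path are illustrative.

```csharp
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.FileProviders;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDirectoryBrowser();   // service required by UseDirectoryBrowser
var app = builder.Build();

app.UseStaticFiles();

// FINDING: enables directory browsing for the whole web root at "/". Every file under
// wwwroot, including anything copied there by mistake such as backups or .env files,
// becomes enumerable without knowing its name.
// app.UseDirectoryBrowser();

// If listing is a genuine requirement, expose exactly one dedicated folder under an
// explicit request path; everything else stays unlisted. The folder must exist, or
// PhysicalFileProvider throws at startup. If listing is not required, call neither:
// directory browsing is off by default.
string downloads = Path.Combine(builder.Environment.ContentRootPath, "public-downloads"); // hypothetical folder
app.UseDirectoryBrowser(new DirectoryBrowserOptions
{
    FileProvider = new PhysicalFileProvider(downloads),
    RequestPath = "/downloads"
});

app.Run();
```

    Keeping the listed folder outside wwwroot, as above, also means a file dropped into the web root is served only to someone who already knows its path, not to anyone who browses to "/".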

    A mass assignment (autobinding) vulnerability lets an attacker carry out an over-posting attack: by adding a parameter the form never offered (for example IsAdmin=true) to the request, they can set any bindable property of the underlying model, because the framework binds every matching property it finds. Bind to a view model that exposes only the fields the action is meant to change, or restrict binding with [Bind] or an explicit include list.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
    OWASP:
    - A08:2021 - Software and Data Integrity Failures
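    The controller below is an added example, not code from the CodeAnt AI page: one action binds the whole entity and can be over-posted, the others bind only what the form may change. AppUser, IUserRepository and EditProfileInput are hypothetical types introduced for the illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;

// Hypothetical entity. IsAdmin may only be changed by an administrator, never by the profile form.
public class AppUser
{
    public int Id { get; set; }
    public string Name { get; set; } = "";
    public string Email { get; set; } = "";
    public bool IsAdmin { get; set; }
}

// Hypothetical persistence abstraction; any implementation will do.
public interface IUserRepository
{
    Task<AppUser?> FindAsync(int id);
    Task SaveAsync(AppUser user);
}

// The view model exposes exactly the fields the profile form is allowed to change.
public class EditProfileInput
{
    public string Name { get; set; } = "";
    public string Email { get; set; } = "";
}

public class ProfileController : Controller
{
    private readonly IUserRepository _users;
    public ProfileController(IUserRepository users) => _users = users;

    // VULNERABLE: the entity itself is the action parameter. The HTML form only contains
    // Name and Email, but model binding fills every public settable property it finds in
    // the request, so a POST that also carries IsAdmin=true promotes the caller.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> EditUnsafe(AppUser user)
    {
        await _users.SaveAsync(user);
        return RedirectToAction(nameof(Index));
    }

    // SAFE: bind a view model, then copy the permitted fields onto the stored entity.
    // IsAdmin is never read from request data, so over-posting it has no effect.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> EditSafe(int id, EditProfileInput input)
    {
        if (!ModelState.IsValid) return View(input);
        var user = await _users.FindAsync(id);
        if (user is null) return NotFound();
        user.Name = input.Name;
        user.Email = input.Email;
        await _users.SaveAsync(user);
        return RedirectToAction(nameof(Index));
    }

    // ALTERNATIVE: keep the entity as the parameter but whitelist the bindable properties.
    // A property missing from the list (IsAdmin) is ignored even if present in the request.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> EditWithBind([Bind("Id,Name,Email")] AppUser user)
    {
        var stored = await _users.FindAsync(user.Id);
        if (stored is null) return NotFound();
        stored.Name = user.Name;
        stored.Email = user.Email;
        await _users.SaveAsync(stored);
        return RedirectToAction(nameof(Index));
    }

    public IActionResult Index() => View();
}
```

    The view-model form is the one to prefer: a [Bind] list silently goes stale when someone adds a property to the entity, whereas a view model has to be edited deliberately to expose a new field.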

    A misconfigured lockout mechanism lets an attacker brute-force passwords without limit. In ASP.NET Core Identity the lockout policy (MaxFailedAccessAttempts, DefaultLockoutTimeSpan, AllowedForNewUsers) only takes effect when the sign-in call is made with lockoutOnFailure: true; account lockout must be both correctly configured and enabled to prevent these attacks.
    Likelihood: LOW
    Confidence: LOW
    CWE:
    - CWE-307: Improper Restriction of Excessive Authentication Attempts
    OWASP:
    - A07:2021 - Identification and Authentication Failures
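    As an added example, not code from the CodeAnt AI page, a hypothetical Program.cs configures the lockout policy and shows the sign-in call that silently disables it beside the one that honours it. It assumes the Microsoft.AspNetCore.Identity.EntityFrameworkCore and Microsoft.EntityFrameworkCore.InMemory packages; AppUser, AppDbContext, LoginRequest and LoginService are names introduced for the illustration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("demo")); // in-memory store for the example

builder.Services.AddIdentity<AppUser, IdentityRole>(options =>
{
    // Lockout policy: five failed attempts lock the account for fifteen minutes.
    // AllowedForNewUsers already defaults to true; it is set here so the policy is
    // explicit in code review.
    options.Lockout.MaxFailedAccessAttempts = 5;
    options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
    options.Lockout.AllowedForNewUsers = true;
}).AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (LoginRequest req, SignInManager<AppUser> signIn, ILogger<Program> log) =>
{
    var result = await LoginService.SignInAsync(signIn, req.UserName, req.Password);
    if (result.IsLockedOut)
        log.LogWarning("Account {User} is locked out", req.UserName);
    // Same response for wrong password and locked account, so the endpoint does not
    // tell an attacker which accounts exist or when a lockout window starts.
    return result.Succeeded ? Results.Ok() : Results.Unauthorized();
});

app.Run();

record LoginRequest(string UserName, string Password);

class AppUser : IdentityUser { }

class AppDbContext : IdentityDbContext<AppUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

static class LoginService
{
    // FINDING: lockoutOnFailure: false means failed attempts are never recorded, so the
    // policy configured above never triggers and passwords can be guessed without limit.
    public static Task<SignInResult> SignInUnsafe(SignInManager<AppUser> signIn, string user, string pw) =>
        signIn.PasswordSignInAsync(user, pw, isPersistent: false, lockoutOnFailure: false);

    // FIX: count failures so the configured policy applies.
    public static Task<SignInResult> SignInAsync(SignInManager<AppUser> signIn, string user, string pw) =>
        signIn.PasswordSignInAsync(user, pw, isPersistent: false, lockoutOnFailure: true);
}
```

    Both halves matter: options without lockoutOnFailure: true are dead configuration, and lockoutOnFailure: true with MaxFailedAccessAttempts left at an unreasonably high value is a policy that never fires in practice.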

    Anonymous access should not be allowed unless it is explicit by design. The access control check is missing (in ASP.NET Core, [AllowAnonymous] disables every [Authorize] attribute and fallback policy on the endpoint), so it can be bypassed. This finding violates the principles of least privilege and deny by default: access should be granted only to a specific set of roles or users, or to requests that satisfy a custom policy.
    Likelihood: LOW
    Confidence: MEDIUM
    CWE:
    - CWE-862: Missing Authorization
    OWASP:
    - A01:2021 - Broken Access Control
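    The following is an added example, not code from the CodeAnt AI page: a hypothetical Program.cs that installs a deny-by-default fallback policy, and a controller in which one action carries the [AllowAnonymous] the rule flags, one relies on the inherited role check, and one is deliberately public. Cookie authentication is used only because it needs no extra package; the routes and role name are illustrative.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie();
builder.Services.AddAuthorization(options =>
{
    // Deny by default: an endpoint that carries no [Authorize]/[AllowAnonymous] of its own
    // still requires an authenticated user, so a forgotten attribute no longer opens it.
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/reports")]
[Authorize(Roles = "Finance")]   // default for every action in this controller
public class ReportsController : ControllerBase
{
    // FINDING: [AllowAnonymous] wins over the controller's [Authorize] and over the fallback
    // policy, so this action is reachable with no credentials at all. Unless being public is
    // a documented design decision, this is a missing authorization check.
    [AllowAnonymous]
    [HttpGet("{id}")]
    public IActionResult GetUnsafe(int id) => Ok(new { id, content = "quarterly figures" });

    // FIX: no override; the Finance role requirement inherited from the controller applies.
    [HttpGet("{id}/summary")]
    public IActionResult GetSafe(int id) => Ok(new { id, content = "summary" });

    // Legitimate exception: an intentionally public endpoint that returns nothing sensitive,
    // marked explicitly so the decision is visible in code review.
    [AllowAnonymous]
    [HttpGet("health")]
    public IActionResult Health() => Ok("ok");
}
```

    With the fallback policy in place, every [AllowAnonymous] in the code base is an explicit exception that reviewers can enumerate, which is exactly the inventory this rule asks for.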

    LDAP queries are constructed dynamically from user-controlled input. An attacker who controls part of the filter can close the intended assertion and append their own, turning a lookup of one account into an arbitrary LDAP query that enumerates the directory or bypasses an authentication check. Escape the filter metacharacters (backslash, *, (, ) and NUL) before inserting values, or validate them against a strict allowlist.
    Likelihood: MEDIUM
    Confidence: MEDIUM
    CWE:
    - CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)
    OWASP:
    - A01:2017 - Injection
    - A03:2021 - Injection
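    As an added example, not code from the CodeAnt AI page, the program below builds a search filter the vulnerable way and with RFC 4515 value escaping, and runs a constructed payload through both. The DirectorySearcher call appears only in a comment because System.DirectoryServices is Windows-only; the filter strings themselves need no directory to inspect.

```csharp
using System;
using System.Text;

static class LdapFilter
{
    // Escape a value for use inside an LDAP search filter (RFC 4515 section 3): the five
    // characters that have meaning in a filter are replaced by a backslash and two hex digits.
    public static string Escape(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // VULNERABLE: the caller's input is concatenated into the filter unchanged.
    public static string BuildUnsafe(string username) =>
        "(&(objectClass=user)(sAMAccountName=" + username + "))";

    // SAFE: the same filter, but the value cannot contain filter syntax.
    public static string BuildSafe(string username) =>
        "(&(objectClass=user)(sAMAccountName=" + Escape(username) + "))";
}

class LdapInjectionDemo
{
    static void Main()
    {
        // Constructed payload: closes the sAMAccountName assertion and adds a wildcard
        // assertion that every entry satisfies.
        string payload = "*)(objectClass=*";

        Console.WriteLine("unsafe: " + LdapFilter.BuildUnsafe(payload));
        Console.WriteLine("safe  : " + LdapFilter.BuildSafe(payload));

        // The string that is eventually sent is the one assigned to DirectorySearcher.Filter
        // (System.DirectoryServices, Windows only), e.g.:
        //   using var entry = new DirectoryEntry("LDAP://dc.example.com");   // hypothetical host
        //   using var searcher = new DirectorySearcher(entry) { Filter = LdapFilter.BuildSafe(payload) };
    }
}
```

    With the payload above, BuildUnsafe yields `(&(objectClass=user)(sAMAccountName=*)(objectClass=*))`, a filter every user object satisfies, while BuildSafe yields `(&(objectClass=user)(sAMAccountName=\2a\29\28objectClass=\2a))`, which is a literal account name that matches nothing. Escaping is for values inside a filter only; a value that becomes part of a distinguished name follows the different rules of RFC 4514.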
