Get Started
- CodeAnt AI
- Control Center
- Pull Request Review
- IDE
- Compliance
- Anti-Patterns
- Code Governance
- Infrastructure Security Database
- Application Security Database
- Apex
- Bash
- C
- Clojure
- Cpp
- Csharp
- Dotnet-core
- Dotnet
- Jwt-dotnet
- Lang
- Mongo
- Postgres
- Razor
- Dockerfile
- Elixir
- Fingerprints
- Generic
- Go
- Html
- Java
- Javascript
- Json
- Kotlin
- Ocaml
- Php
- Problem-based-packs
- Python
- Ruby
- Rust
- Scala
- Solidity
- Swift
- Terraform
- Typescript
- Yaml
Cryptography
Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-347: Improper Verification of Cryptographic Signature
OWASP:
- A02:2021 - Cryptographic Failures
X509Certificate2.PrivateKey is obsolete. Use a method such as GetRSAPrivateKey() or GetECDsaPrivateKey(). Alternatively, use the CopyWithPrivateKey() method to create a new instance with a private key. Further, if you set X509Certificate2.PrivateKey to null or set it to another key without deleting it first, the private key will be left on disk.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-310: CWE CATEGORY: Cryptographic Issues
OWASP:
- A02:2021 - Cryptographic Failures
Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-295: Improper Certificate Validation
OWASP:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures