Cryptography
unsigned-security-token
unsigned-security-token
Accepting unsigned security tokens as valid security tokens allows an attacker to remove its signature and potentially forge an identity. As a fix, set RequireSignedTokens to be true.
Likelihood: MEDIUM
Confidence: MEDIUM
CWE:
- CWE-347: Improper Verification of Cryptographic Signature
OWASP:
- A02:2021 - Cryptographic Failures
X509Certificate2-privkey
X509Certificate2-privkey
X509Certificate2.PrivateKey is obsolete. Use a method such as GetRSAPrivateKey() or GetECDsaPrivateKey(). Alternatively, use the CopyWithPrivateKey() method to create a new instance with a private key. Further, if you set X509Certificate2.PrivateKey to null
or set it to another key without deleting it first, the private key will be left on disk.
Likelihood: LOW
Confidence: LOW
CWE:
- CWE-310: CWE CATEGORY: Cryptographic Issues
OWASP:
- A02:2021 - Cryptographic Failures
X509-subject-name-validation
X509-subject-name-validation
Validating certificates based on subject name is bad practice. Use the X509Certificate2.Verify() method instead.
Likelihood: LOW
Confidence: MEDIUM
CWE:
- CWE-295: Improper Certificate Validation
OWASP:
- A03:2017 - Sensitive Data Exposure
- A07:2021 - Identification and Authentication Failures