C# and ASP.NET rules
Rule (1) Arbitrary File Write via Archive Extraction (Zip Slip)
CWE (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (2) Path Traversal
CWE (23) Relative Path Traversal
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (3) Command Injection
CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (4) Cross-site Scripting (XSS)
CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (5) SQL Injection
CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (6) LDAP Injection
CWE (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (7) XML Injection
CWE (91) XML Injection (aka Blind XPath Injection)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (8) Code Injection
CWE (94) Improper Control of Generation of Code ('Code Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (9) Log Forging
CWE (117) Improper Output Neutralization for Logs
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
Rule (10) Information Exposure
CWE (200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (11) Debug Features Enabled
CWE (215) Insertion of Sensitive Information Into Debugging Code
Autofixable by DeepCode AI Fix
Rule (12) Use of Hardcoded Credentials
CWE (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (13) Cleartext Storage of Sensitive Information in a Cookie
CWE (315) Cleartext Storage of Sensitive Information in a Cookie
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (14) Insecure Data Transmission
CWE (319) Cleartext Transmission of Sensitive Information
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (15) Inadequate Encryption Strength
CWE (326) Inadequate Encryption Strength
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (16) Use of a Broken or Risky Cryptographic Algorithm
CWE (327) Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (17) Use of Insufficiently Random Values
CWE (330) Use of Insufficiently Random Values
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (18) Anti-forgery token validation disabled
CWE (352) Cross-Site Request Forgery (CSRF)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Autofixable by DeepCode AI Fix
Rule (19) Exposure of Private Personal Information to an Unauthorized Actor
CWE (359) Exposure of Private Personal Information to an Unauthorized Actor
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (20) Regular expression injection
CWE (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service
Rule (21) Deserialization of Untrusted Data
CWE (502) Deserialization of Untrusted Data
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (22) Hardcoded Secret
CWE (547) Use of Hard-coded, Security-relevant Constants
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (23) Request Validation Disabled
CWE (554) ASP.NET Misconfiguration: Not Using Input Validation Framework
Autofixable by DeepCode AI Fix
Rule (24) Open Redirect
CWE (601) URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (25) XML External Entity (XXE) Injection
CWE (611) Improper Restriction of XML External Entity Reference
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (26) XAML Injection
CWE (611) Improper Restriction of XML External Entity Reference
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (27) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (28) XPath Injection
CWE (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (29) Use of Password Hash With Insufficient Computational Effort
CWE (916) Use of Password Hash With Insufficient Computational Effort
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (30) Server-Side Request Forgery (SSRF)
CWE (918) Server-Side Request Forgery (SSRF)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (31) Sensitive Cookie Without 'HttpOnly' Flag
CWE (1004) Sensitive Cookie Without 'HttpOnly' Flag
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Last updated