C# and ASP.NET rules
Rule (1) Arbitrary File Write via Archive Extraction (Zip Slip)
CWE (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (2) Path Traversal
CWE (23) Relative Path Traversal
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (3) Command Injection
CWE (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (4) Cross-site Scripting (XSS)
CWE (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (5) SQL Injection
CWE (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (6) LDAP Injection
CWE (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (7) XML Injection
CWE (91) XML Injection (aka Blind XPath Injection)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (8) Code Injection
CWE (94) Improper Control of Generation of Code ('Code Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (9) Log Forging
CWE (117) Improper Output Neutralization for Logs
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures
Rule (10) Information Exposure
CWE (200) Exposure of Sensitive Information to an Unauthorized Actor
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (11) Debug Features Enabled
CWE (215) Insertion of Sensitive Information Into Debugging Code
Rule (12) Use of Hardcoded Credentials
CWE (259, 798) Use of Hard-coded Password, Use of Hard-coded Credentials
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (13) Cleartext Storage of Sensitive Information in a Cookie
CWE (315) Cleartext Storage of Sensitive Information in a Cookie
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (14) Insecure Data Transmission
CWE (319) Cleartext Transmission of Sensitive Information
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (15) Inadequate Encryption Strength
CWE (326) Inadequate Encryption Strength
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (16) Use of a Broken or Risky Cryptographic Algorithm
CWE (327) Use of a Broken or Risky Cryptographic Algorithm
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (17) Use of Insufficiently Random Values
CWE (330) Use of Insufficiently Random Values
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (18) Anti-forgery token validation disabled
CWE (352) Cross-Site Request Forgery (CSRF)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (19) Exposure of Private Personal Information to an Unauthorized Actor
CWE (359) Exposure of Private Personal Information to an Unauthorized Actor
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (20) Regular expression injection
CWE (400, 730) Uncontrolled Resource Consumption, OWASP Top Ten 2004 Category A9 - Denial of Service
Rule (21) Deserialization of Untrusted Data
CWE (502) Deserialization of Untrusted Data
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (22) Hardcoded Secret
CWE (547) Use of Hard-coded, Security-relevant Constants
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (23) Request Validation Disabled
CWE (554) ASP.NET Misconfiguration: Not Using Input Validation Framework
Rule (24) Open Redirect
CWE (601) URL Redirection to Untrusted Site ('Open Redirect')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A01:2021 - Broken Access Control
Rule (25) XML External Entity (XXE) Injection
CWE (611) Improper Restriction of XML External Entity Reference
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (26) XAML Injection
CWE (611) Improper Restriction of XML External Entity Reference
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (27) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Rule (28) XPath Injection
CWE (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection')
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A03:2021 - Injection
Rule (29) Use of Password Hash With Insufficient Computational Effort
CWE (916) Use of Password Hash With Insufficient Computational Effort
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures
Rule (30) Server-Side Request Forgery (SSRF)
CWE (918) Server-Side Request Forgery (SSRF)
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)
OWASP Top 10/SANS 25: SANS/CWE Top 25
Rule (31) Sensitive Cookie Without 'HttpOnly' Flag
CWE (1004) Sensitive Cookie Without 'HttpOnly' Flag
OWASP Top 10/SANS 25: OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration
Last updated