# C# & ASP.NET

| No. & Rule Name | CWE(s) | OWASP Top 10 / SANS 25 |
| --- | --- | --- |
| **(1) Use of Hardcoded Credentials** | (798) Use of Hard-coded Credentials<br>(259) Use of Hard-coded Password | OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures<br>SANS/CWE Top 25 |
| **(2) Use of Password Hash With Insufficient Computational Effort** | (916) Use of Password Hash With Insufficient Computational Effort | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(3) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute** | (614) Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(4) Hardcoded Secret** | (547) Use of Hard-coded, Security-relevant Constants | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(5) Insecure Data Transmission** | (319) Cleartext Transmission of Sensitive Information | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(6) Command Injection** | (78) Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(7) Cross-site Scripting (XSS)** | (79) Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(8) Server-Side Request Forgery (SSRF)** | (918) Server-Side Request Forgery (SSRF) | OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF)<br>SANS/CWE Top 25 |
| **(9) Open Redirect** | (601) URL Redirection to Untrusted Site ('Open Redirect') | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| **(10) Regular Expression Injection** | (400) Uncontrolled Resource Consumption<br>(730) | |
| **(11) XML Injection** | (611) Improper Restriction of XML External Entity Reference | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration<br>SANS/CWE Top 25 |
| **(12) SQL Injection** | (89) Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection<br>SANS/CWE Top 25 |
| **(13) Log Forging** | (117) Improper Output Neutralization for Logs | OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures |
| **(14) XML External Entity (XXE) Injection** | (611) Improper Restriction of XML External Entity Reference | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration<br>SANS/CWE Top 25 |
| **(15) Inadequate Encryption Strength** | (326) Inadequate Encryption Strength | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(16) Use of Insufficiently Random Values** | (330) Use of Insufficiently Random Values | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(17) Sensitive Cookie Without 'HttpOnly' Flag** | (1004) Sensitive Cookie Without 'HttpOnly' Flag | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(18) Request Validation Disabled** | (554) ASP.NET Misconfiguration: Not Using Input Validation Framework | |
| **(19) IgnoreAntiforgeryToken in Use** | (352) Cross-Site Request Forgery (CSRF) | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
| **(20) Debug Features Enabled** | (215) Insertion of Sensitive Information Into Debugging Code | |
| **(21) Deserialization of Untrusted Data** | (502) Deserialization of Untrusted Data | OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures<br>SANS/CWE Top 25 |
| **(22) ASP SSL Disabled** | (319) Cleartext Transmission of Sensitive Information | OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures |
| **(23) Code Injection** | (94) Improper Control of Generation of Code ('Code Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(24) Information Exposure** | (200) Exposure of Sensitive Information to an Unauthorized Actor | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
| **(25) Exposure of Private Personal Information to an Unauthorized Actor** | (359) Exposure of Private Personal Information to an Unauthorized Actor | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| **(26) Cleartext Storage of Sensitive Information in a Cookie** | (315) Cleartext Storage of Sensitive Information in a Cookie | OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration |
| **(27) LDAP Injection** | (90) Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(28) Path Traversal** | (23) Relative Path Traversal | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control |
| **(29) XPath Injection** | (643) Improper Neutralization of Data within XPath Expressions ('XPath Injection') | OWASP Top Ten 2021 Category A03:2021 - Injection |
| **(30) Arbitrary File Write via Archive Extraction (Zip Slip)** | (22) Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | OWASP Top Ten 2021 Category A01:2021 - Broken Access Control<br>SANS/CWE Top 25 |
