veracode

Veracode XML External Entity Reference (XXE)

天大地大妈咪最大 submitted on 2020-05-08 03:52:11
Question: I've got the following finding in my Veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611), referring to the code below ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(false); dbf.setValidating(false); dbf.newDocumentBuilder(); InputStream stream = new ByteArrayInputStream

Veracode throws “Technology-Specific Input Validation Problems (CWE ID 100)” for a public string property in C#

妖精的绣舞 submitted on 2019-12-24 03:26:04
Question: Veracode throws "Technology-Specific Input Validation Problems (CWE ID 100)" for a public string property in C#. These are the formats I have tried already, and all give the same flaw. Option 1: public string MyProperty { get; set; } Option 2: private string _myProperty; public string MyProperty { get { return _myProperty; } set { _myProperty = value; } } Option 3: private string _myProperty; public string MyProperty { get { return _myProperty ?? string.Empty; } set { _myProperty = value; } } Can

How to fix Veracode CWE 117 (Improper Output Neutralization for Logs)

纵然是瞬间 submitted on 2019-12-20 14:44:07
Question: There is a Spring global @ExceptionHandler(Exception.class) method which logs exceptions like this: @ExceptionHandler(Exception.class) void handleException(Exception ex) { logger.error("Simple error message", ex); ... The Veracode scan says that this logging has Improper Output Neutralization for Logs and suggests using the ESAPI logger. Is there any way to fix this vulnerability without changing the logger to ESAPI? This is the only place in the code where I faced this issue, and I am trying to figure out how

“Untrusted initialization” flaw - while creating SQL Connection

♀尐吖头ヾ submitted on 2019-12-19 17:41:14
Question: I have done the following... private static IDbConnectionProvider CreateSqlConnectionProvider(DbConfig dbConfig) { return new QcDbConnectionProvider(() => { SqlConnectionStringBuilder csBuilder = new SqlConnectionStringBuilder(); if (!string.IsNullOrEmpty(dbConfig.DataSource)) csBuilder.DataSource = dbConfig.DataSource; if (!string.IsNullOrEmpty(dbConfig.Database)) csBuilder.InitialCatalog = dbConfig.Database; . . . . return new SqlConnection(csBuilder.ConnectionString); }); } The client is

How to avoid XSS in this c:out?

和自甴很熟 submitted on 2019-12-14 03:04:27
Question: Normally I scan my code changes using Veracode to detect security vulnerabilities. Now there is a string in the DB which I am collecting in a string called custFunctionality, and previously I was displaying this in the JSP as: out.println(<%= custFunctionality %>); Well, Veracode scanned it and let me know that it constitutes a security defect. So I used c:out here as: <c:out escapexml='false' value='${custFunctionality }'/> Now the problem here is that the string consists of HTML-related markup

Fix Session Fixation flaw in ASP.Net

六月ゝ 毕业季﹏ submitted on 2019-12-13 03:59:35
Question: A hybrid WebForms/MVC ASP.NET application using .NET Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie (ASP.NET_SessionId), and then posts with a valid user ID and password to do the login. ASP.NET logs in the user but takes this altered SessionId cookie and continues to use it; that behavior of using the injected SessionId value is the flaw. In other words,

MVC Security Violation - Improperly Controlled Modification of Dynamically-Determined Object Attributes

时间秒杀一切 submitted on 2019-12-13 02:34:59
Question: We are developing an MVC 5 application, and when we ran a security scan using Veracode we got the flaw below, saying "Improperly Controlled Modification of Dynamically-Determined Object Attributes", and it added this link as a reference for the fix. I tried implementing the Bind attribute on my controller functions with HTTP POST and the issue is fixed. So in ASP.NET MVC, is it mandatory to use the Bind attribute for all POSTs to avoid the security violation? Or can I ignore this flaw, or any other

Veracode issue in JSP

徘徊边缘 submitted on 2019-12-12 20:48:42
Question: I am getting a Veracode issue on the line below: <input type = "hidden" name = "studentName" value = "<%=viewBean.getStudName()%>"> The issue is on <%=viewBean.getStudName()%>. Here, the issue reported is "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)". I have tried the fix given on cwe.mitre.org, but I could not apply it properly. Can anyone help with how to overcome the issue?
Answer 1: Use <c:out value=${viewBean.studName}/> instead; it escapes XML.
Answer 2: As per CWE,