René's URL Explorer Experiment


Title: Security Code Scan

Domain: security-code-scan.github.io

Content type: text/html; charset=UTF-8

Links (anchor text followed by target URL, duplicates removed):

NuGet package https://www.nuget.org/packages/SecurityCodeScan.VS2019/
Visual Studio extension https://marketplace.visualstudio.com/items?itemName=JaroslavLobacevski.SecurityCodeScanVS2019
Stand-alone runner https://www.nuget.org/packages/security-scan/
Open Source https://github.com/security-code-scan/security-code-scan
security vulnerability patterns https://security-code-scan.github.io#rules
GitHub https://github.com/marketplace/actions/securitycodescan
GitLab https://docs.gitlab.com/ee/user/application_security/sast/analyzers.html
MSBuild https://msdn.microsoft.com/en-us/library/dd393574.aspx
.NET Core https://en.wikipedia.org/wiki/.NET_Framework#.NET_Core
Community https://www.visualstudio.com/en-us/products/visual-studio-community-vs.aspx
can be installed as https://docs.microsoft.com/en-us/visualstudio/code-quality/install-roslyn-analyzers
GitHub Releases https://github.com/security-code-scan/security-code-scan/releases
mismatch between the used compiler toolset/SDK and the version of Roslyn analyzer library used by SCS https://github.com/dotnet/roslyn/issues/2683
script https://github.com/SPoint42/SecurityTools/tree/main/SCDotNet2DefectDojo
DefectDojo https://github.com/DefectDojo/django-DefectDojo
additional information https://docs.microsoft.com/en-us/visualstudio/code-quality/how-to-enable-and-disable-full-solution-analysis-for-managed-code
WebGoat.NET https://github.com/OWASP/WebGoat.NET/zipball/master
built-in configuration https://github.com/security-code-scan/security-code-scan/blob/vs2019/SecurityCodeScan/Config/Main.yml
configuration file https://github.com/security-code-scan/security-code-scan/blob/vs2019/SecurityCodeScan/Config/Main.yml
standard functionality for Visual Studio https://docs.microsoft.com/en-us/visualstudio/code-quality/in-source-suppression-overview
its own documentation https://docs.microsoft.com/en-us/visualstudio/code-quality/use-roslyn-analyzers
affect results from other analyzers https://github.com/dotnet/roslyn/issues/23879
OWASP: Top 10 2013-A1-Injection https://www.owasp.org/index.php/Top_10_2013-A1-Injection
CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) https://cwe.mitre.org/data/definitions/78.html
OWASP: Command Injection https://www.owasp.org/index.php/Command_Injection
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) https://cwe.mitre.org/data/definitions/89.html
WASC-19: SQL Injection http://projects.webappsec.org/w/page/13246963/SQL%20Injection
OWASP: SQL Injection Prevention Cheat Sheet https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
OWASP: Query Parameterization Cheat Sheet https://www.owasp.org/index.php/Query_Parameterization_Cheat_Sheet
CAPEC-66: SQL Injection http://capec.mitre.org/data/definitions/66.html
Bobby Tables: A guide to preventing SQL injection http://bobby-tables.com/csharp
CWE-643: Improper Neutralization of Data within XPath Expressions (‘XPath Injection’) https://cwe.mitre.org/data/definitions/643.html
WASC-39: XPath Injection http://projects.webappsec.org/w/page/13247005/XPath%20Injection
OWASP: XPATH Injection https://www.owasp.org/index.php/XPATH_Injection
Black Hat Europe 2012: Hacking XPath 2.0 http://media.blackhat.com/bh-eu-12/Siddharth/bh-eu-12-Siddharth-Xpath-WP.pdf
CWE-611: Improper Restriction of XML External Entity Reference (‘XXE’) https://cwe.mitre.org/data/definitions/611.html
OWASP.org: XML External Entity (XXE) Prevention Cheat Sheet (.NET) https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet#.NET
CERT: IDS10-J. Prevent XML external entity attacks https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=61702260
OWASP.org: XML External Entity (XXE) Processing https://www.owasp.org/index.php/XML_External_Entity_%28XXE%29_Processing
WS-Attacks.org: XML Entity Expansion http://www.ws-attacks.org/index.php/XML_Entity_Expansion
WS-Attacks.org: XML External Entity DOS http://www.ws-attacks.org/index.php/XML_External_Entity_DOS
WS-Attacks.org: XML Entity Reference Attack http://www.ws-attacks.org/index.php/XML_Entity_Reference_Attack
Identifying Xml eXternal Entity vulnerability (XXE) http://blog.h3xstream.com/2014/06/identifying-xml-external-entity.html
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) https://cwe.mitre.org/data/definitions/22.html
OWASP: Path Traversal https://www.owasp.org/index.php/Path_Traversal
OS Command Injection, Path Traversal & Local File Inclusion Vulnerability - Notes https://riseandhack.blogspot.com/2015/02/os-command-injection-path-traversal.html
HTTP-only https://security-code-scan.github.io#SCS0009
CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) https://cwe.mitre.org/data/definitions/79.html
WASC-8: Cross Site Scripting http://projects.webappsec.org/w/page/13246920/Cross%20Site%20Scripting
OWASP: XSS Prevention Cheat Sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
OWASP: Top 10 2013-A3: Cross-Site Scripting (XSS) https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_%28XSS%29
AntiXSS library https://www.nuget.org/packages/AntiXSS/
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’) https://cwe.mitre.org/data/definitions/90.html
WASC-29: LDAP Injection http://projects.webappsec.org/w/page/13246947/LDAP%20Injection
OWASP: LDAP Injection https://www.owasp.org/index.php/LDAP_injection
OWASP: LDAP Injection Prevention Cheat Sheet https://www.owasp.org/index.php/LDAP_Injection_Prevention_Cheat_Sheet
MSDN Blog - Security Tools: LDAP Injection and mitigation https://blogs.msdn.microsoft.com/securitytools/2009/08/10/ldap-injection-and-mitigation/
certificate authority http://en.wikipedia.org/wiki/Certificate_authority
Man-in-the-middle attacks http://en.wikipedia.org/wiki/Man-in-the-middle_attack
certificate pinning https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
CWE-295: Improper Certificate Validation https://cwe.mitre.org/data/definitions/295.html
WASC-04: Insufficient Transport Layer Protection http://projects.webappsec.org/w/page/13246945/Insufficient%20Transport%20Layer%20Protection
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) https://cwe.mitre.org/data/definitions/338.html
OWASP: Insecure Randomness https://www.owasp.org/index.php/Insecure_Randomness
adaptive algorithms https://crackstation.net/hashing-security.htm
CWE-327: Use of a Broken or Risky Cryptographic Algorithm https://cwe.mitre.org/data/definitions/327.html
MSDN: SHA256 Class documentation https://msdn.microsoft.com/en-us/library/system.security.cryptography.sha256(v=vs.110).aspx
Salted Password Hashing - Doing it Right https://crackstation.net/hashing-security.htm
Solution in Weak Cipher Mode https://security-code-scan.github.io#SCS0013
NIST Withdraws Outdated Data Encryption Standard http://www.nist.gov/itl/fips/060205_des.cfm
StackOverflow: Authenticated encryption example http://stackoverflow.com/questions/202011/encrypt-and-decrypt-a-string/10366194#10366194
Padding Oracles for the masses (by Matias Soler) http://www.infobytesec.com/down/paddingoracle_openjam.pdf
Wikipedia: Authenticated encryption http://en.wikipedia.org/wiki/Authenticated_encryption
NIST: Authenticated Encryption Modes http://csrc.nist.gov/groups/ST/toolkit/BCM/modes_development.html#01
CAPEC: Padding Oracle Crypto Attack http://capec.mitre.org/data/definitions/463.html
Wikipedia: ECB mode https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_(ECB)
CWE-614: Sensitive Cookie in HTTPS Session Without ‘Secure’ Attribute https://cwe.mitre.org/data/definitions/614.html
OWASP: Secure Flag https://www.owasp.org/index.php/SecureFlag
Rapid7: Missing Secure Flag From SSL Cookie https://www.rapid7.com/db/vulnerabilities/http-cookie-secure-flag
CWE-1004: Sensitive Cookie Without ‘HttpOnly’ Flag https://cwe.mitre.org/data/definitions/1004.html
Coding Horror blog: Protecting Your Cookies: HttpOnly http://blog.codinghorror.com/protecting-your-cookies-httponly/
OWASP: HttpOnly https://www.owasp.org/index.php/HttpOnly
Rapid7: Missing HttpOnly Flag From Cookie https://www.rapid7.com/db/vulnerabilities/http-cookie-http-only-flag
machine key https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx
CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework https://cwe.mitre.org/data/definitions/554.html
MSDN: pages Element (ASP.NET Settings Schema) https://msdn.microsoft.com/en-us/library/950xf363(v=vs.100).aspx
MSDN: ViewStateEncryptionMode Property https://msdn.microsoft.com/en-us/library/system.web.configuration.pagessection.viewstateencryptionmode(v=vs.100).aspx
MSDN: machineKey Element (ASP.NET Settings Schema) https://msdn.microsoft.com/en-us/library/w8h3skw9(v=vs.100).aspx
XSS https://security-code-scan.github.io#SCS0029
MSDN: Request Validation in ASP.NET https://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx
OWASP: ASP.NET Request Validation https://www.owasp.org/index.php/ASP.NET_Request_Validation
MSDN: RequestValidationMode Property https://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode(v=vs.110).aspx
CWE-259: Use of Hard-coded Password https://cwe.mitre.org/data/definitions/259.html
Password Complexity https://security-code-scan.github.io#SCS0033
CWE-521: Weak Password Requirements https://cwe.mitre.org/data/definitions/521.html
MSDN: ASP.NET Identity PasswordValidator Class https://msdn.microsoft.com/en-us/library/microsoft.aspnet.identity.passwordvalidator.aspx
CWE-611: Improper Restriction of XML External Entity Reference https://cwe.mitre.org/data/definitions/611.html
XSLT Server Side Injection Attacks https://www.contextis.com/us/blog/xslt-server-side-injection-attacks
XML Attack for C# Remote Code Execution https://zerosum0x0.blogspot.com/2016/05/xml-attack-for-c-remote-code-execution.html
XsltSettings.EnableScript Property https://docs.microsoft.com/en-us/dotnet/api/system.xml.xsl.xsltsettings.enablescript?view=net-5.0
customize https://security-code-scan.github.io#external-configuration-files
rule https://github.com/security-code-scan/security-code-scan/blob/6541aa9c52e856b2ce9da7d5916d8358760373da/SecurityCodeScan/Config/Main.yml#L2500
CWE-284: Improper Access Control https://cwe.mitre.org/data/definitions/284.html
Access control vulnerabilities and privilege escalation https://portswigger.net/web-security/access-control
Simple authorization in ASP.NET Core https://docs.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-3.1
CWE-352: Cross-Site Request Forgery (CSRF) https://cwe.mitre.org/data/definitions/352.html
OWASP: Cross-Site Request Forgery https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
OWASP: CSRF Prevention Cheat Sheet https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
CWE-524: Use of Cache Containing Sensitive Information https://cwe.mitre.org/data/definitions/524.html
Improving Performance with Output Caching https://docs.microsoft.com/en-us/aspnet/mvc/overview/older-versions-1/controllers-and-routing/improving-performance-with-output-caching-cs
MSDN: Page.EnableEventValidation Property http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableeventvalidation.aspx
phishing https://en.wikipedia.org/wiki/Phishing
CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’) https://cwe.mitre.org/data/definitions/601.html
Microsoft: Preventing Open Redirection Attacks (C#) https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/preventing-open-redirection-attacks
OWASP: Unvalidated Redirects and Forwards Cheat Sheet https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Hacksplaining: preventing malicious redirects https://www.hacksplaining.com/prevention/open-redirects
Data Transfer Objects (DTO) https://en.wikipedia.org/wiki/Data_transfer_object
CWE-502: Deserialization of Untrusted Data https://cwe.mitre.org/data/definitions/502.html
BlackHat USA 2017: Friday the 13th: JSON Attacks https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-Json-Attacks.pdf
BlueHat v17: Dangerous Contents - Securing .Net Deserialization https://www.slideshare.net/MSbluehat/dangerous-contents-securing-net-deserialization
BlackHat USA 2012: Are you my type? https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf
OWASP: Deserialization of untrusted data https://www.owasp.org/index.php/Deserialization_of_untrusted_data
Deserialization payload generator for a variety of .NET formatters https://github.com/pwntester/ysoserial.net
.NET Deserialization Passive Scanner https://github.com/pwntester/dotnet-deserialization-scanner
@matteo-tosi https://github.com/matteo-tosi
#262 https://github.com/security-code-scan/security-code-scan/pull/262
Full Changelog https://github.com/security-code-scan/security-code-scan/compare/5.6.6…5.6.7
#258 https://github.com/security-code-scan/security-code-scan/issues/258
Full Changelog https://github.com/security-code-scan/security-code-scan/compare/5.6.5…5.6.6
#257 https://github.com/security-code-scan/security-code-scan/issues/257
#246 https://github.com/security-code-scan/security-code-scan/issues/246
#248 https://github.com/security-code-scan/security-code-scan/pull/248
#239 https://github.com/security-code-scan/security-code-scan/issues/239
Sebastien gioria https://github.com/SPoint42
@watfordgnf https://github.com/watfordgnf
@indy-singh https://github.com/indy-singh
ReportAnalysisCompletion https://github.com/security-code-scan/security-code-scan/commit/792c265cd218ea7abb8433d52ca159eb90ab91ae#diff-34b8f54577569f3aae468b7f58cc5d02
@kevin-montrose https://github.com/kevin-montrose
#117 https://github.com/security-code-scan/security-code-scan/issues/117
#71 https://github.com/security-code-scan/security-code-scan/issues/71
Andrei! https://github.com/zaichenko
contributors https://github.com/security-code-scan/security-code-scan/graphs/contributors
issues or feature requests https://github.com/security-code-scan/security-code-scan/issues?utf8=%E2%9C%93&q=is%3Aissue
microsoft/dotnet 2.1 docker container https://hub.docker.com/r/microsoft/dotnet/
SecurityCodeScan.VS2017 NuGet package https://www.nuget.org/packages/SecurityCodeScan.VS2017
built-in configuration https://github.com/security-code-scan/security-code-scan/blob/master/SecurityCodeScan/Config/Main.yml
Insecure deserialization analyzers https://security-code-scan.github.io#SCS0028
Json.NET https://www.newtonsoft.com/json
BinaryFormatter https://msdn.microsoft.com/en-us/library/system.runtime.serialization.formatters.binary.binaryformatter(v=vs.110).aspx
FastJSON https://github.com/mgholam/fastJSON
JavaScriptSerializer https://msdn.microsoft.com/en-us/library/system.web.script.serialization.javascriptserializer(v=vs.110).aspx
DataContractJsonSerializer https://msdn.microsoft.com/en-us/library/system.runtime.serialization.json.datacontractjsonserializer(v=vs.110).aspx
NetDataContractSerializer https://msdn.microsoft.com/en-us/library/system.runtime.serialization.netdatacontractserializer(v=vs.110).aspx
XmlSerializer https://msdn.microsoft.com/en-us/library/system.xml.serialization.xmlserializer(v=vs.110).aspx
See how to enable. https://security-code-scan.github.io#AnalyzingConfigFiles
