Request validation is disabled. Request validation allows the filtering of some XSS patterns submitted to the application.
The annotation [ValidateAntiForgeryToken] is missing.
The password configuration to this API appears to be hardcoded. It is suggested to externalize configuration such as passwords to avoid leakage of secret information.
The dynamic value passed in the SQL query should be validated.
The ciphertext produced is susceptible to alteration by an adversary. This means that the cipher provides no way to detect that the data has been tampered with. If the ciphertext can be controlled by an attacker, it could be altered without detection. The use of AES in CBC mode with an HMAC is recommended to guarantee both integrity and confidentiality.
ECB mode will produce the same result for identical blocks (i.e. 16 bytes for AES). An attacker may be able to infer the encrypted message. The use of AES in CBC mode with an HMAC is recommended to guarantee both integrity and confidentiality.
This specific mode of CBC with PKCS5Padding is susceptible to padding oracle attacks. An adversary could potentially decrypt the message if the system exposes the difference between plaintext with invalid padding and plaintext with valid padding.
DES/3DES are not considered strong ciphers for modern applications. Currently, NIST recommends the usage of AES block ciphers instead of DES/3DES.
Having the annotation [OutputCache] will disable the annotation [Authorize] for the requests following the first one.
The file path passed to this API is susceptible to path traversal attacks. With a malicious relative path, an attacker could reach a secret file.
The dynamic value passed in the SQL query should be validated.
View state MAC is disabled. The view state could be altered by an attacker. (This feature cannot be disabled in recent versions of ASP.NET.)
The dynamic value passed to the XPath query should be validated.
Certificate validation has been disabled. The communication could be intercepted.
The random numbers generated could be predicted.
MD5/SHA1 are no longer considered strong hashing algorithms for password storage and signature generation.
The XML parser is configured incorrectly. The operation could be vulnerable to XML eXternal Entity (XXE) processing.
It is recommended to set the Secure flag on new cookies.
It is recommended to set the HttpOnly flag on new cookies.
The dynamic value passed in the SQL query should be validated.
The endpoint returns a variable from the client input that has not been encoded.
The dynamic value passed in the SQL query should be validated.
The dynamic value passed to the command execution should be validated.
The dynamic value passed in the SQL query should be validated.
The dynamic value passed in the SQL query should be validated.
Event validation is disabled. The integrity of client-side controls will not be validated on postback.
View state is not encrypted. Controls may leak sensitive data that could be read client-side.
The dynamic value passed in the SQL query should be validated.
Request validation, which provided additional protection against Cross-Site Scripting (XSS), has been disabled.
* The analysis of configuration files can be done, but Roslyn does not currently allow the reporting of errors in static files.