veracode

问题 I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(false); dbf.setValidating(false); dbf.newDocumentBuilder(); InputStream stream = new ByteArrayInputStream

问题 I've got the next finding in my veracode report: Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611) referring the next code bellow ... DocumentBuilderFactory dbf=null; DocumentBuilder db = null; try { dbf=DocumentBuilderFactory.newInstance(); dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true); dbf.setExpandEntityReferences(false); dbf.setXIncludeAware(false); dbf.setValidating(false); dbf.newDocumentBuilder(); InputStream stream = new ByteArrayInputStream

问题 Veracode throws "Technology-Specific Input Validation Problems (CWE ID 100)" for a public string property in C#. These are the formats I have tried already, and all give same flaw. Option: 1 public string MyProperty { get; set; } Option: 2 private string _myProperty; public string MyProperty { get { return _myProperty; } set { _myProperty = value; } } Option: 3 private string _myProperty; public string MyProperty { get { return _myProperty ?? string.Empty; } set { _myProperty = value; } } Can

问题 There is an Spring global @ExceptionHandler(Exception.class) method which logs exception like that: @ExceptionHandler(Exception.class) void handleException(Exception ex) { logger.error("Simple error message", ex); ... Veracode scan says that this logging has Improper Output Neutralization for Logs and suggest to use ESAPI logger. Is there any way how to fix this vulnerability without changing logger to ESAPI? This is the only place in code where I faced this issue and I try to figure out how

问题 I have done the following... private static IDbConnectionProvider CreateSqlConnectionProvider(DbConfig dbConfig) { return new QcDbConnectionProvider(() => { SqlConnectionStringBuilder csBuilder = new SqlConnectionStringBuilder(); if (!string.IsNullOrEmpty(dbConfig.DataSource)) csBuilder.DataSource = dbConfig.DataSource; if (!string.IsNullOrEmpty(dbConfig.Database)) csBuilder.InitialCatalog = dbConfig.Database; . . . . return new SqlConnection(csBuilder.ConnectionString); }); } The client is

问题 I have done the following... private static IDbConnectionProvider CreateSqlConnectionProvider(DbConfig dbConfig) { return new QcDbConnectionProvider(() => { SqlConnectionStringBuilder csBuilder = new SqlConnectionStringBuilder(); if (!string.IsNullOrEmpty(dbConfig.DataSource)) csBuilder.DataSource = dbConfig.DataSource; if (!string.IsNullOrEmpty(dbConfig.Database)) csBuilder.InitialCatalog = dbConfig.Database; . . . . return new SqlConnection(csBuilder.ConnectionString); }); } The client is

问题 Normally i scan my code changes using veracode to detect security vulnerabilities. Now there is a string in DB which i am collecting in a string called custFunctionality and previously i was displaying this in jsp as : out.println(<%= custFunctionality %>); Well veracode scanned it and let me know that it constitutes a security defect. So i used c: out here as : <c:out escapexml='false' value='${custFunctionality }'/> Now the problem here is that the string consists of html related mark up

问题 A hybrid webforms/mvc asp.net application using .Net Framework 4.7 has been tagged with the "Session Fixation" vulnerability in a Veracode dynamic scan. What this means is that Veracode gets the login page, alters the SessionId cookie (ASP.NET_SessionId), and then posts with a valid userid and password to do the login. ASP.Net logs in the user, but takes this altered SessionId cookie and continues to use it; that behavior of using that injected SessionId value is the flaw. In other words,

问题 We are developing an MVC 5 Application and while we ran security scan using Veracode we are getting the below flaw saying "Improperly Controlled Modification of Dynamically-Determined Object Attributes" And added this link as reference to fix. Tried implementing Bind Attribute to my Controllers functions with HTTP Post and the issue is fixed. So in ASP.NET MVC is it mandatory to use Bind Attribute for all the Post to avoid security violation ? Or can i ignore this flaw or any other

问题 I am getting veracode issue in the below line <input type = "hidden" name = "studentName" value = "<%=viewBean.getStudName()%>"> The issue is on <%=viewBean.getStudName()%> Here, the issue reported is "Improper Neutralization of Script-Related HTML tags in a web page(Basic XSS). I have tried the fix given in cwe.mitre.org but I could not apply it properly. Can anyone help on this how to overcome the issue? 回答1: use <c:out value=${viewBean.studName}/> instead it escapes XML 回答2: As per CWE ,