ASP.NET Scan rules
Contrast Scan supports these rules for ASP.NET.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Dangerous App Setting | OPT.ASPNET.DangerousAppSetting | DangerousAppSetting: Dangerous application setting |
Critical | Too Broad CORS Policy | OPT.ASPNET.TooBroadCORSPolicy | TooBroadCORSPolicy: CORS policy (Cross-Origin Resource Sharing) too broad |
Critical | CBII | OPT.ASPNET.CBII | CBII: Use code-behind files |
Critical | Respect MVC | OPT.ASPNET.CBNC | CBNC: Respect MVC |
Critical | Enable View State Mac | OPT.ASPNET.EnableViewStateMac | EnableViewStateMac: Do not set EnableViewStateMac (OWASP 2021: A5; PCI-DSS: 6.5.1) |
Critical | Cross Site Scripting | OPT.ASPNET.CrossSiteScripting | CrossSiteScripting: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
High | Avoid Enabled Debug Mode | OPT.ASPNET.AvoidEnabledDebugMode | AvoidEnabledDebugMode: ASP.NET Misconfiguration: Creating Debug Binary |
High | Clickjacking Protection | OPT.ASPNET.ClickjackingProtection | ClickjackingProtection: No clickjacking protection configured |
High | ReDoS In Regular Expression Validator | OPT.ASPNET.ReDoSInRegularExpressionValidator | ReDoSInRegularExpressionValidator: Regular expression in RegularExpressionValidator may be used for denial of service |
High | Session Hijacking Misconfiguration | OPT.ASPNET.SessionHijackingMisconfiguration | SessionHijackingMisconfiguration: A misconfiguration makes session hijacking attacks easier |
High | Trace Enabled | OPT.ASPNET.TraceEnabled | TraceEnabled: Trace information enabled and remotely accessible |
High | Unprotected Roles In Cookies | OPT.ASPNET.UnprotectedRolesInCookies | UnprotectedRolesInCookies: Unprotected roles in cookies |
High | WCF Audit Misconfiguration | OPT.ASPNET.WCFAuditMisconfiguration | WCFAuditMisconfiguration: Audit of security events misconfiguration in WCF |
High | WCF Transport Security | OPT.ASPNET.WCFTransportSecurity | WCFTransportSecurity: Do not use transport security mode in WCF |
High | Avoid Impersonation | OPT.ASPNET.AvoidImpersonation | AvoidImpersonation: Avoid impersonation in ASP.NET configuration |
High | HTTP Verb Tampering | OPT.ASPNET.HTTPVerbTampering | HTTPVerbTampering: Misconfiguration in authorization rules allowing HTTP Verb Tampering |
High | Header Validation Misconfiguration | OPT.ASPNET.HeaderValidationMisconfiguration | HeaderValidationMisconfiguration: Unvalidated data in HTTP response header ('HTTP Response Splitting') |
High | Path Relative Stylesheet Import | OPT.ASPNET.PathRelativeStylesheetImport | PathRelativeStylesheetImport: Path-relative stylesheet import |
High | Target Blank Vulnerability | OPT.ASPNET.TargetBlankVulnerability | TargetBlankVulnerability: Improper Neutralization of links to external sites |
High | Credentials Misconfiguration | OPT.ASPNET.CredentialsMisconfiguration | CredentialsMisconfiguration: Password exposure in Web.config file |
High | Prevent MIME Sniffing | OPT.ASPNET.PreventMIMESniffing | PreventMIMESniffing: Prevent MIME sniffing |
Low | Don't use masterpage files | OPT.ASPNET.MP | MP: Don't use masterpage files |
Low | Form Without Captcha | OPT.ASPNET.FormWithoutCaptcha | FormWithoutCaptcha: Form without CAPTCHA |
Medium | Authentication Forms Without SSL | OPT.ASPNET.AuthenticationFormsWithoutSSL | AuthenticationFormsWithoutSSL: If Forms authentication is used, require SSL for sending authentication information |
Medium | Avoid Disabled Validate Request | OPT.ASPNET.AvoidDisabledValidateRequest | AvoidDisabledValidateRequest: The value of ValidateRequest in pages must be set to true to prevent code injection attacks |
Medium | Avoid Disabled Validate Request Config | OPT.ASPNET.AvoidDisabledValidateRequestConfig | AvoidDisabledValidateRequestConfig: The validateRequest attribute value should be true to prevent code injection attacks |
Medium | Avoid Send Cookies Unencrypted HTTP | OPT.ASPNET.AvoidSendCookiesUnencryptedHTTP | AvoidSendCookiesUnencryptedHTTP: Sending of cookies should be enabled only by HTTP |
Medium | Avoid Send Cookies Without SSL | OPT.ASPNET.AvoidSendCookiesWithoutSSL | AvoidSendCookiesWithoutSSL: Send Cookies using SSL |
Medium | Directory Browsing | OPT.ASPNET.DirectoryBrowsing | DirectoryBrowsing: Directory Browsing enabled |
Medium | Forms Authentication Timeout | OPT.ASPNET.FormsAuthenticacionTimeout | FormsAuthenticacionTimeout: Set expiration timeout for authentication cookies |
Medium | Service Metadata Visibility | OPT.ASPNET.ServiceMetadataVisibility | ServiceMetadataVisibility: Service metadata exposure |
Medium | WCF Avoid Enabled Debug | OPT.ASPNET.WCFAvoidEnabledDebug | WCFAvoidEnabledDebug: Avoid enabling WCF debug information |
Medium | Avoid Empty Files | OPT.ASPNET.AvoidEmptyFiles | AvoidEmptyFiles: Avoid empty files |
Medium | Avoid Enabled View State Mode Page | OPT.ASPNET.AvoidEnabledViewStateModePage | AvoidEnabledViewStateModePage: Avoid enabling ViewStateMode at page level |
Medium | Avoid Use Style Of Controls | OPT.ASPNET.AvoidUseStyleOfControls | AvoidUseStyleOfControls: Avoid styling controls through tag attributes; use the CssClass attribute |
Medium | Enable Custom Error Page | OPT.ASPNET.EnableCustomErrorPage | EnableCustomErrorPage: ASP.NET Misconfiguration: Missing Custom Error Page |
Medium | Avoid Content Delivery Network | OPT.ASPNET.AvoidContentDeliveryNetwork | AvoidContentDeliveryNetwork: Do not use Content Delivery Network (CDN) for JavaScript code |
Medium | Specify Integrity Attribute | OPT.ASPNET.SpecifyIntegrityAttribute | SpecifyIntegrityAttribute: Specify an integrity attribute on `<script>` and `<link>` elements |
Medium | Credentials In Connection String | OPT.ASPNET.CredentialsInConnectionString | CredentialsInConnectionString: Insufficiently protected credentials in connection strings |
Medium | Persist Security Info True | OPT.ASPNET.PersistSecurityInfoTrue | PersistSecurityInfoTrue: Persist Security Info enabled in connection strings |