true, any certificate will pass validation. CA5360: Do not call dangerous methods in deserialization Insecure deserialization is a vulnerability that occurs when untrusted data is used to abuse the logic of an application, inflict a Denial-of-Service (DoS) attack, or even execute arbitrary code upon it being deserialized. It's frequently possible for malicious users to abuse these deserialization features when the application is deserializing untrusted data that is under their control. Specifically, invoke dangerous methods in the process of deserialization. Successful insecure deserialization attacks could allow an attacker to carry out attacks such as DoS attacks, authentication bypasses, and remote code execution. CA5361: Do not disable SChannel use of strong crypto Setting Switch.System.Net.DontEnableSchUseStrongCrypto to true weakens the cryptography used in outgoing Transport Layer Security (TLS) connections. Weaker cryptography can compromise the confidentiality of communication between your application and the server, making it easier for attackers to eavesdrop sensitive data. CA5362: Potential reference cycle in deserialized object graph If deserializing untrusted data, then any code processing the deserialized object graph needs to handle reference cycles without going into infinite loops. This includes both code that's part of a deserialization callback and code that processes the object graph after deserialization completed. Otherwise, an attacker could perform a Denial-of-Service attack with malicious data containing a reference cycle. CA5363: Do not disable request validation Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content that can lead to injection attacks, including cross-site-scripting. CA5364: Do not use deprecated security protocols Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. CA5365: Do Not Disable HTTP Header Checking HTTP header checking enables encoding of the carriage return and newline characters, \r and \n, that are found in response headers. This encoding can help to avoid injection attacks that exploit an application that echoes untrusted data contained by the header. CA5366: Use XmlReader For DataSet Read XML Using a DataSet to read XML with untrusted data may load dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. CA5367: Do Not Serialize Types With Pointer Fields This rule checks whether there's a serializable class with a pointer field or property. Members that can't be serialized can be a pointer, such as static members or fields marked with NonSerializedAttribute. CA5368: Set ViewStateUserKey For Classes Derived From Page Setting the ViewStateUserKey property can help you prevent attacks on your application by allowing you to assign an identifier to the view-state variable for individual users so that attackers cannot use the variable to generate an attack. Otherwise, there will be vulnerabilities to cross-site request forgery. CA5369: Use XmlReader for Deserialize Processing untrusted DTD and XML schemas may enable loading dangerous external references, which should be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled. CA5370: Use XmlReader for validating reader Processing untrusted DTD and XML schemas may enable loading dangerous external references. This dangerous loading can be restricted by using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled. CA5371: Use XmlReader for schema read Processing untrusted DTD and XML schemas may enable loading dangerous external references. Using an XmlReader with a secure resolver or with DTD and XML inline schema processing disabled restricts this. CA5372: Use XmlReader for XPathDocument Processing XML from untrusted data may load dangerous external references, which can be restricted by using an XmlReader with a secure resolver or with DTD processing disabled. CA5373: Do not use obsolete key derivation function This rule detects the invocation of weak key derivation methods System.Security.Cryptography.PasswordDeriveBytes and Rfc2898DeriveBytes.CryptDeriveKey. System.Security.Cryptography.PasswordDeriveBytes used a weak algorithm PBKDF1. CA5374: Do Not Use XslTransform This rule checks if System.Xml.Xsl.XslTransform is instantiated in the code. System.Xml.Xsl.XslTransform is now obsolete and shouldn't be used. CA5375: Do not use account shared access signature An account SAS can delegate access to read, write, and delete operations on blob containers, tables, queues, and file shares that are not permitted with a service SAS. However, it doesn't support container-level policies and has less flexibility and control over the permissions that are granted. Once malicious users get it, your storage account will be compromised easily. CA5376: Use SharedAccessProtocol HttpsOnly SAS is sensitive data that can't be transported in plain text on HTTP. CA5377: Use container level access policy A container-level access policy can be modified or revoked at any time. It provides greater flexibility and control over the permissions that are granted. CA5378: Do not disable ServicePointManagerSecurityProtocols Setting DisableUsingServicePointManagerSecurityProtocols to true limits Windows Communication Framework's (WCF) Transport Layer Security (TLS) connections to using TLS 1.0. That version of TLS will be deprecated. CA5379: Ensure key derivation function algorithm is sufficiently strong The Rfc2898DeriveBytes class defaults to using the SHA1 algorithm. You should specify the hash algorithm to use in some overloads of the constructor with SHA256 or higher. Note, HashAlgorithm property only has a get accessor and doesn't have a overridden modifier. CA5380: Do not add certificates to root store This rule detects code that adds a certificate into the Trusted Root Certification Authorities certificate store. By default, the Trusted Root Certification Authorities certificate store is configured with a set of public CAs that has met the requirements of the Microsoft Root Certificate Program. CA5381: Ensure certificates are not added to root store This rule detects code that potentially adds a certificate into the Trusted Root Certification Authorities certificate store. By default, the Trusted Root Certification Authorities certificate store is configured with a set of public certification authorities (CAs) that has met the requirements of the Microsoft Root Certificate Program. CA5382: Use secure cookies in ASP.NET Core Applications available over HTTPS must use secure cookies, which indicate to the browser that the cookie should only be transmitted using Transport Layer Security (TLS). CA5383: Ensure use secure cookies in ASP.NET Core Applications available over HTTPS must use secure cookies, which indicate to the browser that the cookie should only be transmitted using Transport Layer Security (TLS). CA5384: Do not use digital signature algorithm (DSA) DSA is a weak asymmetric encryption algorithm. CA5385: Use RivestâShamirâAdleman (RSA) algorithm with sufficient key size An RSA key smaller than 2048 bits is more vulnerable to brute force attacks. CA5386: Avoid hardcoding SecurityProtocolType value Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, TLS 1.2 and TLS 1.3 may be deprecated. To ensure that your application remains secure, avoid hardcoding a protocol version and target at least .NET Framework v4.7.1. CA5387: Do not use weak key derivation function with insufficient iteration count This rule checks if a cryptographic key was generated by Rfc2898DeriveBytes with an iteration count of less than 100,000. A higher iteration count can help mitigate against dictionary attacks that try to guess the generated cryptographic key. CA5388: Ensure sufficient iteration count when using weak key derivation function This rule checks if a cryptographic key was generated by Rfc2898DeriveBytes with an iteration count that may be less than 100,000. A higher iteration count can help mitigate against dictionary attacks that try to guess the generated cryptographic key. CA5389: Do not add archive item's path to the target file system path File path can be relative and can lead to file system access outside of the expected file system target path, leading to malicious config changes and remote code execution via lay-and-wait technique. CA5390: Do not hard-code encryption key For a symmetric algorithm to be successful, the secret key must be known only to the sender and the receiver. When a key is hard-coded, it is easily discovered. Even with compiled binaries, it is easy for malicious users to extract it. Once the private key is compromised, the cipher text can be decrypted directly and is not protected anymore. CA5391: Use antiforgery tokens in ASP.NET Core MVC controllers Handling a POST, PUT, PATCH, or DELETE request without validating an antiforgery token may be vulnerable to cross-site request forgery attacks. A cross-site request forgery attack can send malicious requests from an authenticated user to your ASP.NET Core MVC controller. CA5392: Use DefaultDllImportSearchPaths attribute for P/Invokes By default, P/Invoke functions using DllImportAttribute probe a number of directories, including the current working directory for the library to load. This can be a security issue for certain applications, leading to DLL hijacking. CA5393: Do not use unsafe DllImportSearchPath value There could be a malicious DLL in the default DLL search directories and assembly directories. Or, depending on where your application is run from, there could be a malicious DLL in the application's directory. CA5394: Do not use insecure randomness Using a cryptographically weak pseudo-random number generator may allow an attacker to predict what security-sensitive value will be generated. CA5395: Miss HttpVerb attribute for action methods All the action methods that create, edit, delete, or otherwise modify data needs to be protected with the antiforgery attribute from cross-site request forgery attacks. Performing a GET operation should be a safe operation that has no side effects and doesn't modify your persisted data. CA5396: Set HttpOnly to true for HttpCookie As a defense in depth measure, ensure security sensitive HTTP cookies are marked as HttpOnly. This indicates web browsers should disallow scripts from accessing the cookies. Injected malicious scripts are a common way of stealing cookies. CA5397: Do not use deprecated SslProtocols values Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Older protocol versions of TLS are less secure than TLS 1.2 and TLS 1.3 and are more likely to have new vulnerabilities. Avoid older protocol versions to minimize risk. CA5398: Avoid hardcoded SslProtocols values Transport Layer Security (TLS) secures communication between computers, most commonly with Hypertext Transfer Protocol Secure (HTTPS). Protocol versions TLS 1.0 and TLS 1.1 are deprecated, while TLS 1.2 and TLS 1.3 are current. In the future, TLS 1.2 and TLS 1.3 may be deprecated. To ensure that your application remains secure, avoid hardcoding a protocol version. CA5399: Definitely disable HttpClient certificate revocation list check A revoked certificate isn't trusted anymore. It could be used by attackers passing some malicious data or stealing sensitive data in HTTPS communication. CA5400: Ensure HttpClient certificate revocation list check is not disabled A revoked certificate isn't trusted anymore. It could be used by attackers passing some malicious data or stealing sensitive data in HTTPS communication. CA5401: Do not use CreateEncryptor with non-default IV Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. CA5402: Use CreateEncryptor with the default IV Symmetric encryption should always use a non-repeatable initialization vector to prevent dictionary attacks. CA5403: Do not hard-code certificate The data or rawData parameter of a X509Certificate or X509Certificate2 constructor is hard-coded. CA5404: Do not disable token validation checks TokenValidationParameters properties that control token validation should not be set to false. CA5405: Do not always skip token validation in delegates The callback assigned to AudienceValidator or LifetimeValidator always returns true.
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4