Security code review checklist: for each category, the vulnerabilities to look for and the questions to ask of the code.
SQL Injection

Vulnerability:
- Non-validated input used to generate SQL queries

Questions:
- Is the application susceptible to SQL injection?
- Does the code use parameterized stored procedures?
- Does the code use parameters in SQL statements?
- Does the code attempt to filter input?

Cross-Site Scripting

Vulnerability:
- Unvalidated and untrusted input in the HTML output stream

Questions:
- Does the code echo user input or URL parameters back to a Web page?
- Does the code persist user input or URL parameters to a data store that could later be displayed on a Web page?

Input/Data Validation

Vulnerability:
- Reliance on client-side validation
- Use of input file names, URLs, or user names for security decisions
- Application-only filters for malicious input

Questions:
- Does the code rely on client-side validation?
- Does the code accept path or file-based input?
- Does the code validate data from all sources?
- Does the code use a centralized approach to input and data validation?
- Does the code validate URLs?
- Does the code use MapPath?

Authentication

Vulnerability:
- Weak passwords
- Clear text credentials in configuration files
- Passing clear text credentials over the network
- Long sessions
- Mixing personalization with authentication

Questions:
- Does the code enforce strong user management policies?
- Does the code partition the Web site into restricted and public access areas?
- Does the code use protection="All"?
- Does the code restrict authentication cookies to HTTPS connections?
- Does the code use SHA1 for HMAC generation and AES for encryption?
- Does the code reduce ticket lifetime?
- Does the code keep personalization cookies separate from authentication cookies?
- Does the code use distinct cookie names and paths?

Forms Authentication

Vulnerability:
- Failure to protect the forms authentication cookie
- Forms authentication cookies are shared by multiple applications
- Passwords are stored in a database in clear text

Questions:
- Does the code persist forms authentication cookies?
- Does the code reduce ticket lifetime?
- Does the code use protection="All"?
- Does the code restrict authentication cookies to HTTPS connections?
- Does the code use SHA1 for HMAC generation and AES for encryption?
- Does the code keep personalization cookies separate from authentication cookies?
- Does the code use distinct cookie names and paths?
- How does the code store passwords in databases?

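The cookie questions in the Authentication and Forms Authentication sections map to a few web.config settings. The fragment below is an added example, not part of the original checklist: a weak `<forms>` configuration beside a hardened one. Application name, cookie names, paths and key values are placeholders.

```xml
<!-- WEAK: ticket neither encrypted nor signed, sent over HTTP, 7-day sliding
     lifetime, default cookie name and root path shared with every app on the host -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".ASPXAUTH" loginUrl="login.aspx"
             protection="None" requireSSL="false"
             timeout="10080" slidingExpiration="true" path="/" />
    </authentication>
  </system.web>
</configuration>

<!-- HARDENED: ticket encrypted and HMAC-signed (protection="All"), cookie only
     over HTTPS, short absolute lifetime, app-specific cookie name and path,
     explicit SHA1 validation / AES decryption keys, personalization and
     session cookies kept separate from the authentication cookie.
     Key values are placeholders; generate real keys per environment. -->
<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".OrdersApp_Auth" loginUrl="login.aspx"
             protection="All" requireSSL="true"
             timeout="20" slidingExpiration="false" path="/orders" />
    </authentication>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY"
                validation="SHA1" decryption="AES" />
    <httpCookies requireSSL="true" httpOnlyCookies="true" />
    <anonymousIdentification enabled="true" cookieName=".OrdersApp_Anon" />
    <sessionState cookieName=".OrdersApp_Session" />
  </system.web>
</configuration>
```

Reviewing the `<forms>`, `<machineKey>` and `<httpCookies>` elements together answers the protection, HTTPS, lifetime, algorithm and cookie-separation questions in one place.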
Authorization

Vulnerability:
- Reliance on a single gatekeeper

Questions:
- How does the code protect access to restricted pages?
- How does the code protect access to page classes?
- Does the code use Server.Transfer?

Code Access Security

Vulnerability:
- Improper use of link demands or asserts
- Code allows untrusted callers

Questions:
- Does the code use link demands or assert calls?
- Does the code use AllowPartiallyTrustedCallersAttribute?
- Does the code use potentially dangerous permissions?
- Does the code give dependencies too much trust?

Exception Management

Vulnerability:
- Failing to use structured exception handling
- Revealing too much information to the client

Questions:
- Does the code handle errors and exception conditions?
- Does the application fail securely in the event of exceptions?
- Does the application expose sensitive information in user sessions?

Impersonation

Vulnerability:
- Revealing service account credentials to the client
- Code executes with higher privileges than expected

Questions:
- Does the application use hard-coded impersonation credentials?
- Does the application clean up properly when it uses impersonation?

Sensitive Data

Vulnerability:
- Storing secrets in code
- Storing secrets in clear text
- Passing sensitive data in clear text over networks

Questions:
- Does the code store secrets?
- Is sensitive data stored in predictable locations?

Data Access

Vulnerability:
- Failing to protect database connection strings
- Using over-privileged accounts to access SQL Server

Questions:
- Does the application use SQL authentication?
- How does the application store database connection strings?

Cryptography

Vulnerability:
- Using custom cryptography
- Using the wrong algorithm or too small a key size
- Failing to secure encryption keys
- Using the same key for a prolonged period of time

Questions:
- Does the code use custom cryptographic algorithms?
- Does the code use the correct algorithm and an adequate key size?
- Does the code generate random numbers for cryptographic purposes?
- How does the code manage and store encryption keys?

Unsafe Code

Vulnerability:
- Buffer overrun in unmanaged code or code marked /unsafe
- Integer overflow in unmanaged code or code marked /unsafe
- Format string problem in unmanaged code or code marked /unsafe
- Array out of bounds in unmanaged code or code marked /unsafe

Questions:
- Is the code susceptible to buffer overruns?
- Is the code susceptible to integer overflows?
- Is the code susceptible to format string problems?
- Is the code susceptible to array out-of-bounds errors?

Potentially Dangerous Unmanaged APIs

Vulnerability:
- A potentially dangerous unmanaged API is called improperly

Questions:
- Does the code call potentially dangerous unmanaged APIs?

Auditing and Logging

Vulnerability:
- Sensitive data revealed in logs

Questions:
- Does the application log sensitive data?