Content Pack Version - CP.8.9.0.60123 (C#)

Installation

When installing the content packs, you have to follow the procedures outlined in CxSAST 8.9.0 Ruleset Content Packs: Installation

Installation Order

This content pack does not include the Java content (it is not cumulative with the Java content pack), so both content packs must be installed to obtain the improvements for Java and C#.

The content packs must always be installed in an ascending order according to the version number.

Content

Each rule set content pack includes improvements to queries, and optionally also to presets. Technically, these changes are delivered through DB upgrade scripts, which affect relevant tables.

Detailed content descriptions are given below:

This content pack (CP) is targeting the C# language only. It contains improvements for queries and extends the Checkmarx Express presets available in previous content packs.

In this rule set content pack, the following improvements were obtained for C# after installing Checkmarx Express:

  • For High Risk queries, accuracy has improved by 39%
  • For Medium Threat queries, accuracy has improved by 2%

Although this content pack may introduce new results, its main goal is to reduce the number of False Positive results and improve the accuracy.

The following improvements for C# queries were obtained:

  • Improve sinks on Code Injection with script and async APIs
  • Improve Connection String Injection sanitizers to remove static strings
  • Improve Deserialization of untrusted data sinks to include binary formatters and serialization binders
  • Improve Resource Injection sanitizers to consider string sanitization methods, encodings and whitelist validation
  • Improve Stored XSS sanitizers
  • Improve XPath Injection and Stored XPath Injection sanitizers
  • Improve Stored Code Injection sanitizers with Compiler Options Output Assembly
  • Improve DB Parameter Tampering sanitizers with authorization validations
  • Improve DoS by Sleep sanitizers when using properly configured SpinWait and Thread.Sleep APIs
  • Improve Hardcoded Password in connection string inputs when using variables containing static strings
  • Improve Heap Inspection to avoid bad results on page view controls
  • Improve SQL Injection Evasion Attack sanitizers, extending them with more decoding APIs
  • Improve Trust Boundary Violation sanitizers with numeric types and sinks with session saves
  • Improve Use of Hardcoded Cryptographic Key sanitizers to avoid OUID and consider decrypted values as safe
  • Improve Missing HSTS Header to support further time span APIs when using bad configuration
  • Improve ASP MVC controller support
  • Improve ASP MVC/Razor XSRF token support
  • Improve general sanitization when using whitelist mappings and numeric APIs
  • Improve Entity Framework API support
  • Improve Database support for async APIs
  • Improve Database LINQ supported APIs
  • Improve Salesforce Database supported APIs
  • Improve support for safe hashing algorithms
  • Improve Deserialization of untrusted data
  • Rewrite Unsafe Object Binding with improved sources and sinks

It also includes an extended version of Checkmarx Express, which contains 38 C# queries:

Queries included with Checkmarx Express:

CSharp.High_Risk.Code_Injection
CSharp.High_Risk.Command_Injection
CSharp.High_Risk.Connection_String_Injection
CSharp.High_Risk.LDAP_Injection
CSharp.High_Risk.Reflected_XSS_All_Clients
CSharp.High_Risk.Resource_Injection
CSharp.High_Risk.Second_Order_SQL_Injection
CSharp.High_Risk.SQL_Injection
CSharp.High_Risk.Stored_XSS
CSharp.High_Risk.XPath_Injection
CSharp.Low_Visibility.Use_Of_Hardcoded_Password
CSharp.Low_Visibility.Log_Forging
CSharp.Low_Visibility.Open_Redirect
CSharp.Medium_Threat.DB_Parameter_Tampering
CSharp.Medium_Threat.DoS_by_Sleep
CSharp.Medium_Threat.Path_Traversal
CSharp.Medium_Threat.Use_of_Hard_coded_Cryptographic_Key
CSharp.Medium_Threat.Hardcoded_password_in_Connection_String
CSharp.Medium_Threat.Privacy_Violation
CSharp.Medium_Threat.ReDoS_By_Regex_Injection
CSharp.Medium_Threat.SQL_Injection_Evasion_Attack
CSharp.Medium_Threat.Trust_Boundary_Violation
CSharp.Medium_Threat.XSRF
CSharp.Medium_Threat.Session_Fixation
CSharp.Medium_Threat.Use_of_Cryptographically_Weak_PRNG
CSharp.Low_Visibility.Use_Of_Broken_Or_Risky_Cryptographic_Algorithm
CSharp.Medium_Threat.HttpOnlyCookies
CSharp.Medium_Threat.MVC_View_Injection
CSharp.Medium_Threat.No_Request_Validation
CSharp.Medium_Threat.Stored_LDAP_Injection
CSharp.Medium_Threat.Stored_XPath_Injection
CSharp.Medium_Threat.Insecure_Cookie
CSharp.Medium_Threat.Improper_Restriction_of_XXE_Ref
CSharp.Medium_Threat.Heap_Inspection
CSharp.Medium_Threat.Unsafe_Object_Binding
CSharp.High_Risk.Deserialization_of_Untrusted_Data
CSharp.Medium_Threat.Missing_HSTS_Header
CSharp.High_Risk.Deserialization_of_Untrusted_Data_MSMQ

Concerning the accuracy improvements, the following queries are improved by installing this content pack:

CSharp.CSharp_Best_Coding_Practice.Dynamic_SQL_Queries
CSharp.CSharp_Heuristic.Heuristic_2nd_Order_SQL_Injection
CSharp.CSharp_Heuristic.Heuristic_DB_Parameter_Tampering
CSharp.CSharp_Heuristic.Heuristic_Parameter_Tampering
CSharp.CSharp_Heuristic.Heuristic_SQL_Injection
CSharp.CSharp_Heuristic.Heuristic_Stored_XSS
CSharp.CSharp_Heuristic.Heuristic_XSRF
CSharp.CSharp_High_Risk.Code_Injection
CSharp.CSharp_High_Risk.Command_Injection
CSharp.CSharp_High_Risk.Connection_String_Injection
CSharp.CSharp_High_Risk.Deserialization_of_Untrusted_Data
CSharp.CSharp_High_Risk.Deserialization_of_Untrusted_Data_MSMQ
CSharp.CSharp_High_Risk.LDAP_Injection
CSharp.CSharp_High_Risk.Reflected_XSS_All_Clients
CSharp.CSharp_High_Risk.Resource_Injection
CSharp.CSharp_High_Risk.Second_Order_SQL_Injection
CSharp.CSharp_High_Risk.Stored_XSS
CSharp.CSharp_High_Risk.UTF7_XSS
CSharp.CSharp_High_Risk.XPath_Injection
CSharp.CSharp_Medium_Threat.Buffer_Overflow
CSharp.CSharp_Medium_Threat.CGI_XSS
CSharp.CSharp_Medium_Threat.Cookie_Injection
CSharp.CSharp_Medium_Threat.Data_Filter_Injection
CSharp.CSharp_Medium_Threat.DB_Parameter_Tampering
CSharp.CSharp_Medium_Threat.DoS_by_Sleep
CSharp.CSharp_Medium_Threat.Hardcoded_password_in_Connection_String
CSharp.CSharp_Medium_Threat.Heap_Inspection
CSharp.CSharp_Medium_Threat.HTTP_Response_Splitting
CSharp.CSharp_Medium_Threat.Improper_Restriction_of_XXE_Ref
CSharp.CSharp_Medium_Threat.Insufficient_Connection_String_Encryption
CSharp.CSharp_Medium_Threat.Missing_Column_Encryption
CSharp.CSharp_Medium_Threat.MVC_View_Injection
CSharp.CSharp_Medium_Threat.Parameter_Tampering
CSharp.CSharp_Medium_Threat.Path_Traversal
CSharp.CSharp_Medium_Threat.Persistent_Connection_String
CSharp.CSharp_Medium_Threat.Privacy_Violation
CSharp.CSharp_Medium_Threat.ReDoS_By_Regex_Injection
CSharp.CSharp_Medium_Threat.ReDoS_In_Code
CSharp.CSharp_Medium_Threat.Reflected_XSS_Specific_Clients
CSharp.CSharp_Medium_Threat.Session_Fixation
CSharp.CSharp_Medium_Threat.SQL_Injection_Evasion_Attack
CSharp.CSharp_Medium_Threat.Stored_Command_Injection
CSharp.CSharp_Medium_Threat.Stored_LDAP_Injection
CSharp.CSharp_Medium_Threat.Stored_XPath_Injection
CSharp.CSharp_Medium_Threat.Trust_Boundary_Violation
CSharp.CSharp_Medium_Threat.Unsafe_Object_Binding
CSharp.CSharp_Medium_Threat.Use_of_Hard_coded_Cryptographic_Key
CSharp.CSharp_Medium_Threat.XSRF
CSharp.CSharp_Low_Visibility.Blind_SQL_Injections
CSharp.CSharp_Low_Visibility.Cleansing_Canonicalization_and_Comparison_Errors
CSharp.CSharp_Low_Visibility.Dangerous_File_Upload
CSharp.CSharp_Low_Visibility.Impersonation_Issue
CSharp.CSharp_Low_Visibility.Improper_Exception_Handling
CSharp.CSharp_Low_Visibility.Information_Exposure_Through_an_Error_Message
CSharp.CSharp_Low_Visibility.Insufficiently_Protected_Credentials
CSharp.CSharp_Low_Visibility.JavaScript_Hijacking
CSharp.CSharp_Low_Visibility.Leaving_Temporary_Files
CSharp.CSharp_Low_Visibility.Log_Forging
CSharp.CSharp_Low_Visibility.Open_Redirect
CSharp.CSharp_Low_Visibility.Potential_ReDoS
CSharp.CSharp_Low_Visibility.Potential_ReDoS_By_Injection
CSharp.CSharp_Low_Visibility.Potential_ReDoS_In_Code
CSharp.CSharp_Low_Visibility.Potential_ReDoS_In_Static_Field
CSharp.CSharp_Low_Visibility.Stored_Code_Injection
CSharp.CSharp_Low_Visibility.Thread_Safety_Issue
CSharp.CSharp_Low_Visibility.Use_of_RSA_Algorithm_without_OAEP
CSharp.CSharp_Low_Visibility.XSS_Evasion_Attack
CSharp.CSharp_Windows_Phone.Client_Side_Injection
CSharp.CSharp_Windows_Phone.Insecure_Data_Storage
CSharp.CSharp_Windows_Phone.Poor_Authorization_and_Authentication

To provide these improvements, the following queries were changed by the content pack:

CSharp_High_Risk.Code_Injection.cxq
CSharp_High_Risk.Connection_String_Injection.cxq
CSharp_High_Risk.Deserialization_of_Untrusted_Data_MSMQ.cxq
CSharp_High_Risk.Resource_Injection.cxq
CSharp_High_Risk.Second_Order_SQL_Injection.cxq
CSharp_High_Risk.Stored_XSS.cxq
CSharp_High_Risk.XPath_Injection.cxq
CSharp_Low_Visibility.Improper_Exception_Handling.cxq
CSharp_Low_Visibility.Stored_Code_Injection.cxq
CSharp_Medium_Threat.DB_Parameter_Tampering.cxq
CSharp_Medium_Threat.DoS_by_Sleep.cxq
CSharp_Medium_Threat.Hardcoded_password_in_Connection_String.cxq
CSharp_Medium_Threat.Heap_Inspection.cxq
CSharp_Medium_Threat.SQL_Injection_Evasion_Attack.cxq
CSharp_Medium_Threat.Stored_XPath_Injection.cxq
CSharp_Medium_Threat.Trust_Boundary_Violation.cxq
CSharp_Medium_Threat.Use_of_Hard_coded_Cryptographic_Key.cxq
General.Find_ASP_MVC_Controllers.cxq
General.Find_ASP_MVC_Outputs.cxq
General.Find_ASP_MVC_XSRF.cxq
General.Find_CollectionAccesses.cxq
General.Find_Command_Injection_Sanitize.cxq
General.Find_Connection_String.cxq
General.Find_Connection_String_Sanitize.cxq
General.Find_DB_Command_DataSource_QSqlQuery.cxq
General.Find_DB_Command_ExecuteNonQuery.cxq
General.Find_DB_EF_In.cxq
General.Find_DB_Entlib_Execute.cxq
General.Find_DB_Ibatis.cxq
General.Find_DB_Linq_Full.cxq
General.Find_DB_Out.cxq
General.Find_DB_Salesforce.cxq
General.Find_DB_Sqlite_Xamarin.cxq
General.Find_Deserialization_Sanitizers.cxq
General.Find_FileSystem_Read.cxq
General.Find_Hashing_Functions.cxq
General.Find_Inherited_Classes.cxq
General.Find_Insecure_Hash.cxq
General.Find_Integers.cxq
General.Find_Interactive_Inputs.cxq
General.Find_Match.cxq
General.Find_ReDoS.cxq
General.Find_Read.cxq
General.Find_Regex.cxq
General.Find_Regex_Safe_Arguments.cxq
General.Find_Replace.cxq
General.Find_Request.cxq
General.Find_SQL_Sanitize.cxq
General.Find_Sanitize.cxq
General.Find_Secure_Hash.cxq
General.Find_Stored_Inputs.cxq
General.Find_Unsafe_DeserializeObject.cxq
General.Find_Unsafe_Deserializers.cxq
General.Find_Unsafe_Implementation_of_SerializationBinder.cxq
General.Find_XPath_Injection_Sanitizers.cxq
General.Find_XPath_Output.cxq
General.Find_XSS_Outputs.cxq
General.Get_Controller_Of_View.cxq
General.Get_Rightmost_Members_From_References.cxq
Common_High_Risk.Deserialization_of_Untrusted_Data.cxq