C#/.NET Security¶
The csharp-security pack enforces security rules for C# and .NET applications across ASP.NET Core and .NET Framework, covering injection, unsafe deserialization, cryptographic failures, TLS validation, and web misconfiguration.
Enable¶
Auto-suggested when Sentrik detects *.csproj, *.sln, or *.cs files in your project.
Rules¶
The pack includes 18 rules:
Injection (3)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| CS-SQL-001 | SQL Injection | critical | Concatenation/interpolation in SqlCommand/CommandText |
| CS-SQL-002 | SQL Injection | critical | Interpolated strings in EF Core FromSqlRaw/ExecuteSqlRaw |
| CS-CMD-001 | Command Injection | critical | Concatenated input in Process.Start arguments |
Deserialization & XML (3)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| CS-DESER-001 | Deserialization | critical | BinaryFormatter and related insecure formatters |
| CS-DESER-002 | Deserialization | high | Newtonsoft TypeNameHandling other than None |
| CS-XXE-001 | XXE | high | DTD processing or XmlUrlResolver on untrusted XML |
Cryptography (4)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| CS-CRYPTO-001 | Hashing | high | MD5/SHA-1 usage |
| CS-CRYPTO-002 | Encryption | high | DES/3DES/RC2 ciphers |
| CS-CRYPTO-003 | Encryption | high | CipherMode.ECB |
| CS-CRYPTO-004 | Randomness | medium | System.Random for tokens/salts/secrets |
TLS, paths, and secrets (3)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| CS-TLS-001 | Certificate Validation | critical | Validation callbacks returning true / DangerousAcceptAnyServerCertificateValidator |
| CS-PATH-001 | Path Traversal | high | File paths built from Request/Query/Form data |
| CS-SECRET-001 | Secrets | medium | Hardcoded passwords/API keys/connection credentials |
Web configuration (5)¶
| ID | Category | Severity | Description |
|---|---|---|---|
| CS-CFG-001 | Configuration | medium | debug="true" compilation in web.config |
| CS-WEB-001 | Input Validation | high | ASP.NET request validation disabled |
| CS-WEB-002 | Cookies | medium | Cookies without Secure/HttpOnly |
| CS-WEB-003 | CORS | high | AllowAnyOrigin combined with AllowCredentials |
| CS-WEB-004 | JWT | high | Token validation checks disabled |
Framework mapping¶
Rules carry OWASP Top 10 tags (owasp-a01 through owasp-a08) so findings roll up into OWASP compliance reports alongside the owasp-top-10 pack.
Tier¶
Team tier and above. See pricing.