Skip to content

C#/.NET Security

The csharp-security pack enforces security rules for C# and .NET applications across ASP.NET Core and .NET Framework, covering injection, unsafe deserialization, cryptographic failures, TLS validation, and web misconfiguration.

Enable

sentrik add-pack csharp-security

Auto-suggested when Sentrik detects *.csproj, *.sln, or *.cs files in your project.

Rules

The pack includes 18 rules:

Injection (3)

ID Category Severity Description
CS-SQL-001 SQL Injection critical Concatenation/interpolation in SqlCommand/CommandText
CS-SQL-002 SQL Injection critical Interpolated strings in EF Core FromSqlRaw/ExecuteSqlRaw
CS-CMD-001 Command Injection critical Concatenated input in Process.Start arguments

Deserialization & XML (3)

ID Category Severity Description
CS-DESER-001 Deserialization critical BinaryFormatter and related insecure formatters
CS-DESER-002 Deserialization high Newtonsoft TypeNameHandling other than None
CS-XXE-001 XXE high DTD processing or XmlUrlResolver on untrusted XML

Cryptography (4)

ID Category Severity Description
CS-CRYPTO-001 Hashing high MD5/SHA-1 usage
CS-CRYPTO-002 Encryption high DES/3DES/RC2 ciphers
CS-CRYPTO-003 Encryption high CipherMode.ECB
CS-CRYPTO-004 Randomness medium System.Random for tokens/salts/secrets

TLS, paths, and secrets (3)

ID Category Severity Description
CS-TLS-001 Certificate Validation critical Validation callbacks returning true / DangerousAcceptAnyServerCertificateValidator
CS-PATH-001 Path Traversal high File paths built from Request/Query/Form data
CS-SECRET-001 Secrets medium Hardcoded passwords/API keys/connection credentials

Web configuration (5)

ID Category Severity Description
CS-CFG-001 Configuration medium debug="true" compilation in web.config
CS-WEB-001 Input Validation high ASP.NET request validation disabled
CS-WEB-002 Cookies medium Cookies without Secure/HttpOnly
CS-WEB-003 CORS high AllowAnyOrigin combined with AllowCredentials
CS-WEB-004 JWT high Token validation checks disabled

Framework mapping

Rules carry OWASP Top 10 tags (owasp-a01 through owasp-a08) so findings roll up into OWASP compliance reports alongside the owasp-top-10 pack.

Tier

Team tier and above. See pricing.