Veracode provides automated static and dynamic application security testing software and remediation services.
Questions tagged [veracode]
273 questions
19 votes, 4 answers
How to configure the XML parser to disable external entity resolution in c#
var xDoc = XDocument.Load(fileName);
I am using the above code in a function to load an XML file. Functionality-wise it's working fine, but it is showing the following Veracode flaw after a Veracode check.
Description
The product processes an XML document…
MANISH KUMAR CHOUDHARY
13 votes, 5 answers
How to fix Veracode CWE 117 (Improper Output Neutralization for Logs)
There is a Spring global @ExceptionHandler(Exception.class) method which logs exceptions like this:
@ExceptionHandler(Exception.class)
void handleException(Exception ex) {
logger.error("Simple error message", ex);
...
Veracode scan says that…
Vitaliy Borisok
9 votes, 0 answers
Insufficient Entropy from Veracode when generating random words using java.security.SecureRandom
I have created a class that generates random words (alphanumeric) using org.apache.commons.lang.RandomStringUtils.
public String randomWord(int wordLength) {
return RandomStringUtils.random(wordLength, 0, 0, true, true, null, new…
D.PETIT
8 votes, 1 answer
How to prevent XML eXternal Entity (XXE) attack during .net deserialization
We are doing a security analysis of our code using Veracode, and it's showing an XXE flaw for the code below, specifically where Deserialize() is invoked. How can we prevent the serializer from accessing external entities? My attempt below to set XMLresolver to…
user5837579
7 votes, 1 answer
XXE: Improper Restriction of XML External Entity Reference With XDocument
So I am running into an issue when I run a security scan on my application. It turns out that I am failing to protect against XXE.
Here is a short snippet showing the offending code:
static void Main()
{
string inp =…
Bitz
7 votes, 2 answers
Veracode XML External Entity Reference (XXE)
I've got the following finding in my Veracode report:
Improper Restriction of XML External Entity Reference ('XXE') (CWE ID 611)
referring to the code below:
...
DocumentBuilderFactory dbf=null;
DocumentBuilder db = null;
try { …
Jose Miguel
7 votes, 2 answers
"Untrusted initialization" flaw - while creating SQL Connection
I have done the following...
private static IDbConnectionProvider CreateSqlConnectionProvider(DbConfig dbConfig)
{
return new QcDbConnectionProvider(() =>
{
SqlConnectionStringBuilder csBuilder = new…
NJMR
7 votes, 1 answer
Veracode, Debug Symbols, and XCode
I'm attempting to have an iOS application scanned by Veracode: an application security platform. In order for them to scan an .IPA, the .IPA needs to contain debug symbols.
For the Archive build-configuration and project/target being used, I've…
paiego
6 votes, 2 answers
Unable to rectify VeraCode CWE ID 918 - (SSRF) in ASP.NET
Long story short, no matter what I try VeraCode continues to flag 8 lines of my code as flaws with CWE 918. This is old code so I'm not sure why it's suddenly being flagged.
Here's an example [offending] method with the flagged line in bold:
public…
Sirentec
6 votes, 1 answer
CWE-ID 100 Fix for MVC5
Our application is being dinged several hundred times with CWE-ID 100 "flaws" related to Technology-Specific Input Validation Problems, according to Veracode.
According to their docs, the remediation is to check the ModelState.IsValid property on a model…
mituw16
6 votes, 2 answers
Handle cross site scripting flaw raised by veracode
We have a legacy web application in ASP.Net and C#, for which we are getting around 400-plus cross-site scripting flaws raised by the Veracode scan.
I have created a sample web application and simulated the issue, and found that whenever we are using any…
Alok
6 votes, 2 answers
Veracode Insecure Temporary File error when using java.io.File.createTempFile
I need to create a temporary file and store some data into it. I have written the following code to do so:
import org.apache.commons.lang.RandomStringUtils;
import java.security.SecureRandom;
[...]
String random = RandomStringUtils.random(10, 0,…
D.PETIT
6 votes, 6 answers
How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"
After running VeraCode, it reported the following error, "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')", in the following code fragment:
protected override void InitializeCulture() {
//If true then setup…
piterskiy
5 votes, 2 answers
How to neutralize CRLF Sequences in HTTP Headers
I have gone through this link: How to fix "Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')"
But it does not give me the solution.
My code is also giving the error "Improper Neutralization of CRLF Sequences in…
koushik
4 votes, 0 answers
Veracode Scan XSS issue for Response.BinaryWrite() method
While running the Veracode scan, a vulnerability was thrown for the line below:
Page.Response.BinaryWrite(stream.GetBuffer());
where stream is an object of System.IO.MemoryStream.
I have tried the below line of…
HarshSharma