triage sql injection

[cx-sean-casey]

No description provided.

[cx-sean-casey]

Checkmarx One – Scan Summary & Details – 5798ec48-4b0d-4d86-bb53-83f028f23e89

New Issues (3)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Reflected_XSS	/WebGoat/WebGoatCoins/ProductDetails.aspx: 19	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 19 of /WebGoat/WebGoatCoins/ProductDetails.aspx. This ... Attack Vector
	Reflected_XSS	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 9	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 9 of /WebGoat/WebGoatCoins/CustomerLogin.aspx. This un... Attack Vector
	Missing_HSTS_Header	/WebGoat/Resources/Master-Pages/Site.Master: 28	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector

Fixed Issues (218)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 357

More results are available on the CxOne platform

Policy Management Violations (1)

Policy Name: test3

• Rule Name: no highs
  Scanner: SAST
  Entity: Vulnerability
  Conditions(s): High > 1

  Severity	Issue	Source File / Package	Checkmarx Insight
  	HttpOnly_Cookie_Flag_Not_Set_In_Config	/WebGoat/Web.config: 45	details The /WebGoat/Web.config application configuration file, at line 45, does not define sensitive application cookies with the "httpOnly" flag, which c... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/ProductDetails.aspx: 19	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 19 of /WebGoat/WebGoatCoins/ProductDetails.aspx. This ... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 9	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 9 of /WebGoat/WebGoatCoins/CustomerLogin.aspx. This un... Attack Vector
  	Reflected_XSS	/WebGoat/Content/UploadPathManipulation.aspx.cs: 26	details The method btnUpload_Click embeds untrusted data in generated output with Text, at line 26 of /WebGoat/Content/UploadPathManipulation.aspx.cs. This... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/Orders.aspx.cs: 114	details The method GridView1_RowDataBound embeds untrusted data in generated output with Text, at line 114 of /WebGoat/WebGoatCoins/Orders.aspx.cs. This un... Attack Vector
  	Reflected_XSS	/WebGoat/Content/HeaderInjection.aspx.cs: 33	details The method Page_Load embeds untrusted data in generated output with Text, at line 33 of /WebGoat/Content/HeaderInjection.aspx.cs. This untrusted da... Attack Vector
  	Reflected_XSS	/WebGoat/Content/ReflectedXSS.aspx.cs: 20	details The method LoadCity embeds untrusted data in generated output with Text, at line 26 of /WebGoat/Content/ReflectedXSS.aspx.cs. This untrusted data i... Attack Vector
  	Reflected_XSS	/WebGoat/Content/PathManipulation.aspx.cs: 33	details The method Page_Load embeds untrusted data in generated output with Text, at line 43 of /WebGoat/Content/PathManipulation.aspx.cs. This untrusted d... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/Orders.aspx.cs: 62	details The method Page_Load embeds untrusted data in generated output with Text, at line 83 of /WebGoat/WebGoatCoins/Orders.aspx.cs. This untrusted data i... Attack Vector
  	Reflected_XSS	/WebGoat/Content/SQLInjectionDiscovery.aspx.cs: 27	details The method btnFind_Click embeds untrusted data in generated output with Text, at line 30 of /WebGoat/Content/SQLInjectionDiscovery.aspx.cs. This un... Attack Vector
  	XPath_Injection	/WebGoat/Content/XPathInjection.aspx.cs: 20	details The application's FindSalesPerson method constructs an XPath query, for navigating an XML document. The XPath query is created with BinaryExpr, at ... Attack Vector