Triage5 by cx-sean-casey · Pull Request #3 · cx-sean-casey/WebGoat.NET

cx-sean-casey · 2025-02-26T17:15:07Z

test

cx-sean-casey · 2025-02-26T17:16:22Z

Checkmarx One – Scan Summary & Details – 1b250a3d-76f5-4929-a8ed-1f02809f1ae8

New Issues (4)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
Reflected_XSS	/WebGoat/WebGoatCoins/ProductDetails.aspx: 19	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 19 of /WebGoat/WebGoatCoins/ProductDetails.aspx. This ... Attack Vector
Reflected_XSS	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 9	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 9 of /WebGoat/WebGoatCoins/CustomerLogin.aspx. This un... Attack Vector
Missing_HSTS_Header	/WebGoat/Resources/Master-Pages/Site.Master: 28	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
Unpinned Actions Full Length Commit SHA	/main.yml: 29	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues (95)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 1
	~~Reflected_XSS_All_Clients~~	/WebGoat/WebGoatCoins/ProductDetails.aspx: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Missing_HSTS_Header~~	/WebGoat/Resources/Master-Pages/Site.Master: 1
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 127
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 123
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 116
	~~Password_In_Comment~~	/WebGoat/Code/SQLiteMembershipProvider.cs: 112
	~~Unpinned Actions Full Length Commit SHA~~	/main.yml: 28

Policy Management Violations (1)

Policy Name: test3

Rule Name: no highs
Scanner: SAST
Entity: Vulnerability
Conditions(s): High > 1

Issue	Source File / Package	Checkmarx Insight
HttpOnly_Cookie_Flag_Not_Set_In_Config	/WebGoat/Web.config: 45	details The /WebGoat/Web.config application configuration file, at line 45, does not define sensitive application cookies with the "httpOnly" flag, which c... Attack Vector
Reflected_XSS	/WebGoat/WebGoatCoins/ProductDetails.aspx: 19	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 19 of /WebGoat/WebGoatCoins/ProductDetails.aspx. This ... Attack Vector
Reflected_XSS	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 9	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 9 of /WebGoat/WebGoatCoins/CustomerLogin.aspx. This un... Attack Vector
Reflected_XSS	/WebGoat/Content/UploadPathManipulation.aspx.cs: 26	details The method btnUpload_Click embeds untrusted data in generated output with Text, at line 26 of /WebGoat/Content/UploadPathManipulation.aspx.cs. This... Attack Vector
Reflected_XSS	/WebGoat/WebGoatCoins/Orders.aspx.cs: 114	details The method GridView1_RowDataBound embeds untrusted data in generated output with Text, at line 114 of /WebGoat/WebGoatCoins/Orders.aspx.cs. This un... Attack Vector
Reflected_XSS	/WebGoat/Content/HeaderInjection.aspx.cs: 33	details The method Page_Load embeds untrusted data in generated output with Text, at line 33 of /WebGoat/Content/HeaderInjection.aspx.cs. This untrusted da... Attack Vector
Reflected_XSS	/WebGoat/Content/ReflectedXSS.aspx.cs: 20	details The method LoadCity embeds untrusted data in generated output with Text, at line 26 of /WebGoat/Content/ReflectedXSS.aspx.cs. This untrusted data i... Attack Vector
Reflected_XSS	/WebGoat/Content/PathManipulation.aspx.cs: 33	details The method Page_Load embeds untrusted data in generated output with Text, at line 43 of /WebGoat/Content/PathManipulation.aspx.cs. This untrusted d... Attack Vector
Reflected_XSS	/WebGoat/WebGoatCoins/Orders.aspx.cs: 62	details The method Page_Load embeds untrusted data in generated output with Text, at line 83 of /WebGoat/WebGoatCoins/Orders.aspx.cs. This untrusted data i... Attack Vector
Reflected_XSS	/WebGoat/Content/SQLInjectionDiscovery.aspx.cs: 27	details The method btnFind_Click embeds untrusted data in generated output with Text, at line 30 of /WebGoat/Content/SQLInjectionDiscovery.aspx.cs. This un... Attack Vector
XPath_Injection	/WebGoat/Content/XPathInjection.aspx.cs: 20	details The application's FindSalesPerson method constructs an XPath query, for navigating an XML document. The XPath query is created with BinaryExpr, at ... Attack Vector

cx-sean-casey added 2 commits February 26, 2025 11:56

add Dockerfile

3cc7ac3

triage5

ad2b3a8

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Triage5#3

Triage5#3
cx-sean-casey wants to merge 2 commits intomasterfrom
triage5

cx-sean-casey commented Feb 26, 2025

Uh oh!

cx-sean-casey commented Feb 26, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

cx-sean-casey commented Feb 26, 2025

Uh oh!

cx-sean-casey commented Feb 26, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

cx-sean-casey commented Feb 26, 2025 •

edited

Loading