Rebase-triage-efforts

[cx-sean-casey]

No description provided.

[cx-sean-casey]

Checkmarx One – Scan Summary & Details – f2caaff2-fd43-40cf-9e46-c068589cfa0b

New Issues (5)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	Stored_XSS	/WebGoat/Content/StoredXSS.aspx.cs: 49	details The method LoadComments embeds untrusted data in generated output with Text, at line 52 of /WebGoat/Content/StoredXSS.aspx.cs. This untrusted data ... Attack Vector
	Reflected_XSS	/WebGoat/WebGoatCoins/ProductDetails.aspx: 19	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 19 of /WebGoat/WebGoatCoins/ProductDetails.aspx. This ... Attack Vector
	Reflected_XSS	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 9	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 9 of /WebGoat/WebGoatCoins/CustomerLogin.aspx. This un... Attack Vector
	Missing_HSTS_Header	/WebGoat/Resources/Master-Pages/Site.Master: 28	details The web-application does not define an HSTS header, leaving it vulnerable to attack. Attack Vector
	Unpinned Actions Full Length Commit SHA	/main.yml: 29	details Pinning an action to a full length commit SHA is currently the only way to use an action as an immutable release. Pinning to a particular SHA helps...

Fixed Issues (130)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	SQL_Injection	/WebGoat/WebGoatCoins/ForgotPassword.aspx.cs: 67
	SQL_Injection	/WebGoat/Content/ForgotPassword.aspx.cs: 66
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 266
	Stored_XSS	/WebGoat/App_Code/DB/SqliteDbProvider.cs: 258
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 266
	Stored_XSS	/WebGoat/App_Code/DB/SqliteDbProvider.cs: 258
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 266
	Stored_XSS	/WebGoat/App_Code/DB/SqliteDbProvider.cs: 258
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 266
	Stored_XSS	/WebGoat/App_Code/DB/SqliteDbProvider.cs: 258
	Stored_XSS	/WebGoat/App_Code/DB/SqliteDbProvider.cs: 258
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 266
	Stored_XSS	/WebGoat/App_Code/DB/SqliteDbProvider.cs: 258
	Stored_XSS	/WebGoat/App_Code/DB/MySqlDbProvider.cs: 266

More results are available on the CxOne platform

Policy Management Violations (1)

Policy Name: test3

• Rule Name: no highs
  Scanner: SAST
  Entity: Vulnerability
  Conditions(s): High > 1

  Severity	Issue	Source File / Package	Checkmarx Insight
  	HttpOnly_Cookie_Flag_Not_Set_In_Config	/WebGoat/Web.config: 45	details The /WebGoat/Web.config application configuration file, at line 45, does not define sensitive application cookies with the "httpOnly" flag, which c... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/ProductDetails.aspx: 19	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 19 of /WebGoat/WebGoatCoins/ProductDetails.aspx. This ... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/CustomerLogin.aspx: 9	details The method Checkmarx_Container embeds untrusted data in generated output with Write, at line 9 of /WebGoat/WebGoatCoins/CustomerLogin.aspx. This un... Attack Vector
  	Reflected_XSS	/WebGoat/Content/SQLInjectionDiscovery.aspx.cs: 27	details The method btnFind_Click embeds untrusted data in generated output with Text, at line 30 of /WebGoat/Content/SQLInjectionDiscovery.aspx.cs. This un... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/Orders.aspx.cs: 62	details The method Page_Load embeds untrusted data in generated output with Text, at line 83 of /WebGoat/WebGoatCoins/Orders.aspx.cs. This untrusted data i... Attack Vector
  	Reflected_XSS	/WebGoat/Content/PathManipulation.aspx.cs: 33	details The method Page_Load embeds untrusted data in generated output with Text, at line 43 of /WebGoat/Content/PathManipulation.aspx.cs. This untrusted d... Attack Vector
  	Reflected_XSS	/WebGoat/Content/ReflectedXSS.aspx.cs: 20	details The method LoadCity embeds untrusted data in generated output with Text, at line 26 of /WebGoat/Content/ReflectedXSS.aspx.cs. This untrusted data i... Attack Vector
  	Reflected_XSS	/WebGoat/Content/HeaderInjection.aspx.cs: 33	details The method Page_Load embeds untrusted data in generated output with Text, at line 33 of /WebGoat/Content/HeaderInjection.aspx.cs. This untrusted da... Attack Vector
  	Reflected_XSS	/WebGoat/WebGoatCoins/Orders.aspx.cs: 114	details The method GridView1_RowDataBound embeds untrusted data in generated output with Text, at line 114 of /WebGoat/WebGoatCoins/Orders.aspx.cs. This un... Attack Vector
  	Reflected_XSS	/WebGoat/Content/UploadPathManipulation.aspx.cs: 26	details The method btnUpload_Click embeds untrusted data in generated output with Text, at line 26 of /WebGoat/Content/UploadPathManipulation.aspx.cs. This... Attack Vector
  	XPath_Injection	/WebGoat/Content/XPathInjection.aspx.cs: 20	details The application's FindSalesPerson method constructs an XPath query, for navigating an XML document. The XPath query is created with BinaryExpr, at ... Attack Vector