C Sharp Unvalidated Output In Response
Description
Detects when web applications write unvalidated data to HTTP responses through dangerous methods like AddHeader and Write. This vulnerability could allow attackers to manipulate response headers or inject malicious content, potentially leading to Header Injection or Cross-Site Scripting (XSS) attacks.
Detection Strategy
• Identifies calls to dangerous response manipulation methods like 'AddHeader' and 'Write' in C# code
• Checks if the data being written to the response comes from untrusted sources without proper validation
• Reports a vulnerability when unvalidated user input or external data is directly written to HTTP responses through these dangerous methods
• Examines the data flow to ensure the detected usage is actually unsafe (not just any call to these methods)
Vulnerable code example
using System.Web;
using System.Net.Sockets;
using System.IO;
public class VulnerableController
{
public void ProcessRequest(HttpRequest req, HttpResponse res)
{...
✅ Secure code example
using System;
using System.Web;
using System.Net.Sockets;
using System.IO;
using System.Web.UI;
public class SecureController
{...
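Because both examples above are truncated, here is an added, self-contained illustration of the pattern the Detection Strategy describes: request data reaching the AddHeader and Write sinks unvalidated, beside a hardened version. This is example code written for this page, not Fluid Attacks' own rule code; the class, method and parameter names are assumptions, and it targets the classic ASP.NET System.Web API rather than ASP.NET Core.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not Fluid Attacks' code). Class and method names are assumed.
public class UnvalidatedOutputExamples
{
    // Vulnerable: two request parameters flow straight into response sinks.
    public static void Vulnerable(HttpRequest req, HttpResponse res)
    {
        string lang = req.QueryString["lang"];   // untrusted
        string name = req.QueryString["name"];   // untrusted

        // Header injection sink: the value is not checked for CR/LF or for
        // being a plausible language tag before becoming a response header.
        res.AddHeader("Content-Language", lang);

        // XSS sink: untrusted text is written into HTML without encoding.
        res.Write("<p>Hello " + name + "</p>");
    }

    // Allow-list for the header value. Note \z rather than $: in .NET, $ also
    // matches before a trailing newline, which is exactly the character a
    // header-injection check must reject.
    private static readonly Regex LangTag =
        new Regex(@"^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*\z", RegexOptions.Compiled);

    // Returns the input only if it matches the allow-list; otherwise a fixed
    // default, so nothing attacker-controlled is echoed into the header.
    public static string SafeHeaderValue(string value)
    {
        if (string.IsNullOrEmpty(value) || !LangTag.IsMatch(value))
            return "en";
        return value;
    }

    // HTML-encodes the untrusted value for the HTML body context.
    public static string SafeBody(string name)
    {
        return "<p>Hello " + HttpUtility.HtmlEncode(name ?? string.Empty) + "</p>";
    }

    // Hardened: same sinks, but every untrusted value is validated or encoded
    // before it reaches them, which is what the rule's data-flow check looks for.
    public static void Secure(HttpRequest req, HttpResponse res)
    {
        res.AddHeader("Content-Language", SafeHeaderValue(req.QueryString["lang"]));
        res.Write(SafeBody(req.QueryString["name"]));
    }
}
```

The design point is that the hardened version does not rely on the framework's own header checking as its only defence: the header value is constrained to an allow-list with a fixed fallback, and the body value is encoded for the context it is written into (HTML here; a value written into a JavaScript or URL context would need the matching encoder instead of HtmlEncode).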