
To open a PDF file in the browser on the client side I am using the following server-side C# code

context.Response.BinaryWrite(byteArray);

Now the problem is that Veracode is reporting an XSS flaw (CWE ID 80) on this line.

Can anyone help me with how to resolve this flaw?

vcsjones

1 Answer


That's an indicator that tainted data is landing in the response stream of the request. This means an attacker could potentially inject data into your Web Site (what we call XSS) or in this specific case your pdf file (different than XSS, but still an injection weakness). I would make sure there isn't a vector for an attacker to inject arbitrary data into your PDF file that could be used to compromise a consumer of that PDF document.

m0nty
  • But how to fix it? How would you go around this Veracode fail? How should code reflect it? – gene Sep 03 '15 at 18:44
  • @m0nty, how should this security vulnerability be fixed? – Flying Dutchman Jan 29 '18 at 09:04
  • Sadly, the answer is "It depends." Without full source, there's no way to know. Generally speaking, you have to make sure the variable that's being written to the response stream comes from a trusted source that does not contain unsanitized user input. – m0nty Feb 05 '18 at 20:52
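One way to apply what m0nty describes, written here as an added example rather than code from the question or the answer: an ASP.NET IHttpHandler (the class name PdfHandler, the App_Data/pdfs folder and the id query parameter are assumptions) that selects the PDF by a validated id mapped to a server-side file, so nothing taken from the request reaches BinaryWrite, and that sets an explicit content type with nosniff so the browser will not render the bytes as HTML.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Added example (not from the question or answer): a handler that writes a PDF
// with BinaryWrite while keeping request-controlled data out of the response body.
// The document is chosen by a validated id mapped to a server-side path.
public class PdfHandler : IHttpHandler
{
    // Only a short alphanumeric id is accepted; anything else is rejected up front.
    private static readonly Regex IdPattern = new Regex("^[A-Za-z0-9]{1,32}$", RegexOptions.Compiled);

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Hypothetical folder holding the PDFs; the raw id never becomes a path by itself.
        string pdfRoot = context.Server.MapPath("~/App_Data/pdfs");
        string id = context.Request.QueryString["id"];
        if (id == null || !IdPattern.IsMatch(id))
        {
            context.Response.StatusCode = 400; // reject anything but a clean id
            return;
        }

        // Build the path from the validated id and confirm it still lies under pdfRoot.
        string path = Path.GetFullPath(Path.Combine(pdfRoot, id + ".pdf"));
        if (!path.StartsWith(pdfRoot + Path.DirectorySeparatorChar, StringComparison.OrdinalIgnoreCase) || !File.Exists(path))
        {
            context.Response.StatusCode = 404;
            return;
        }

        byte[] byteArray = File.ReadAllBytes(path);

        // Declare the type explicitly and forbid sniffing so the browser never treats
        // the body as HTML, whatever the bytes happen to contain.
        context.Response.Clear();
        context.Response.ContentType = "application/pdf";
        context.Response.AddHeader("X-Content-Type-Options", "nosniff");
        // The file name in the header is built from the regex-validated id, not from the
        // raw query string, so no header injection is possible.
        context.Response.AddHeader("Content-Disposition", "inline; filename=\"" + id + ".pdf\"");
        context.Response.BinaryWrite(byteArray);
        context.Response.Flush();
    }
}
```

The taint the scanner objects to is broken because the bytes come from File.ReadAllBytes on a server-chosen path, not from anything the client sent; whether a given scanner recognises the regex check as validation still has to be confirmed in its own report.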