5

The method set_UserActiveEnvironments() in HttpContextHelper.cs stores a non-serializable object as an HttpSessionState attribute on line 47, which can damage application reliability

By default, ASP.NET servers store the HttpSessionState object, its attributes and any objects they reference in memory. This model limits active session state to what can be accommodated by the system memory of a single machine. In order to expand capacity beyond these limitations, servers are frequently configured to persistent session state information, which both expands capacity and permits the replication across multiple machines to improve overall performance. In order to persist its session state, the server must serialize the HttpSessionState object, which requires that all objects stored in it be serializable.

Why is it showing that as a vulnerability, and how do I fix it?

Mohanraj R
  • 51
  • 1
  • 4

2 Answers2

1

Mohanraj, maybe you've already found the solution, but below are a plausible explanation:

There are some false positive that HP Fortify indicates, and that is the why you need to analyze case by case on every vulnerability it indicates you, and that's the why it have a classification list for you analyze if the vulnerability found is a real threat or a false positive.

In this particular case, to heal the vulnerability you just need to decorate the class you are trying to transport / send to Session as [Serializable], which is higly recommendable when using session to store data inside your application.

Check on this article by Piet Obermeyer and Jonathan Hawkins which explains better the use of Serialization.

Hope this helps.

Elek Guidolin
  • 487
  • 1
  • 8
  • 21
  • HttpContext.Current.Session["PageName"] = "This Page"; How do I mark string as Serializable? i've passed by String pageName = "This Page"; HttpContext.Current.Session["PageName"] = pageName; as well. It won't let me use a string without the high vulerability reported. It is my belief that strings should be serializable. – stephenbayer Sep 23 '19 at 21:46
0

I think Fortify misinterprets set_accessor_declaration in C#. The finding looks like Fortify could not link the type of the value keyword to the type of the property.

https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/classes#accessors

Attempting to interpret the finding as if the Session property itself needs a Serializable attribute seems misdirected. A how-to article on different serialization modes in ASP.NET tells me that session serialization applies to the Session property's contents rather than the property as a whole.

https://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net

eel ghEEz
  • 1,186
  • 11
  • 24