
While running the Veracode scan, a vulnerability has been thrown for the below line:

```csharp
Page.Response.BinaryWrite(stream.GetBuffer());
```

Where, stream is an object of System.IO.MemoryStream.

I have tried the below line of code

```csharp
Page.Response.BinaryWrite(Encoding.ASCII.GetBytes(HttpUtility.HtmlEncode(stream.GetBuffer())))
```

But, the same issue appears again in the scan.

Some details of the scan error:

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)

Jubin Justifies
HarshSharma
  • Have you tried to check this [thread](https://stackoverflow.com/questions/21912509/how-to-fix-improper-neutralization-of-script-related-html-tags-in-a-web-page-ba) and encode or escape the response? – Pavel Anikhouski Dec 04 '19 at 09:24
  • The weakness description is pretty clear: _The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages._ (from [here](https://infosec.cert-pa.it/cwe-80.html)) – Pavel Anikhouski Dec 04 '19 at 09:28
  • Have you seen this https://stackoverflow.com/questions/21912509/how-to-fix-improper-neutralization-of-script-related-html-tags-in-a-web-page-ba ? – Basil Kosovan Dec 05 '19 at 20:16
  • Ok, let's zoom out, you are trying to respond some stream from .... to ... where? What kind of app? MVC, webforms? I have a feeling you just forgot to set some header or are responding some file the wrong way. – ikwillem Dec 08 '19 at 22:26
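
The header-based approach hinted at in the last comment, as an added example that is not part of the original question or its comments: the bytes are sent with an explicit non-HTML content type, as an attachment, with content sniffing disabled, so the browser has no reason to interpret them as a web page. The `SafeBinaryResponse` helper, its allowlist and the file name in the usage comment are assumptions made for illustration; it assumes ASP.NET on .NET Framework (`System.Web`).

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper (not from the question). Usage from a page:
//   SafeBinaryResponse.Write(Page.Response, stream, "report.pdf");
public static class SafeBinaryResponse
{
    // Constructed allowlist: only the types the application intends to serve.
    private static readonly Dictionary<string, string> AllowedTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { ".pdf",  "application/pdf" },
            { ".xlsx", "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" },
            { ".csv",  "text/csv" }
        };

    public static void Write(HttpResponse response, MemoryStream stream, string fileName)
    {
        string ext = Path.GetExtension(fileName ?? string.Empty);
        string contentType;
        if (!AllowedTypes.TryGetValue(ext, out contentType))
            throw new ArgumentException("File type is not on the allowlist.", "fileName");

        // Keep only characters that cannot break out of the quoted header value.
        string safeName = Regex.Replace(Path.GetFileName(fileName), @"[^A-Za-z0-9._-]", "_");

        response.Clear();
        // Explicit non-HTML type, so the body is not rendered as a web page.
        response.ContentType = contentType;
        // Stop browsers from sniffing the body and treating it as HTML.
        response.AddHeader("X-Content-Type-Options", "nosniff");
        // Offer a download instead of rendering inline in the site's origin.
        response.AddHeader("Content-Disposition",
                           "attachment; filename=\"" + safeName + "\"");

        // ToArray() returns only the bytes written; GetBuffer() returns the whole
        // underlying buffer, including unused capacity past stream.Length.
        response.BinaryWrite(stream.ToArray());
    }
}
```

`HttpUtility.HtmlEncode` is meant for text that is placed into HTML markup; called on a `byte[]` it encodes the object's string representation rather than the file contents, so it is not used here.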
