The Fortify tool has reported an "API Abuse - Mass Assignment: Insecure Binder Configuration" finding for the code below. I would appreciate help identifying the security flaw in it. The code is used to expose the application's session state through a global context; is there a better approach that achieves the same thing in line with OWASP guidance?
/// <summary>
/// Names of the entries this code stores in <c>HttpContext.Current.Session</c>.
/// Keeping the keys in one place is what keeps the reader and the writer in
/// <c>AppSession</c> in agreement; nothing else should spell the key out as a literal.
/// </summary>
public class SessionKeys
{
    // NOTE(review): the literal ends in a space ("my_History "). Both the getter and the
    // setter in AppSession go through this constant, so the pair is consistent, but any
    // code that indexes Session with a hand-typed "my_History" will silently miss the
    // entry. Confirm whether the trailing space is intended before trimming it, since
    // changing it would orphan whatever existing sessions have stored under the old key.
    public const string AppHistory = "my_History ";
}
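/// <summary>
/// Per-user session state for the application, backed by the ASP.NET
/// <c>HttpContext.Current.Session</c> store.
/// </summary>
/// <remarks>
/// Every member tolerates being used outside a request (for example from a
/// background thread or a unit test), where <c>HttpContext.Current</c> is null:
/// reads return null and writes are dropped. Reads and writes also tolerate a
/// request for which session state is not available, where
/// <c>HttpContext.Current.Session</c> itself is null; the previous version
/// dereferenced it unconditionally in the getter's condition and would have thrown
/// a <see cref="System.NullReferenceException"/> in that case.
/// </remarks>
public class AppSession : IAppSession
{
    /// <summary>
    /// The history view model stored for the current session, or null when there is
    /// no current request, no session, no stored entry, or the stored entry is not an
    /// <c>AppHistoryViewModel</c>. Setting it overwrites the entry (a null value clears
    /// it); the write is silently dropped when there is no request or session.
    /// </summary>
    public AppHistoryViewModel AppHistory
    {
        get
        {
            System.Web.SessionState.HttpSessionState session = CurrentSession();
            if (session == null)
            {
                return null;
            }
            // 'as' rather than a cast: a stale or foreign object under this key yields
            // null instead of an InvalidCastException on every page that reads it.
            return session[SessionKeys.AppHistory] as AppHistoryViewModel;
        }
        set
        {
            System.Web.SessionState.HttpSessionState session = CurrentSession();
            if (session != null)
            {
                session[SessionKeys.AppHistory] = value;
            }
        }
    }

    /// <summary>
    /// Returns the session of the current request, or null when there is no current
    /// request or when session state is not available for it.
    /// </summary>
    private static System.Web.SessionState.HttpSessionState CurrentSession()
    {
        HttpContext context = HttpContext.Current;
        if (context == null)
        {
            return null;
        }
        return context.Session;
    }
}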
/// <summary>
/// Controller whose per-request session access goes through <c>IAppSession</c>.
/// Authorisation is applied by <c>UserProfileAuthorizationFilter</c>, which is given
/// <c>Order = 0</c> so that it runs before any other filter on this controller.
/// </summary>
/// <remarks>
/// NOTE(review): <c>AppSession</c> is a public, settable property on a controller, and a
/// public setter reachable by reflection is the pattern that a "Mass Assignment:
/// Insecure Binder Configuration" finding describes. ASP.NET MVC's default model binder
/// populates action-method parameters rather than controller properties, so this
/// setter is not obviously reachable from request data; the usual remediation for the
/// finding is nevertheless to inject the dependency through the constructor (or a
/// non-public setter) and to whitelist bindable members (<c>[Bind(Include = ...)]</c>)
/// on any model type that is an action parameter. The setter is left public here
/// because the "Setter Injection" region indicates a container relies on it.
/// </remarks>
[UserProfileAuthorizationFilter(Order = 0)]
public class MyController : BaseController
{
    #region Setter Injection
    private IAppSession _appSession;

    /// <summary>
    /// The session wrapper for this controller. Resolves to a new <c>AppSession</c> on
    /// first read if nothing has been injected; once a value is present, later sets are
    /// ignored. An injection that arrives after the first read is therefore silently
    /// discarded, so the container must set this before any action or filter reads it.
    /// </summary>
    public IAppSession AppSession
    {
        get
        {
            if (_appSession == null)
            {
                _appSession = new AppSession();
            }
            return _appSession;
        }
        set
        {
            // First writer wins; subsequent writes are deliberately dropped.
            if (_appSession != null)
            {
                return;
            }
            _appSession = value;
        }
    }
    #endregion
}
Thank You!!