Questions tagged [secure-coding]

Topics related to coding patterns and best practices for avoiding common bugs and security holes.

Failure to adhere to secure coding practices may result in various classes of vulnerabilities such as buffer overflows, integer overflow or wraparound, command injection, improper sanitization of data, and more. Requirements and best practices for secure coding differ across programming languages. Manual code reviews and automated evaluation using static or dynamic code analysis tools can help improve code quality and promote more secure coding.

211 questions
2 votes · 2 answers

How to fix Reflected XSS vulnerability in my node.js application

I am writing the backend of an application using express in node.js. Checkmarx highlights this issue: Improper Neutralization of Input During Web Page Generation The line of code highlighted: const token = req.params.company2tftoken; What can I do…
Light71192
2 votes · 1 answer

Default Definer Rights in Method Definition

In a Checkmarx report, I'm getting the below: Default Definer Rights in Method Definition. It has highlighted a case statement (shown below): case when v_risk='RISK' then 'Y' else 'N' Please let me know what the issue is and what needs to be done to…
Natty
2 votes · 0 answers

CERT-like Secure Coding standards for C#

I am still fairly new to the C# world compared to my experience with C++ and I am currently wondering if there is anything on secure coding rules / best practices / coding guidelines for C# apart from the very short list provided by Microsoft here:…
2 votes · 1 answer

Page_load method may leak server-side conditional values, enabling user tracking from another website

I am getting Cross Site History Manipulation issue on a Checkmarx scan of my solution. The issue I am getting is: Method Page_Load at line 40 of xyz\abc.aspx.cs may leak server-side conditional values, enabling user tracking from another website.…
Priyanka
2 votes · 1 answer

How to avoid command injection in node child_process exec

I am opening the IE browser in (via) my electron application using Node child_process. Code below: var cp = require('child_process'); var browser = cp.exec('start', 'iexplore', ['-private', args.url]); This is raising a command injection warning…
Sachet Gupta
2 votes · 1 answer

How to Fix Checkmarx Stored XSS issue from a getResultList element

In Java, in the line below: TypedQuery query=entityManger.createQuery(queryString, clazz); List result =query.getResultList(); It is saying that the variable result needs to be properly filtered or encoded otherwise it may enable a…
Nitesh
2 votes · 1 answer

How to fix checkmarx Trust Boundary Violation

I persist a value from user input request. Checkmarx complains there is Trust Boundary Violation. gets user input from element request. This element’s value flows through the code without being properly sanitized or validated and is eventually…
Yao Dong
2 votes · 0 answers

Java Trust Boundary Violation in checkmarx

I'm getting some issues with checkmarx Trust Boundary Violation. I have a method that generates word of .PDF document from .DOCX template. I’m sending template id and parameter list with their values as arguments for method. I have already tried…
Kiki
2 votes · 1 answer

Log forging in checkmarx scan in java

Log forging in checkmarx scan in Java. How to resolve log forging for Java in a checkmarx scan? I tried sanitizing input before putting it in the log file. But it still complains: validate or sanitize the input before logging. Please help me to resolve…
gautham
2 votes · 1 answer

SQL injection in an ALTER statement

Apologies if this is a duplicate. Let's say you have a Java app which has a query which can unlock/reset passwords for users like: "ALTER USER " + iD_Of_User.toUpperCase() + " IDENTIFIED BY " + password_Of_User + " ACCOUNT UNLOCK" Where iD_Of_User…
Garret
2 votes · 1 answer

Auto Sign-In to Power BI through code so as the report is visible in 'Secure Embed Code'

Issue: On several iOS devices, after clicking on the 'Sign-In' button within the iframe (having src as the Power BI report 'Secure Embed Code'), a new window opens to sign in to Power BI and after successful sign in, the window closes. However, the iframe does…
Sakshi Gupta
2 votes · 1 answer

checkmarx Client_Reflected_File_Download

Checkmarx has detected a security vulnerability in the code: Cross-domain jsonp ajax call not XSS safe. The suggestion given as: An explicit file name is not defined for the Content-Disposition header. Filename attribute is required in order to…
Vaibhav
2 votes · 2 answers

Cross Site History Manipulation(Checkmarx)

Does anyone know how to fix the Checkmarx vulnerability -- Cross Site History Manipulation for Java based applications? Here is the description provided by the Checkmarx scan -- "the method may leak server-side conditional values, enabling user tracking…
apandey
2 votes · 2 answers

strncpy replacement in gcc arm

Does strncpy() not have a proper equivalent in arm which will take both the destination size and the number of source characters to be copied, strlcpy(char * /*dst*/, const char * /*src*/, size_t /*len*/); so here we have to just use strlcpy() and hope…
Himanshu Sourav
2 votes · 2 answers

Integer Operation Without Overflow Check

Hi, I just ran a static code analysis on my code and I keep getting the error "Integer Operation Without Overflow Check". Can someone help me resolve this or tell me what it means exactly? I have already tried using the check keywords to fix…