Security IntelliSense Rule List

Rule - appsec_xml_doc_dtdprocessing_parse

Message
Do not use Parse option in System.Xml.DtdProcessing. DTD parsing can be exploited towards various DoS and elevation of privilege attacks.

Description
Do not use Parse option in System.Xml.DtdProcessing. DTD parsing can be exploited towards various DoS and elevation of privilege attacks.

Rule - appsec_xml_doc_resolver

Message
Use XmlResolver carefully in trusted document scenarios. Consider using XmlSecureResolver instead.

Description
Use XmlResolver carefully in trusted document scenarios. Consider using XmlSecureResolver instead.

Rule - appsec_xml_prohibitdtd_flag

Message
Do not set ProhibitDtd property to false. This may increase exposure to DoS and elevation of privilege attacks from DTD parsing.

Description
Do not set ProhibitDtd property to false. This may increase exposure to DoS and elevation of privilege attacks from DTD parsing.

Rule - authn_web_cookie_create_settings_1

Message
Set secure property to true wherever possible. Set HttpOnly to true wherever possible. Set shorter expiry time wherever possible.

Description
Set secure property to true wherever possible. Set HttpOnly to true wherever possible. Set shorter expiry time wherever possible.

Rule - authn_web_cookie_create_settings_2

Message
Set secure property to true wherever possible. Set HttpOnly to true wherever possible. Set shorter expiry time wherever possible.

Description
Set secure property to true wherever possible. Set HttpOnly to true wherever possible. Set shorter expiry time wherever possible.

Rule - authn_web_cookie_expiry

Message
Set cookie expiry to be as short as possible...especially if the cookie is being used for authenticated sessions.

Description
Long cookie expiry periods increase the exposure and exploitability of a cookie in the event that it gets stolen.

Rule - authn_web_cookie_httponly

Message
Set httponly to true to reduce risk of JavaScript accessing the cookies

Description
Set httponly to true to reduce risk of JavaScript accessing the cookies

Rule - authn_web_cookie_secure_flag

Message
Set secure to true to reduce risk of sending cookie over plain HTTP.

Description
Setting secure flag to true for a cookie ensures that the browser will never send it over a non-HTTPS connection. This protects the cookie from network layer disclosure.

Rule - authn_web_formsauthticket_timeout

Message
Mindful about the expiration time. Keep it short

Description
Mindful about the expiration time. Keep it short

Rule - authn_web_formsprotection_encryption

Message
FormsProtection should set to FormsProtectionEnum.All.

Description
FormsProtection should set to FormsProtectionEnum.All for adequately protecting cookies against various crypto attacks.

Rule - authn_web_formsprotection_none

Message
FormsProtection should set to FormsProtectionEnum.All.

Description
FormsProtection should set to FormsProtectionEnum.All for adequately protecting cookies against various crypto attacks.

Rule - authn_web_formsprotection_validation

Message
FormsProtection should set to FormsProtectionEnum.All.

Description
FormsProtection should set to FormsProtectionEnum.All for adequately protecting cookies against various crypto attacks.

Rule - azure_aad_authority_validation_turned_off

Message
Authority validation should not be disabled for AAD security tokens.

Description
Disabling authority validation implies that any well-formed token will get accepted regardless of which authority signed the token. This is rarely desirable. Do not explicitly set the validation to 'false' in the AuthenticationContext. The default value is 'true'.

Rule - azure_aad_avoid_custom_token_caching

Message
Custom token cache identified. Allow ADAL to transparently handle any caching needs for tokens.

Description
Do not use custom caches for ADAL tokens. The ADAL library uses a in-memory cache for the storage of tokens when no custom tokencache is provided explicitly to its AuthenticationContext constructor.

Rule - azure_aad_avoid_memberof

Message
The 'memberOf' method is not transitive, i.e. it doesn't return nested groups. As a result, it might lead to security bypass in certain cases.

Description
The 'memberOf' method is used for checking the group membership of a user. This method is not transitive, i.e. it doesn't return nested groups. As a result, it might lead to security bypass in certain cases. Review if the group membership verification logic in the code would work as intended even when the memberOf method is used. However, it is always recommended to use other API methods listed here: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations for checking the group membership.

Rule - azure_adal_avoid_accesstoken_in_code

Message
Explicit usage of accesstoken found in the code: access tokens should be handled securely. It is recommended not to store it separately in a persistent storage like databases or files, unless there is a compelling requirement.

Description
It is recommended to use ADAL library for acquiring the tokens as it saves them securely in an internal in-memory cache in its default configuration.

Rule - azure_adal_avoid_refreshtoken_in_code

Message
Explicit usage of refreshtoken found in the code: refresh tokens should be handled securely. It is recommended not to store it separately in a persistent storage like database and files, unless there is a compelling requirement.

Description
It is recommended to use ADAL library for acquiring the tokens as it saves them securely in a internal in-memory cache in its default configuration

Rule - azure_sbr_no_client_authentication

Message
It is unsafe to use 'RelayClientAuthenticationType.None' as it allows clients to connect to the relay without authentication. Use RelayClientAuthenticationType.RelayAccessToken.

Description
When using a service bus relays, clients have to authenticate to the relay in order to use it to connect to the on-premise endpoint. If 'None' is used for RelayClientAuthenticationType, it means any client (without credentials) can connect to the relay and attempt to reach the on-premise service.

Rule - azure_storage_blob_public_access

Message
The chosen setting for BlobContainerPublicAccessType will allow 'public' access of blobs within this container (without requiring an access token). This should be carefully evaluated in the context of the scenario.

Description
The chosen setting for BlobContainerPublicAccessType will allow 'public' access of blobs within this container (without requiring an access token). It is recommended to use BlobContainerPublicAccessType.Off unless it absolutely required. Creation of containers with unrestricted access should be carefully evaluated in the context of the scenario.

Rule - azure_storage_container_public_access

Message
The chosen setting for BlobContainerPublicAccessType will allow 'public' access of blobs within this container (without requiring an access token). This should be carefully evaluated in the context of the scenario.

Description
The chosen setting for BlobContainerPublicAccessType will allow 'public' access of blobs within this container (without requiring an access token). It is recommended to use BlobContainerPublicAccessType.Off unless it absolutely required. Creation of containers with unrestricted access should be carefully evaluated in the context of the scenario.

Rule - azure_storage_sas_use_https

Message
The 'HttpsOrHttp' option is insecure as it allows use of Http (plaintext) for content request and transfer. Use SharedAccessProtocol.HttpsOnly.

Description
Use of 'HttpsOrHttp' implies that both the request content and any headers (including SAS tokens) will get transferred over plaintext. Instead use SharedAccessProtocol.HttpsOnly to ensure the transfer is encrypted.

Rule - azure_storage_sastoken_validity_too_long

Message
Use shortest possible token lifetime appropriate for the scenario. See AAD default token expiration times here.

Description
It is recommended to set appropriate and short lifetime for tokens. Typically access tokens should have a validity period of a few hours (ideally kept as small as practical).

Rule - crypto_certs_weak_hmac

Message
The X509Certificate2 class does not support SHA256-based signatures.

Description
The X509Certificate2 class supports SHA1-based signature algorithms. These are considered weak and inadequate. Consider using RsaCryptoServiceProvider as that supports SHA-256-based signatures.

Rule - crypto_dpapi_avoid_localmachine_flag

Message
Use DataProtectionScope.CurrentUser. LocalMachine will open gates to all the processes running on the computer to unprotect the data.

Description
Use DataProtectionScope.CurrentUser. LocalMachine will open gates to all the processes running on the computer to unprotect the data.

Rule - crypto_enc_aes_weak_keysize

Message
Encryption key size used for AES must be large enough.

Description
When using AES encryption, key sizes used should be at least 256 bits. Use of 128 bits is currently allowed but only in backward compatibility scenarios.

Rule - crypto_enc_avoid_padding_mode_ansix923

Message
Try to use PKCS7 with AES wherever possible.

Description
Use the PKCS7 padding mode with AES wherever possible. Other padding modes may lead to subtle crypto vulnerabilities.

Rule - crypto_enc_avoid_padding_mode_iso10126

Message
Try to use PKCS7 with AES wherever possible.

Description
Use the PKCS7 padding mode with AES wherever possible. Other padding modes may lead to subtle crypto vulnerabilities.

Rule - crypto_enc_avoid_padding_mode_none

Message
Try to use PKCS7 with AES wherever possible.

Description
Use the PKCS7 padding mode with AES wherever possible. Other padding modes may lead to subtle crypto vulnerabilities.

Rule - crypto_enc_avoid_padding_mode_zeros

Message
Try to use PKCS7 with AES wherever possible.

Description
Use the PKCS7 padding mode with AES wherever possible. Other padding modes may lead to subtle crypto vulnerabilities.

Rule - crypto_enc_ciphermode_ecb

Message
Do not use ECB mode for symmetric encryption.

Description
The ECB mode is prone to various crypto attacks. Use a stronger mode such as CBC instead.

Rule - crypto_enc_unapproved_alg_rijndael

Message
RijndaelManaged class is not approved for use for symmetric encryption

Description
The RijndaelManaged class supports algorithm modes which are not FIPS approved. It has also been found weak against certain attacks. Use AesCryptoServiceProvider instead.

Rule - crypto_hash_weak_alg_md5

Message
The MD5 hash algorithm is weak and must not be used.

Description
The MD5 hash algorithm has been broken and many practical attacks have been found in scenarios using it. Use SHA256CryptoServiceProvider instead.

Rule - crypto_hash_weak_alg_sha1

Message
The SHA1 hash algorithm is weak and must not be used.

Description
The SHA1 hash algorithm has been broken and many practical attacks have been found in scenarios using it. Use SHA256CryptoServiceProvider instead.

Rule - crypto_pki_rsa_keysize

Message
Use a keysize of 2048 bits or more for RSA.

Description
Using keys of size less than 2048 is not recommended for RSA. Crypto using small key sizes increases risk of getting compromised.

Rule - crypto_rng_weak_rng

Message
The Random class is a cryptographically weak random number generator.

Description
When used in the context of crypto, random number generators should be cryptographically secure. The class Random does not meet the requirements and should not be used. Consider using RNGCryptoServiceProvider instead.