
HP Fortify : ASP.NET Bad Practices: Non-Serializable Object Stored in Session

The method set_UserActiveEnvironments() in HttpContextHelper.cs stores a non-serializable object as an HttpSessionState attribute on line 47, which can damage application reliability.

By default, ASP.NET servers store the HttpSessionState object, its attributes and any objects they reference in memory. This model limits active session state to what can be accommodated by the system memory of a single machine. In order to expand capacity beyond these limitations, servers are frequently configured to persist session state information, which both expands capacity and permits replication across multiple machines to improve overall performance. In order to persist its session state, the server must serialize the HttpSessionState object, which requires that all objects stored in it be serializable.

Why is it showing that as a vulnerability, and how do I fix it?

Mohanraj, maybe you've already found the solution, but below is a plausible explanation:

There are some false positives that HP Fortify indicates, and that is why you need to analyze case by case every vulnerability it reports to you, and that's why it has a classification list for you to analyze whether the vulnerability found is a real threat or a false positive.

In this particular case, to heal the vulnerability you just need to decorate the class you are trying to transport / send to Session as [Serializable], which is highly recommended when using session to store data inside your application.

Check this article by Piet Obermeyer and Jonathan Hawkins, which better explains the use of Serialization.

Hope this helps.

I think Fortify misinterprets set_accessor_declaration in C#. The finding looks like Fortify could not link the type of the value keyword to the type of the property.

https://docs.microsoft.com/en-us/dotnet/csharp/language-reference/language-specification/classes#accessors

Attempting to interpret the finding as if the Session property itself needs a Serializable attribute seems misdirected. A how-to article on different serialization modes in ASP.NET tells me that session serialization applies to the Session property's contents rather than the property as a whole.

https://www.codeproject.com/Articles/32545/Exploring-Session-in-ASP-Net
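To put both answers together in code: the following is an added example (not code from the question or either answer) showing a static helper whose property setter, which the compiler emits as set_UserActiveEnvironments(), stores the `value` instance in session, with the stored type decorated [Serializable] as the first answer recommends. The class and key names are assumptions; the EnsureSerializable guard is added so that a type missing the attribute fails at the write rather than later, when an out-of-process session-state provider tries to serialize the session.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Hypothetical session payload. The [Serializable] attribute is what the
// Fortify rule looks for on every type that ends up in HttpSessionState;
// without it, StateServer / SQLServer session modes fail at serialization.
[Serializable]
public sealed class UserActiveEnvironments
{
    public List<string> EnvironmentNames { get; set; } = new List<string>();
}

public static class HttpContextHelper
{
    private const string EnvKey = "UserActiveEnvironments"; // assumed key

    // The setter below compiles to set_UserActiveEnvironments(); the
    // 'value' keyword carries the instance that is placed in session.
    public static UserActiveEnvironments UserActiveEnvironments
    {
        get { return HttpContext.Current.Session[EnvKey] as UserActiveEnvironments; }
        set
        {
            EnsureSerializable(value);
            HttpContext.Current.Session[EnvKey] = value;
        }
    }

    // Guard: Type.IsSerializable is true only when [Serializable] is applied,
    // so a non-serializable object is rejected at the write. InProc mode never
    // serializes, which is why the defect otherwise surfaces only after a
    // deployment switches to an out-of-process session-state provider.
    private static void EnsureSerializable(object o)
    {
        if (o != null && !o.GetType().IsSerializable)
            throw new ArgumentException(
                o.GetType().FullName + " must be marked [Serializable] before it is stored in session.");
    }
}
```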
