
Fortify - Trust Boundary Violation - ASP.Net Web Forms - Text-Box Form Fields

My project has 113 Trust Boundary Violations. Each violation is for any value stored to a session value. The values stored in the session are actually objects with several properties. So, each time a value is assigned to a property, that is a violation. I can consider the values that are numbers as trusted since they are strongly typed as numbers. But the strings that are coming from text-box form fields are confusing me. I do have ASP.Net Request Validation enabled.

The recommendation from Fortify says, "The untrusted data should be built up in a single untrusted data structure, validated, and then moved into a trusted location."

Does any further action need to be taken on the strings being set from text-box form fields in order for those values to be "validated"? Or, is the ASP.Net Request Validation sufficient?

I think the ASP.Net Request Validation is sufficient. When you mark it as a false positive, the AI engine will learn it.

At the same time, I don't think it is a good practice to store several properties on session values.
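
The pattern in the Fortify recommendation quoted in the question, as an added example that is not from either post: text-box values are collected in one untrusted object, checked against per-field allow-list rules, and only the resulting trusted object is stored in the session. `ProfileForm`, `TrustedProfile`, the field rules and the `Dictionary` standing in for `Page.Session` are hypothetical names and assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Untrusted side: raw text-box values as posted (hypothetical form fields).
public sealed class ProfileForm
{
    public string DisplayName { get; set; }
    public string PostalCode { get; set; }
}

// Trusted side: the private constructor means instances exist only after TryValidate succeeds.
public sealed class TrustedProfile
{
    // Allow-list rules (illustrative assumptions); \A and \z anchor the whole string.
    static readonly Regex NameRule = new Regex(@"\A[\p{L}\p{N} .'\-]{1,50}\z", RegexOptions.None, TimeSpan.FromMilliseconds(100));
    static readonly Regex PostalRule = new Regex(@"\A[0-9]{5}\z", RegexOptions.None, TimeSpan.FromMilliseconds(100));
    public string DisplayName { get; }
    public string PostalCode { get; }
    private TrustedProfile(string name, string postal) { DisplayName = name; PostalCode = postal; }
    public static bool TryValidate(ProfileForm form, out TrustedProfile profile, out List<string> errors)
    {
        errors = new List<string>();
        string name = (form.DisplayName ?? "").Trim();
        string postal = (form.PostalCode ?? "").Trim();
        if (!NameRule.IsMatch(name)) errors.Add("DisplayName");
        if (!PostalRule.IsMatch(postal)) errors.Add("PostalCode");
        profile = errors.Count == 0 ? new TrustedProfile(name, postal) : null;
        return profile != null;
    }
}

public static class Demo
{
    public static void Main()
    {
        var session = new Dictionary<string, object>(); // stand-in for Page.Session
        var posted = new[] {                             // constructed sample inputs
            new ProfileForm { DisplayName = "Ana O'Neil", PostalCode = "90210" },
            new ProfileForm { DisplayName = "x\r\nadmin=true", PostalCode = "9021" },
        };
        foreach (var form in posted)
            if (TrustedProfile.TryValidate(form, out var profile, out var errors))
                session["Profile"] = profile;            // only validated data crosses the boundary
            else
                Console.WriteLine("Rejected fields: " + string.Join(", ", errors));
    }
}
```

Because the session only ever receives a `TrustedProfile`, the single assignment to `session["Profile"]` is the one place where data crosses the trust boundary and the one place a reviewer has to audit.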
