Vulnerability Scanner
Identify and fix security vulnerabilities.
OWASP Top 10 (2017 list)
| Risk | Prevention |
|---|---|
| Injection | Parameterized queries, allowlist input validation |
| Broken Authentication | Secure session management, MFA, lockout on repeated failures |
| Sensitive Data Exposure | Encrypt in transit (HTTPS) and at rest, store only what you need |
| XXE | Disable external entities and DTD processing in XML parsers |
| Broken Access Control | Deny by default, RBAC, validate permissions per resource |
| Security Misconfiguration | Hardened defaults, security headers, no debug features in production |
| XSS | Context-aware output encoding, Content-Security-Policy |
| Insecure Deserialization | Never deserialize untrusted data; restrict allowed types |
| Vulnerable Components | Inventory dependencies, scan and update them |
| Insufficient Logging & Monitoring | Audit logs plus alerting on suspicious events |
Security Checklist
Authentication
- Passwords hashed with a slow, salted algorithm (bcrypt/argon2)
- Session tokens unguessable; cookies marked Secure, HttpOnly, SameSite
- Token expiration and rotation on privilege change
- Brute force protection (lockout or rate limiting per account and IP)
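The first and last items above together, as an added example that is not code from the original page: bcrypt hashing with a work factor, verification that does not leak whether an account exists, and a per-account lockout after repeated failures. It assumes the BCrypt.Net-Next NuGet package; the in-memory dictionaries stand in for a database and the names `PasswordService`, `Register` and `Login` are illustrative.

```csharp
// Added example, not from the original page. Assumes the BCrypt.Net-Next package
// (https://www.nuget.org/packages/BCrypt.Net-Next). Stores are in-memory stand-ins.
using System;
using System.Collections.Generic;

public sealed class PasswordService
{
    // Work factor 12 costs roughly a quarter of a second per hash on commodity
    // hardware; bcrypt embeds it in the hash, so it can be raised later.
    private const int WorkFactor = 12;
    private const int MaxFailures = 5;
    private static readonly TimeSpan LockoutWindow = TimeSpan.FromMinutes(15);

    // Hash of a throwaway password, used so unknown accounts cost the same
    // time to check as real ones (no user-enumeration timing signal).
    private static readonly string DummyHash =
        BCrypt.Net.BCrypt.HashPassword("not-a-real-password", WorkFactor);

    private readonly Dictionary<string, string> _hashes =
        new(StringComparer.OrdinalIgnoreCase);
    private readonly Dictionary<string, (int Failures, DateTimeOffset LockedUntil)> _lockouts =
        new(StringComparer.OrdinalIgnoreCase);

    public void Register(string email, string password)
    {
        // HashPassword generates a random salt and stores it inside the hash string.
        _hashes[email] = BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);
    }

    // Returns true only for a correct password on an account that is not locked.
    public bool Login(string email, string password, DateTimeOffset now)
    {
        var (failures, lockedUntil) = _lockouts.TryGetValue(email, out var state)
            ? state
            : (0, DateTimeOffset.MinValue);

        if (lockedUntil > now)
            return false;               // locked: do not evaluate the password at all
        if (lockedUntil != DateTimeOffset.MinValue)
            failures = 0;               // lockout window has expired, start counting afresh

        bool known = _hashes.TryGetValue(email, out var storedHash);
        // Always run Verify, even for unknown accounts, to keep timing uniform.
        bool ok = BCrypt.Net.BCrypt.Verify(password, known ? storedHash : DummyHash) && known;

        if (ok)
        {
            _lockouts.Remove(email);
            return true;
        }

        failures++;
        _lockouts[email] = (failures,
            failures >= MaxFailures ? now + LockoutWindow : DateTimeOffset.MinValue);
        return false;
    }

    public static void Main()
    {
        var svc = new PasswordService();
        var now = DateTimeOffset.UtcNow;
        svc.Register("alice@example.com", "correct horse battery staple");

        Console.WriteLine(svc.Login("alice@example.com", "correct horse battery staple", now)); // True
        for (int i = 0; i < MaxFailures; i++)
            svc.Login("alice@example.com", "wrong", now);
        // Correct password is now rejected until the window passes.
        Console.WriteLine(svc.Login("alice@example.com", "correct horse battery staple", now)); // False
        Console.WriteLine(svc.Login("alice@example.com", "correct horse battery staple",
            now + LockoutWindow + TimeSpan.FromSeconds(1)));                                      // True
    }
}
```

The failure counter is keyed by account so an attacker spraying one password across many accounts is not stopped by it; pair it with IP-based rate limiting at the edge.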
Authorization
- RBAC implemented, deny by default
- Resource-level checks (the caller may act on *this* object, not just objects of its type)
- Every API endpoint protected; no reliance on hidden URLs or client-side checks
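A resource-level check in ASP.NET Core, as an added example that is not code from the original page. `[Authorize]` on the controller covers the "endpoints protected" item; the handler covers the "resource-level" item by tying the decision to the document's owner rather than to a role alone. The `Document` type, `IDocumentStore` interface, `DocumentOwnerHandler` and the `Edit` operation name are assumptions for illustration.

```csharp
// Added example, not from the original page. Assumes ASP.NET Core with the
// built-in policy-based authorization. Document, IDocumentStore and the
// "Edit" operation are illustrative names.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

public sealed class Document
{
    public int Id { get; init; }
    public string OwnerId { get; init; } = "";
}

public interface IDocumentStore
{
    Task<Document?> FindAsync(int id);
    Task SaveAsync(Document doc, string content);
}

public static class DocumentOperations
{
    public static readonly OperationAuthorizationRequirement Edit = new() { Name = "Edit" };
}

// Succeeds only when the caller owns the document or holds the Admin role.
// Plain RBAC ("any Editor may edit") would let one user edit another's data.
public sealed class DocumentOwnerHandler
    : AuthorizationHandler<OperationAuthorizationRequirement, Document>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement,
        Document resource)
    {
        string? userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        bool isOwner = userId is not null && userId == resource.OwnerId;
        if (isOwner || context.User.IsInRole("Admin"))
            context.Succeed(requirement);
        // No Succeed() means the policy fails: deny by default.
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("api/documents")]
[Authorize] // endpoint-level: unauthenticated callers never reach the action
public sealed class DocumentsController : ControllerBase
{
    private readonly IAuthorizationService _auth;
    private readonly IDocumentStore _store;

    public DocumentsController(IAuthorizationService auth, IDocumentStore store)
    {
        _auth = auth;
        _store = store;
    }

    [HttpPut("{id:int}")]
    public async Task<IActionResult> Edit(int id, [FromBody] string content)
    {
        var doc = await _store.FindAsync(id);
        if (doc is null) return NotFound();

        // The id comes from the URL, i.e. from the user. Check ownership of the
        // loaded object before writing, otherwise any authenticated user could
        // edit any document by guessing ids (broken access control / IDOR).
        var result = await _auth.AuthorizeAsync(User, doc, DocumentOperations.Edit);
        if (!result.Succeeded) return Forbid();

        await _store.SaveAsync(doc, content);
        return NoContent();
    }
}

// Registration (Program.cs, minimal hosting):
//   builder.Services.AddAuthorization();
//   builder.Services.AddSingleton<IAuthorizationHandler, DocumentOwnerHandler>();
```

Returning `NotFound()` for missing documents but `Forbid()` for existing ones that the caller may not edit tells an attacker which ids exist; if that matters for your data, return 404 in both cases.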
Data
- HTTPS enforced (redirect plus HSTS)
- Sensitive data encrypted at rest; keys kept outside the application
- No secrets in code or source control
- Input validated against an allowlist at every trust boundary
Code Patterns to Avoid
```csharp
using System.Data;
using Microsoft.Data.SqlClient;

// ❌ SQL Injection: user input becomes part of the statement text
var sql = $"SELECT * FROM Users WHERE Email = '{email}'";

// ✅ Parameterized: the value is sent separately from the statement
var cmd = new SqlCommand("SELECT * FROM Users WHERE Email = @Email", connection);
cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
```
```csharp
// ❌ Hardcoded secret (ends up in source control and every build artifact)
var secret = "my-secret-key";

// ✅ Read from configuration backed by Key Vault (or another secret store)
var secret = Configuration["SecretKey"];
```
Security Headers
```csharp
// Add security headers before the rest of the pipeline writes the response
app.Use(async (context, next) =>
{
    var headers = context.Response.Headers;
    headers["X-Content-Type-Options"] = "nosniff";
    headers["X-Frame-Options"] = "DENY";
    // The browser XSS auditor is deprecated and removed from modern browsers;
    // OWASP recommends disabling it and relying on a Content-Security-Policy
    headers["X-XSS-Protection"] = "0";
    headers["Content-Security-Policy"] = "default-src 'self'; frame-ancestors 'none'";
    headers["Referrer-Policy"] = "no-referrer";
    await next();
});
```
Dependency Scanning
```bash
# .NET: include transitive packages, where most vulnerable versions hide
dotnet list package --vulnerable --include-transitive
# npm
npm audit
```
DO / DON'T
| ✅ Do | ❌ Don't |
|---|---|
| Validate all input | Trust user data |
| Use KeyVault | Hardcode secrets |
| Hash passwords | Store plain text |
| Update dependencies | Ignore vulnerabilities |