ASP.NET Web API - Veracode's CWE-201: Information Exposure Through Sent Data RRS feed

  • Question

  • User135423268 posted

    Good Day Everyone

    I have a method/function that is sending an email message to the user, but the problem is it's a low finding in Veracode Greenlight or in Veracode source code review, it's been a month since when i start looking for a solution on this, I've found out that if you have a HTML body and you are replacing it a data, it becomes a risk, but if its a plain html body without replacing any of the text, it's fine, does anyone has a solution on this? see my code below

                Dim objMailMsg As MailMessage = New MailMessage("noreply@test.com", "abm112019@gmail.com")
                Dim readFile As String = ""
                Dim tempFile As String = HttpContext.Current.Server.MapPath("~/HTML/EmailNotif1.html")
                Using strREader As StreamReader = New StreamReader(HostingEnvironment.MapPath("~/HTML/EmailNotif1.html"))
                    readFile = strREader.ReadToEnd
                    Dim myString As String = ""
                    myString = readFile
                    myString = myString.Replace("TransacID", GetTransactionID)
                    myString = myString.Replace("EmailMessage", GetMessage)
                    myString = myString.Replace("CreatedBy", GetName)
                    myString = myString.Replace("DateCreated", Date.Now)
                    Using objSMPTClient As SmtpClient = New SmtpClient
                        objMailMsg.BodyEncoding = Encoding.UTF8
                        objMailMsg.Subject = "Transaction Notification"
                        objMailMsg.Body = myString.ToString
                        objMailMsg.Priority = MailPriority.High
                        objMailMsg.IsBodyHtml = True
                        objSMPTClient.EnableSsl = False
                    End Using
                End Using

    Tuesday, December 17, 2019 2:30 AM

All replies

  • User409696431 posted

    From https://community.veracode.com/s/question/0D534000041BzqeCAC/information-exposure-through-sent-data-cwe-id-201

    "Great question, this flaw is concerned with sensitive information. The analysis engine sees the information originating from a sensitive source, and in your case it is most likely a config file. The recommendation is to review if the data is sensitive according to your companies security policies. If it is sensitive, then you should not include the information. If it is not sensitive, mark it as Mitigated by Design, and get the mitigation proposal approved by your security team." = Veracode employee

    And from: https://community.veracode.com/s/question/0D53400003zJoPDCA0/how-to-fix-information-exposure-through-send-data-flaw

    "For resolving the error in C# or any language, you will need to refer to the "Triage Flaws" view and flaw details in the Veracode Platform. The flaw details will identify what data is considered sensitive so that you may review it. If it is sensitive, do not include it in the request. If it is not sensitive, use a mitigation to document your reasoning. Please refer to the previous reply to see a more detailed explanation."

    You'll need to see which information you are sending is deemed sensitive (and why), and see if it really is.  If not, explain why and ignore the error.

    Tuesday, December 17, 2019 4:29 AM