Skip to main content
Skip table of contents

C#

This article covers C# support and vulnerability detection for Mend SAST.

Mend SAST-supported C# file types

**Note: These extensions are marked as ‘Secondary’ file extensions.
They will only be scanned if at least one file with any of the other ‘Primary’ file extensions is present to identify the language as the relevant language.

File Type

Generation 1

Generation 2

.aspx

.ascx**

.cs

.cshtm**

.cshtml**

.master**

.razor

Mend SAST-supported C# frameworks

Framework

Generation 1

Generation 2

ASP.NET Core

ASP.NET MVC

ASP.NET Web Forms

Azure Service Bus

Azure Service Fabric

C# Web Services

Entity

NHibernate

Razor

Telerik

Mend SAST-supported C# vulnerability types

The C# vulnerability types detected by SAST are provided below and are organized by CWE ID within each of their identified severities.

C# high-severity vulnerability types

CWE

Vulnerability Type

Generation 1

Generation 2

CWE-22

Path/Directory Traversal

CWE-73

File Manipulation

CWE-78

Command Injection

CWE-79

Cross-Site Scripting

CWE-89

SQL Injection

CWE-94

Code Injection

CWE-94

Server Pages Execution

CWE-502

Deserialization of Untrusted Data

CWE-643

XPath Injection

CWE-918

Server-Side Request Forgery

C# medium-severity vulnerability types

CWE

Vulnerability Type

Generation 1

Generation 2

CWE-90

LDAP Injection

CWE-209

Error Messages Information Exposure

CWE-209

Console Output

CWE-244

Heap Inspection

Note: Starting in v23.8.1, this vulnerability type can be ignored for detection improvement for C# projects. Please reach out to your Mend Customer Success Manager (CSM) if you would like to enable this feature for your future C# scans. Read more on our v23.8.1 Release Notes.

CWE-319

Insufficient Transport Layer Protection

CWE-338

Weak Pseudo-Random

CWE-400

Sleep Denial of Service

CWE-400

Regex Denial of Service (ReDoS)

CWE-472

Hidden HTML Input

CWE-501

Trust Boundary Violation

CWE-611

XML External Entity (XXE) Injection

CWE-676

Miscellaneous Dangerous Functions

CWE-798

Hardcoded Password/Credentials

CWE-1336

Template Injection

C# Low-severity vulnerability types

CWE

Vulnerability Type

Generation 1

Generation 2

CWE-20

Cookie Injection

CWE-20

Mail Relay

CWE-20

Session Poisoning

CWE-113

HTTP Header Injection

CWE-113

HTTP Response Splitting

CWE-117

Log Forging

CWE-326

Weak Encryption Strength

CWE-434

File Upload

Note: Starting in v23.8.1, this vulnerability type can be ignored for detection improvement for C# projects. Please reach out to your Mend Customer Success Manager (CSM) if you would like to enable this feature for your future C# scans. Read more on our v23.8.1 Release Notes.

CWE-530

Dangerous File Extensions

CWE-601

Unvalidated/Open Redirect

CWE-614

Sensitive Cookie Without Secure

CWE-916

Weak Hash Strength

CWE-941

Arbitrary Server Connection

CWE-1004

Cookie Without 'HttpOnly' Flag

CWE-1333

Regex Denial of Service (ReDoS)

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.