Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update README.md #5

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Update README.md #5

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
0f08e1e
Update README.md
felickz Sep 15, 2022
fbcaf7b
Correct programming language java -> C#
peevees Nov 14, 2022
7e4855b
Merge pull request #7 from peevees/patch-1
felickz Mar 28, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
# Code Scanning C# Tutorial

Welcome to the Code Scanning C# Tutorial! This tutorial will take you through how to set up Github Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains cross-site scripting vulnerability for demonstration purpose.
Welcome to the Code Scanning C# Tutorial! This tutorial will take you through how to set up Github Advanced Security: Code Scanning as well as interpret results that it may find. The following repository contains a cross-site scripting vulnerability for demonstration purpose.

## Introduction

Expand Down Expand Up @@ -39,11 +39,11 @@ Click `Set up code scanning`.

#### Setup Workflow

Click the `Setup this workflow` button by CodeQL Analysis.
Click the `Configure CodeQL alerts` button.

<img src="images/02-repo-security-setup-codeql-workflow.png" width="70%"/>

This will create a GitHub Actions Workflow file with CodeQL already set up. Since Java is a compiled language you will need to setup the build in later steps. See the [documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system) if you would like to configure CodeQL Analysis with a 3rd party CI system instead of using GitHub Actions.
This will create a GitHub Actions Workflow file with CodeQL already set up. Since C# is a compiled language you will need to setup the build in later steps. See the [documentation](https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/running-codeql-code-scanning-in-your-ci-system) if you would like to configure CodeQL Analysis with a 3rd party CI system instead of using GitHub Actions.
</p>
</details>

Expand Down Expand Up @@ -163,7 +163,7 @@ Click `show paths` in order to see the dataflow path that resulted in this alert

<summary>Fix the Security Alert</summary>

In order to fix this specific alert, we will need to ensure the content being write to the `HttpContext`'s response is validated and sanitized.
In order to fix this specific alert, we will need to ensure the content being written to the `HttpContext`'s response is both validated and sanitized.

Click on the `Code` tab and [Edit](https://docs.github.com/en/free-pro-team@latest/github/managing-files-in-a-repository/editing-files-in-your-repository) the file [`Autocomplete.ashx.cs`](./WebGoat/WebGoatCoins/Autocomplete.ashx.cs) in the `WebGoat/WebGoatCoins` folder. For this demonstration purpose, we will simply write some hardcoded value to the `HttpContext` instance, this granatees the parameter is sanitized and safe.

Expand Down